Managed folders

This page provides an overview of managed folders in Cloud Storage, which exist as a resource and are different from simulated folders.

You can apply Identity and Access Management (IAM) policies to managed folders to grant principals access only to the objects within the managed folder, which lets you more finely control access for specific data sets and tables within a bucket. You can nest managed folders up to 15 levels deep, including the parent managed folder.

Managed folders can only be created in buckets that have uniform bucket-level access enabled.

IAM for managed folders

When you apply an IAM policy on a managed folder, the access granted in the policy also applies to any object within that bucket that has the managed folder's name as a prefix. For example, if you grant a principal the Storage Object Viewer (roles/storage.objectViewer) role on a managed folder named example-bucket/example-managed-folder/, the principal can view any object within example-managed-folder (such as example-bucket/example-managed-folder/example-object.txt). When you nest managed folders, the permissions granted through IAM policies are applied additively.

Read the following pages for more information about managed folders:

• Creating and managing managed folders

• Control access to managed folders

• ManagedFolder reference page for the JSON API

Managed folder names

The name you give to a managed folder must meet the following requirements:

• Managed folder names can contain any sequence of valid Unicode characters, of length 1-700 bytes when UTF-8 encoded.

• Managed folder names cannot contain Carriage Return or Line Feed characters.

• Managed folder names must end with /. At most, a managed folder name can have 15 /s. In other words, you can nest up to 15 managed folders.

• Managed folder names cannot start with .well-known/acme-challenge/.

• Managed folders cannot be named . or ...

It is strongly recommended that you avoid the following in your managed folder names:

• Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders.

• The [, ], *, or ? characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, * and ? are not valid characters for file names in Windows.

• Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket.

Considerations

When working with managed folders, note the following considerations:

• Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named my-folder/, even if you have an existing object named my-folder/object.txt. Note that the IAM policy on the managed folder my-folder/ will then apply to all objects that has my-folder/ as a name prefix.

• You can create child managed folders before the parent managed folder is created. For example, you can create a managed folder named my-folder-A/my-folder-B/ without first creating a managed folder named my-folder-A/.

• By default, you can't delete a non-empty managed folder that contains objects or other child managed folders. You can bypass this rule when using the allowNonEmpty parameter in a Delete ManagedFolder JSON API request.

What's next

• Create and manage managed folders.

• Learn about flat namespace folders.

• Upload objects to a Cloud Storage bucket.