Managed folders

This page provides an overview of managed folders in Cloud Storage. Managed folders are a type of folder on which you can grant IAM roles, so you have more fine-grained access control over specific groups of objects within a bucket. Managed folders exist as resources within Cloud Storage and are different from simulated folders, which operate with a flat namespace.

IAM for managed folders

When you apply an IAM policy on a managed folder, the access granted in the policy also applies to any object within that bucket that has the managed folder's name as a prefix. For example, if you grant a principal the Storage Object Viewer (roles/storage.objectViewer) role on a managed folder named example-bucket/example-managed-folder/, the principal can view any object within example-managed-folder (such as example-bucket/example-managed-folder/example-object.txt). When you nest managed folders, the permissions granted through IAM policies are applied additively.

Managed folders can only be created in buckets that have uniform bucket-level access enabled.

Read the following pages for more information about managed folders:

Managed folder names

The name you give to a managed folder must meet the following requirements:

  • Managed folder names can contain any sequence of valid Unicode characters, of length 1-1024 bytes when UTF-8 encoded.

  • Managed folder names cannot contain Carriage Return or Line Feed characters.

  • Managed folder names must end with /. At most, a managed folder name can have 15 /s. In other words, managed folders can be nested up to 15 levels deep.

  • Managed folder names cannot start with .well-known/acme-challenge/.

  • Managed folders cannot be named . or ...

It is strongly recommended that you avoid the following in your managed folder names:

  • Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders.

  • The [, ], *, or ? characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, * and ? are not valid characters for file names in Windows.

  • Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket.

Considerations

When working with managed folders, note the following considerations:

  • Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named my-folder/, even if you have an existing object named my-folder/object.txt. Note that the IAM policy on the managed folder my-folder/ will then apply to all objects that has my-folder/ as a name prefix.

  • You can create child managed folders before the parent managed folder is created. For example, you can create a managed folder named my-folder-A/my-folder-B/ without first creating a managed folder named my-folder-A/.

  • By default, you can't delete a non-empty managed folder that contains objects or other child managed folders. You can bypass this rule when using the allowNonEmpty parameter in a Delete ManagedFolder JSON API request.

What's next