This page provides an overview of managed folders in Cloud Storage. Managed folders are a type of folder on which you can grant IAM roles, so you have more fine-grained access control over specific groups of objects within a bucket. Managed folders exist as resources within Cloud Storage and are different from simulated folders, which operate with a flat namespace.
IAM for managed folders
When you apply an IAM policy on a managed folder, the access
granted in the policy also applies to any object within that bucket that has the
managed folder's name as a prefix. For example, if you grant a principal the
Storage Object Viewer (roles/storage.objectViewer) role on a managed folder
named example-bucket/example-managed-folder/, the principal can view any
object within example-managed-folder (such as
example-bucket/example-managed-folder/example-object.txt).
When you nest managed folders, the permissions granted through
IAM policies are applied additively.
Managed folders can only be created in buckets that have uniform bucket-level access enabled.
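The prefix and additive rules described above, modeled locally as an added example (not Google's code and not a Cloud Storage API client). The folder names, principals and bindings are constructed sample data, and the model assumes only managed folder policies, leaving out any bucket-level or project-level grants:

```python
"""Local model of managed-folder IAM scoping (added example, not a Cloud Storage client)."""

# Constructed sample data: managed folder name -> {role: set of principals}.
POLICIES = {
    "reports/": {"roles/storage.objectViewer": {"group:analysts@example.com"}},
    "reports/finance/": {"roles/storage.objectAdmin": {"user:cfo@example.com"}},
    # A child managed folder may exist without a managed folder named "archive/".
    "archive/2023/": {"roles/storage.objectViewer": {"user:auditor@example.com"}},
}


def covering_folders(name, policies=POLICIES):
    """Managed folders whose name is a prefix of `name`, outermost first."""
    return sorted((f for f in policies if name.startswith(f)), key=len)


def effective_roles(principal, object_name, policies=POLICIES):
    """Union of the roles granted to `principal` on every covering managed folder."""
    roles = set()
    for folder in covering_folders(object_name, policies):
        for role, members in policies[folder].items():
            if principal in members:
                roles.add(role)
    return roles


def inherited_grants(child_folder, policies=POLICIES):
    """Grants on ancestor managed folders that also reach objects in `child_folder`."""
    found = []
    for folder in covering_folders(child_folder, policies):
        if folder != child_folder:
            for role, members in policies[folder].items():
                found.extend((m, role, folder) for m in sorted(members))
    return found


if __name__ == "__main__":
    # The narrower policy on reports/finance/ does not remove the analysts' access.
    print(effective_roles("group:analysts@example.com", "reports/finance/q1.csv"))
    # The trailing "/" keeps reports/ from matching a sibling prefix.
    print(effective_roles("group:analysts@example.com", "reports-old/q1.csv"))
    print(inherited_grants("reports/finance/"))
```

Running `inherited_grants` over a child folder before delegating it shows which ancestor grants already reach its objects, since a policy set on the child can only add to them.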
Read the following pages for more information about managed folders:
- ManagedFolder reference page for the JSON API 
Managed folder names
The name you give to a managed folder must meet the following requirements:
- Managed folder names can contain any sequence of valid Unicode characters, of length 1-1024 bytes when UTF-8 encoded. 
- Managed folder names cannot contain Carriage Return or Line Feed characters. 
- Managed folder names must end with /. A managed folder name can contain at most 15 / characters. In other words, managed folders can be nested up to 15 levels deep.
- Managed folder names cannot start with .well-known/acme-challenge/.
- Managed folders cannot be named "." or "..".
It is strongly recommended that you avoid the following in your managed folder names:
- Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders. 
- The [, ], *, or ? characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, * and ? are not valid characters for file names in Windows.
- Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket. 
Considerations
When working with managed folders, note the following considerations:
- Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named my-folder/, even if you have an existing object named my-folder/object.txt. Note that the IAM policy on the managed folder my-folder/ will then apply to all objects that have my-folder/ as a name prefix.
- You can create child managed folders before the parent managed folder is created. For example, you can create a managed folder named my-folder-A/my-folder-B/ without first creating a managed folder named my-folder-A/.
- By default, you can't delete a non-empty managed folder that contains objects or other child managed folders. You can bypass this rule by using the allowNonEmpty parameter in a DeleteManagedFolder JSON API request.
- Managed folder names are visible in error messages and Cloud Audit Logs when a request to delete a folder that has a managed folder at the same path fails, even without explicit storage.managedFolders.get or storage.managedFolders.list permissions.
What's next
- Learn about simulated folders. 
- Upload objects to a Cloud Storage bucket. 
- Learn about the best practices for using managed folders.