Most of the operations you perform in Cloud Storage must be authenticated. The only exceptions are operations on resources that allow anonymous access. A resource has anonymous access if the allUsers group is included in the ACL for the resource or if the allUsers group is included in an IAM policy that applies to the resource. The allUsers group includes anyone on the Internet.
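The two ways a resource becomes anonymously readable (an allUsers entry in its ACL, or an allUsers member in an IAM binding) can both be checked from the resource's policy and ACL documents. The following is an added example, not code from the Cloud Storage documentation; the policy and ACL inputs are constructed samples in the shape the JSON API returns (`bindings[].members` for IAM, `entity`/`role` entries for ACLs), and the helper names are this example's own.

```python
"""Report anonymous (public) access on a Cloud Storage resource by looking
for the allUsers group in its IAM policy bindings and in its ACL.

Added example: the policy and ACL documents below are constructed samples,
not data from a real bucket."""
from typing import Dict, List

# The group that means "anyone on the Internet"
ANONYMOUS = "allUsers"


def anonymous_iam_roles(policy: Dict) -> List[str]:
    """Roles granted to allUsers through IAM bindings on the resource.

    A binding that carries an IAM condition is still reported: for an audit,
    a conditional public grant is something a reviewer wants to see.
    """
    roles = []
    for binding in policy.get("bindings", []):
        if ANONYMOUS in binding.get("members", []):
            roles.append(binding["role"])
    return roles


def anonymous_acl_roles(acl: List[Dict]) -> List[str]:
    """Roles granted to allUsers through ACL entries on the resource."""
    return [entry["role"] for entry in acl if entry.get("entity") == ANONYMOUS]


def has_anonymous_access(policy: Dict, acl: List[Dict]) -> bool:
    """True if either the IAM policy or the ACL grants anything to allUsers."""
    return bool(anonymous_iam_roles(policy) or anonymous_acl_roles(acl))


# Constructed samples (not real project data)
PUBLIC_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["group:ops@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}
PRIVATE_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["group:ops@example.com"]},
]}
PUBLIC_ACL = [
    {"entity": "project-owners-000000", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
]
PRIVATE_ACL = [{"entity": "project-owners-000000", "role": "OWNER"}]


if __name__ == "__main__":
    for name, pol, acl in (("public", PUBLIC_POLICY, PUBLIC_ACL),
                           ("private", PRIVATE_POLICY, PRIVATE_ACL)):
        print(name, "anonymous:", has_anonymous_access(pol, acl),
              "iam:", anonymous_iam_roles(pol), "acl:", anonymous_acl_roles(acl))
```

Checking both documents matters because a bucket whose IAM policy looks private can still expose an object through that object's ACL, and the reverse.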
Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth 2.0 uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources. For example, application A with an access token with read-only scope can only read, while application B with an access token with read-write scope can read and modify data. Neither application can read or modify access control lists on objects and buckets; only an application with full-control scope can do so.
| Type | Description | Scope URL |
|---|---|---|
| read-only | Only allows access to read data, including listing buckets. | https://www.googleapis.com/auth/devstorage.read_only |
| read-write | Allows access to read and change data, but not metadata like IAM policies. | https://www.googleapis.com/auth/devstorage.read_write |
| full-control | Allows full control over data, including the ability to modify IAM policies. | https://www.googleapis.com/auth/devstorage.full_control |
| cloud-platform.read-only | View your data across Google Cloud services. For Cloud Storage, this is the same as the read-only scope (devstorage.read_only). | https://www.googleapis.com/auth/cloud-platform.read-only |
| cloud-platform | View and manage data across all Google Cloud services. For Cloud Storage, this is the same as the full-control scope (devstorage.full_control). | https://www.googleapis.com/auth/cloud-platform |
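The scope table above defines what a token may do on Cloud Storage, which lets a service both pick the smallest scope before requesting a token and check, on receipt, whether a token's granted scopes cover an operation and how much they exceed it. The following is an added example, not code from the Cloud Storage documentation or Google's client libraries. It assumes the token is described by a tokeninfo-style response with a space-separated `scope` field and an `expires_in` field; the sample responses are constructed, and the operation names (`read`, `write`, `acl`) and helper names are this example's own.

```python
"""Least-privilege scope selection and scope-based authorization for
Cloud Storage access tokens, using the scope grants from the table above.

Added example. The tokeninfo responses below are constructed samples."""
from typing import Dict, Set

READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write"
FULL_CONTROL = "https://www.googleapis.com/auth/devstorage.full_control"
CP_READ_ONLY = "https://www.googleapis.com/auth/cloud-platform.read-only"
CP = "https://www.googleapis.com/auth/cloud-platform"

# Operations each scope grants on Cloud Storage, as listed in the table:
# read = read data and list buckets, write = change data, acl = read or
# modify ACLs / IAM policies. The two cloud-platform scopes are aliases.
SCOPE_GRANTS: Dict[str, Set[str]] = {
    READ_ONLY: {"read"},
    READ_WRITE: {"read", "write"},
    FULL_CONTROL: {"read", "write", "acl"},
    CP_READ_ONLY: {"read"},
    CP: {"read", "write", "acl"},
}
OPERATIONS = SCOPE_GRANTS[FULL_CONTROL]


def least_privilege_scope(operations: Set[str]) -> str:
    """Smallest devstorage scope whose grant covers every requested operation.

    Use this when building the scope list for a token request, so that an
    application that only reads never holds a token that can modify ACLs.
    """
    unknown = operations - OPERATIONS
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    # Ordered from least to most privilege; the first match wins.
    for scope in (READ_ONLY, READ_WRITE, FULL_CONTROL):
        if operations <= SCOPE_GRANTS[scope]:
            return scope
    raise AssertionError("unreachable: FULL_CONTROL covers every operation")


def granted_operations(scope_field: str) -> Set[str]:
    """Union of Cloud Storage operations granted by a space-separated scope string.

    Scopes for other services grant nothing here and are simply ignored.
    """
    ops: Set[str] = set()
    for scope in scope_field.split():
        ops |= SCOPE_GRANTS.get(scope, set())
    return ops


def authorize(tokeninfo: Dict, operation: str) -> Dict:
    """Decide whether a tokeninfo-style response authorizes one operation.

    Returns a dict with 'allowed', a 'reason' when denied, and 'excess': the
    operations the token could perform beyond the one requested, which is a
    signal that the caller requested a broader scope than it needs.
    """
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if int(tokeninfo.get("expires_in", 0)) <= 0:
        return {"allowed": False, "reason": "token expired", "excess": set()}
    ops = granted_operations(tokeninfo.get("scope", ""))
    if operation not in ops:
        return {"allowed": False, "reason": f"scope does not grant {operation}", "excess": set()}
    return {"allowed": True, "reason": "", "excess": ops - {operation}}


# Constructed tokeninfo-style responses (not real tokens or real output)
TOKEN_READ_ONLY = {"scope": READ_ONLY, "expires_in": "3500"}
TOKEN_READ_WRITE = {"scope": f"openid {READ_WRITE}", "expires_in": "3500"}
TOKEN_CLOUD_PLATFORM = {"scope": CP, "expires_in": "3500"}
TOKEN_EXPIRED = {"scope": FULL_CONTROL, "expires_in": "0"}


if __name__ == "__main__":
    print("scope for read+write:", least_privilege_scope({"read", "write"}))
    for name, tok in (("read-only", TOKEN_READ_ONLY), ("read-write", TOKEN_READ_WRITE),
                      ("cloud-platform", TOKEN_CLOUD_PLATFORM), ("expired", TOKEN_EXPIRED)):
        print(name, "->", authorize(tok, "read"))
```

The `excess` field is the practical takeaway: a token that carries cloud-platform scope when the application only reads objects is exactly the case the table warns about, since on Cloud Storage that scope is equivalent to full-control.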