This page describes the relationship between Google Cloud Platform Console projects and Cloud Storage resources. To learn more about Google Cloud Platform Console projects in general, read Projects in the Overview of Google Cloud Platform.
What is a project?
A project organizes all your Google Cloud Platform resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. So, for example, all of your Google Cloud Storage buckets and objects, along with user permissions for accessing them, reside in a project. You can have one project, or you can create multiple projects and use them to organize your Google Cloud Platform resources, including your Google Cloud Storage data, into logical groups.
When to specify a project
Most of the time, you do not need to specify a project when performing actions in Cloud Storage; however, several operations do require you to specify a project. In these cases, use either the project ID or the project number to identify the project you are referring to:
- Google Cloud Platform Console
- When using Cloud Storage with the Cloud Platform Console, you're automatically associated with a project. You can change projects using the drop-down menu at the top of the Cloud Platform Console window.
gsutil lscommands require you to specify a project, unless you have set a default project. If you have not set a default project, or if you would like to use a different project, use the
-pflag to specify a project. No other gsutil commands require you to specify a project.
- JSON API
The Cloud Storage Client Libraries, which use the JSON API, also require a project to be specified when using the libraries' methods for creating and listing buckets.
- XML API
Specify a project when listing buckets and inserting buckets. The project associated with these XML API requests is specified in the
x-goog-project-idHTTP header, as in the following example:
The header optional for other XML API requests or if you have set a default project for interoperable access.
Project members and permissions
For each project, you can use Identity and Access Management (IAM) to add team members who can manage and work on your project. IAM allows you to specify each team member's role or roles: different roles have permissions that allow a member to do different things within your project.
While many IAM roles can be set at both the project-level (thus applying to all buckets in the project) or the bucket-level (thus applying only to an individual bucket), there are several roles that you can only apply to a project. These roles are primitive roles. Primitive roles have the following properities for Cloud Storage:
|Role||Intrinsic Behavior||Modifiable Behavior|
||Members with this role can list buckets in the project.||Members with this role have, as a group, the
||Members with this role can list, create and delete buckets in the project.||Members with this role have, as a group, the
||Members with this role can list, create and delete buckets in the project. Within Google Cloud Platform more generally, members with
||Members with this role have, as a group, the
For a list of available roles that apply to Cloud Storage, see Cloud Storage IAM roles.
For instructions for adding, viewing, and removing members from roles at the project level, see Using IAM with projects.
As illustrated in the Modifiable Behavior column above, project team members may have additional access beyond that granted intrinsically by the primitive IAM roles. This additional access comes from two sources:
IAM roles applied to buckets: When a user creates a bucket, IAM roles are applied to it by default. You can edit this access once the bucket is created.
Access Control Lists (ACLs) applied to objects: When a user creates an object, an ACL is applied to it. The ACL can either be specified explicitly or applied by default. In either case, the ACL grants access specifically to the created object.
Note that in both cases, you can grant access to both individual users and all holders of a primitive role. Moreover, the access granted may be greater than the access that a user has in general for project, but not more restricted.