This page describes the relationship between Google Cloud Console projects and Cloud Storage resources. To learn more about Google Cloud Console projects in general, read Projects in the Overview of Google Cloud.
What is a project?
A project organizes all your Google Cloud resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. So, for example, all of your Cloud Storage buckets and objects, along with user permissions for accessing them, reside in a project. You can have one project, or you can create multiple projects and use them to organize your Google Cloud resources, including your Cloud Storage data, into logical groups.
When to specify a project
Most of the time, you do not need to specify a project when performing actions in Cloud Storage; however you should include either the project ID or the project number in the following cases:
When using Cloud Storage with the Cloud Console, you're automatically associated with a project. You can change projects by using the drop-down menu at the top of the Cloud Console window.
When first accessing a bucket that has enabled Requester Pays, you're prompted to select a project to bill requests to. You can subsequently change the billing project by using the Change project button located above the list of objects in the bucket.
gsutil ls, and
gsutil kmscommands require you to specify a project, unless you have set a default project. If you have not set a default project, or if you would like to use a different project, use the
-pflag to specify a project. No other gsutil commands require you to specify a project.
-uflag, along with a project ID, to indicate the project to charge for bucket access. This is required when accessing a bucket that has enabled Requester Pays and is optional otherwise.
To indicate a project to charge for bucket access, use the 'userProject' query paratemer, along with a project ID, as in the following example:
This query parameter is required when accessing a bucket that has enabled Requester Pays and is optional otherwise.
Specify a project when listing buckets and inserting buckets. The project associated with these XML API requests is specified in the
x-goog-project-idHTTP header, as in the following example:
The header is optional for other XML API requests or if you have set a default project for interoperable access.
To indicate a project to charge for bucket access, use the 'x-goog-user-project' header, along with a project ID, as in the following example:
This header is required when accessing a bucket that has enabled Requester Pays and is optional otherwise.
Project members and permissions
For each project, you can use Identity and Access Management (IAM) to add team members who can manage and work on your project. IAM allows you to specify each team member's role or roles: different roles have permissions that allow a member to do different things within your project.
While many IAM roles can be set at both the project-level (thus applying to all buckets in the project) or the bucket-level (thus applying only to an individual bucket), there are several roles that you can only apply to a project. These roles are primitive roles. Primitive roles have the following properties for Cloud Storage:
|Role||Intrinsic Behavior||Modifiable Behavior|
||Members with this role can list buckets in the project, as well as list and get HMAC keys in the project.||
||Members with this role can list, create and delete buckets in the project, as well as have full control over HMAC keys in the project.||
||Members with this role can list, create and delete buckets in the project, as well as have full control over HMAC keys in the project. Within Google Cloud more generally, members with
For a list of available roles that apply to Cloud Storage, see Cloud Storage IAM roles.
For instructions for adding, viewing, and removing members from roles at the project level, see Using IAM with projects.
As illustrated in the Modifiable Behavior column above, project team members may have additional access beyond that granted intrinsically by the primitive IAM roles. This additional access comes from two sources:
IAM roles applied to buckets: When a user creates a bucket, IAM roles are applied to it by default. You can edit this access once the bucket is created.
Access Control Lists (ACLs) applied to objects: When a user creates an object, an ACL is applied to it. The ACL can either be specified explicitly or applied by default. In either case, the ACL grants access specifically to the created object.
Note that in both cases, you can grant access to both individual users and all holders of a primitive role. Moreover, the access granted may be greater than the access that a user has in general for project, but not more restricted.
Service accounts allow applications to authenticate and access Google Cloud resources and services. For example, you can create a service account that your Compute Engine instances use to access objects stored in Cloud Storage buckets.
Service accounts are created within a project and have a unique email address that identifies them. While most service accounts are created and managed by a user, some service accounts are automatically created and managed by Google Cloud services. Cloud Storage creates one such service account with an email address that has the following format:
[PROJECT_NUMBER] is the project number of the project that owns
the service account.
Uses with Cloud Storage
The following features use Cloud Storage service accounts:
Examples of actions that non-Cloud Storage service accounts can take which use Cloud Storage resources:
- Performing Storage Transfer Service transfers.
- Moving data to/from Cloud SQL instances.
- Creating signed URLs.