Get IAM members

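Get the members from an IAM policy for a Cloud Storage bucket. Every sample below requests policy version 3, the version that can carry conditional role bindings, so a binding's condition (when it has one) belongs next to its role and members in any listing used to review access.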

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample

C++

For more information, see the Cloud Storage C++ API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  namespace gcs = ::google::cloud::storage;
  using ::google::cloud::StatusOr;
  // Reads the IAM policy of `bucket_name` and streams it to std::cout.
  // On failure the Status held by the result is thrown to the caller.
  [](gcs::Client client, std::string const& bucket_name) {
    // Version 3 is requested explicitly: it is the policy version that can
    // represent role bindings with an IAM Condition attached.
    auto policy = client.GetNativeBucketIamPolicy(
        bucket_name, gcs::RequestedPolicyVersion(3));
    if (!policy.ok()) {
      throw std::move(policy).status();
    }

    // The policy is printed as a whole through its stream operator.
    std::cout << "The IAM policy for bucket " << bucket_name << " is "
              << *policy << "\n";
  }
 

C#

For more information, see the Cloud Storage C# API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  using 
  
 Google.Apis.Storage.v1.Data 
 ; 
 using 
  
  Google.Cloud.Storage.V1 
 
 ; 
 using 
  
 System 
 ; 
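 public class ViewBucketIamMembersSample
 {
     /// <summary>
     /// Reads a bucket's IAM policy, prints every role binding to the console
     /// (role, members and, when present, the binding's condition), and
     /// returns the policy.
     /// </summary>
     /// <param name="bucketName">Name of the bucket whose policy is read.</param>
     /// <returns>The policy object returned by the client.</returns>
     public Policy ViewBucketIamMembers(string bucketName = "your-unique-bucket-name")
     {
         var storage = StorageClient.Create();

         // Version 3 is the policy version that can represent conditional
         // role bindings, so it is requested explicitly.
         var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
         {
             RequestedPolicyVersion = 3
         });

         // NOTE(review): Bindings is presumably null when the policy holds no
         // bindings at all; return early rather than fail in the loop.
         if (policy.Bindings == null)
         {
             return policy;
         }

         foreach (var binding in policy.Bindings)
         {
             Console.WriteLine($"Role: {binding.Role}");
             Console.WriteLine("Members:");
             foreach (var member in binding.Members)
             {
                 Console.WriteLine($"{member}");
             }

             // A conditional binding grants the role only while its expression
             // holds. Print it so the listing is not read as an unconditional
             // grant when it is used to review access.
             if (binding.Condition != null)
             {
                 Console.WriteLine($"Condition Title: {binding.Condition.Title}");
                 Console.WriteLine($"Condition Description: {binding.Condition.Description}");
                 Console.WriteLine($"Condition Expression: {binding.Condition.Expression}");
             }
         }

         return policy;
     }
 }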
 

Go

For more information, see the Cloud Storage Go API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "time" 
  
 "cloud.google.com/go/iam" 
  
 "cloud.google.com/go/storage" 
 ) 
 // getBucketPolicy reads the version 3 IAM policy of the named bucket, writes
 // one line per role binding (role, members, condition) to w, and returns the
 // policy. Errors from client creation and from the policy read are wrapped.
 func getBucketPolicy(w io.Writer, bucketName string) (*iam.Policy3, error) {
 	// bucketName := "bucket-name"
 	baseCtx := context.Background()
 	client, err := storage.NewClient(baseCtx)
 	if err != nil {
 		return nil, fmt.Errorf("storage.NewClient: %w", err)
 	}
 	defer client.Close()

 	// The policy read itself is bounded to ten seconds.
 	ctx, cancel := context.WithTimeout(baseCtx, 10*time.Second)
 	defer cancel()

 	// V3() selects the policy form that carries each binding's Condition.
 	iamHandle := client.Bucket(bucketName).IAM().V3()
 	policy, err := iamHandle.Policy(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("Bucket(%q).IAM().V3().Policy: %w", bucketName, err)
 	}

 	for i := range policy.Bindings {
 		b := policy.Bindings[i]
 		fmt.Fprintf(w, "%q: %q (condition: %v)\n", b.Role, b.Members, b.Condition)
 	}
 	return policy, nil
 }
 

Java

For more information, see the Cloud Storage Java API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  import 
  
 com.google.cloud. Binding 
 
 ; 
 import 
  
 com.google.cloud. Policy 
 
 ; 
 import 
  
 com.google.cloud.storage. Storage 
 
 ; 
 import 
  
 com.google.cloud.storage. StorageOptions 
 
 ; 
 public class ListBucketIamMembers {
   /**
    * Prints the role and members of every binding in a bucket's IAM policy, followed by the
    * title, description and expression of the binding's condition when one is set.
    *
    * @param projectId the ID of your GCP project
    * @param bucketName the ID of your GCS bucket
    */
   public static void listBucketIamMembers(String projectId, String bucketName) {
     // The ID of your GCP project
     // String projectId = "your-project-id";

     // The ID of your GCS bucket
     // String bucketName = "your-unique-bucket-name";

     // For more information please read:
     // https://cloud.google.com/storage/docs/access-control/iam
     Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

     // Policy version 3 is the version that can represent conditional bindings.
     Storage.BucketSourceOption versionOption =
         Storage.BucketSourceOption.requestedPolicyVersion(3);
     Policy policy = storage.getIamPolicy(bucketName, versionOption);

     // Print binding information
     for (Binding binding : policy.getBindingsList()) {
       System.out.printf("Role: %s Members: %s\n", binding.getRole(), binding.getMembers());

       // Unconditional bindings have nothing more to print.
       if (binding.getCondition() == null) {
         continue;
       }

       System.out.printf("Condition Title: %s\n", binding.getCondition().getTitle());
       System.out.printf("Condition Description: %s\n", binding.getCondition().getDescription());
       System.out.printf("Condition Expression: %s\n", binding.getCondition().getExpression());
     }
   }
 }
 

Node.js

For more information, see the Cloud Storage Node.js API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

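  /**
   * TODO(developer): Uncomment the following lines before running the sample.
   */
  // The ID of your GCS bucket
  // const bucketName = 'your-unique-bucket-name';

  // Imports the Google Cloud client library
  const {Storage} = require('@google-cloud/storage');

  // Creates a client
  const storage = new Storage();

  /**
   * Prints every role binding of the bucket's IAM policy: the role, each
   * member, and the condition's title, description and expression when the
   * binding has one. Reads `bucketName` from the enclosing scope.
   */
  async function viewBucketIamMembers() {
    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    // Policy version 3 is the version that can represent conditional bindings.
    const [policy] = await storage
      .bucket(bucketName)
      .iam.getPolicy({requestedPolicyVersion: 3});

    // NOTE(review): a policy with no role bindings presumably comes back
    // without a `bindings` field; fall back to an empty list so the loop
    // below does not throw on `undefined`.
    const bindings = policy.bindings || [];

    console.log(`Bindings for bucket ${bucketName}:`);
    for (const binding of bindings) {
      console.log(`  Role: ${binding.role}`);
      console.log('  Members:');

      for (const member of binding.members) {
        console.log(`${member}`);
      }

      // A conditional binding grants the role only while its expression
      // holds, so the condition is printed with the binding it limits.
      const condition = binding.condition;
      if (condition) {
        console.log('  Condition:');
        console.log(`    Title: ${condition.title}`);
        console.log(`    Description: ${condition.description}`);
        console.log(`    Expression: ${condition.expression}`);
      }
    }
  }

  viewBucketIamMembers().catch(console.error);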
 

PHP

For more information, see the Cloud Storage PHP API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  use Google\Cloud\Storage\StorageClient; 
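 /**
  * View Bucket IAM members for a given Cloud Storage bucket.
  *
  * Requests policy version 3 and prints, for every role binding, the role,
  * its members and the binding's condition when one is set.
  *
  * @param string $bucketName The name of your Cloud Storage bucket.
  *        (e.g. 'my-bucket')
  */
 function view_bucket_iam_members(string $bucketName): void
 {
     $storage = new StorageClient();
     $bucket = $storage->bucket($bucketName);
     // Policy version 3 is the version that can represent conditional bindings.
     $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

     printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
     printf(PHP_EOL);

     // NOTE(review): a policy with no role bindings presumably has no
     // 'bindings' key; iterate over an empty list instead of raising a warning.
     foreach (($policy['bindings'] ?? []) as $binding) {
         printf('Role: %s' . PHP_EOL, $binding['role']);
         printf('Members:' . PHP_EOL);
         foreach ($binding['members'] as $member) {
             printf('  %s' . PHP_EOL, $member);
         }

         if (isset($binding['condition'])) {
             $condition = $binding['condition'];
             printf('  with condition:' . PHP_EOL);
             // Title and description are optional on a condition; print an
             // empty value rather than emit an undefined-index notice.
             printf('    Title: %s' . PHP_EOL, $condition['title'] ?? '');
             printf('    Description: %s' . PHP_EOL, $condition['description'] ?? '');
             printf('    Expression: %s' . PHP_EOL, $condition['expression']);
         }
         printf(PHP_EOL);
     }
 }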
 

Python

For more information, see the Cloud Storage Python API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  from 
  
 google.cloud 
  
 import 
  storage 
 
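 def view_bucket_iam_members(bucket_name):
     """View IAM Policy for a bucket.

     Requests policy version 3 and prints the role and members of every
     binding, followed by the binding's condition when it has one.

     Args:
         bucket_name: Name of the bucket whose IAM policy is read.
     """
     # bucket_name = "your-bucket-name"

     storage_client = storage.Client()
     bucket = storage_client.bucket(bucket_name)

     # Policy version 3 is the version that can represent conditional bindings.
     policy = bucket.get_iam_policy(requested_policy_version=3)

     for binding in policy.bindings:
         print(f"Role: {binding['role']}, Members: {binding['members']}")

         # A conditional binding grants the role only while its expression
         # holds. Without this output the listing would show it as an
         # unconditional grant, which misleads anyone reviewing access.
         condition = binding.get("condition")
         if condition:
             print(f"  Condition Title: {condition.get('title')}")
             print(f"  Condition Description: {condition.get('description')}")
             print(f"  Condition Expression: {condition.get('expression')}")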
 

Ruby

For more information, see the Cloud Storage Ruby API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  # Prints the role and members of every binding in a bucket's IAM policy,
  # and the condition's title, description and expression for bindings that
  # carry one.
  def view_bucket_iam_members(bucket_name:)
    # The ID of your GCS bucket
    # bucket_name = "your-unique-bucket-name"

    require "google/cloud/storage"

    client = Google::Cloud::Storage.new
    bucket = client.bucket bucket_name

    # Policy version 3 is the version that can represent conditional bindings.
    policy = bucket.policy requested_policy_version: 3

    policy.bindings.each do |binding|
      puts "Role: #{binding.role}"
      puts "Members: #{binding.members}"

      # Only a conditional binding has more to print.
      next unless binding.condition

      puts "Condition Title: #{binding.condition.title}"
      puts "Condition Description: #{binding.condition.description}"
      puts "Condition Expression: #{binding.condition.expression}"
    end
  end
 

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
