The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage JSON method on a given resource. IAM permissions are bundled together to make roles, and you grant roles to users and groups.
For additional methods that apply only to buckets with uniform bucket-level access disabled, see the ACL-related methods table below.
Resource | Method | Required IAM Permissions [1]
---|---|---
AnywhereCache | create | storage.anywhereCaches.create
AnywhereCache | disable | storage.anywhereCaches.disable
AnywhereCache | get | storage.anywhereCaches.get
AnywhereCache | list | storage.anywhereCaches.list
AnywhereCache | pause | storage.anywhereCaches.pause
AnywhereCache | resume | storage.anywhereCaches.resume
AnywhereCache | update | storage.anywhereCaches.update
Buckets | delete | storage.buckets.delete
Buckets | get | storage.buckets.get<br>storage.buckets.getIamPolicy [2]<br>storage.buckets.getIpFilter [13]<br>storage.anywhereCaches.get [18]
Buckets | getIamPolicy | storage.buckets.getIamPolicy
Buckets | insert | storage.buckets.create<br>storage.buckets.enableObjectRetention [3]<br>storage.buckets.setIpFilter [14]
Buckets | list | storage.buckets.list<br>storage.buckets.getIamPolicy [2]<br>storage.buckets.getIpFilter [13]<br>storage.anywhereCaches.list
Buckets | listChannels | storage.buckets.get
Buckets | lockRetentionPolicy | storage.buckets.update
Buckets | patch | storage.buckets.update<br>storage.buckets.getIamPolicy [4]<br>storage.buckets.setIamPolicy [5]<br>storage.buckets.setIpFilter [14]<br>storage.buckets.getIpFilter [13]
Buckets | relocate | storage.buckets.relocate
Buckets | setIamPolicy | storage.buckets.setIamPolicy
Buckets | testIamPermissions | None
Buckets | update | storage.buckets.update<br>storage.buckets.getIamPolicy [4]<br>storage.buckets.setIamPolicy [5]<br>storage.buckets.setIpFilter [14]<br>storage.buckets.getIpFilter [13]<br>storage.anywhereCaches.update
DatasetConfigs | delete | storageinsights.datasetConfigs.delete
DatasetConfigs | get | storageinsights.datasetConfigs.get
DatasetConfigs | insert | storageinsights.datasetConfigs.create
DatasetConfigs | list | storageinsights.datasetConfigs.list
DatasetConfigs | linkDataset | storageinsights.datasetConfigs.linkDataset
DatasetConfigs | unlinkDataset | storageinsights.datasetConfigs.unlinkDataset
DatasetConfigs | patch | storageinsights.datasetConfigs.update
Channels | stop | None
Folders | get | storage.folders.get
Folders | insert | storage.folders.create
Folders | list | storage.folders.list
Folders | rename | storage.folders.rename<br>storage.folders.create
Folders | delete | storage.folders.delete
IntelligenceConfig | getIntelligenceConfig | storage.intelligenceConfigs.get
IntelligenceConfig | updateIntelligenceConfig | storage.intelligenceConfigs.update
Jobs | create | storagebatchoperations.jobs.create
Jobs | get | storagebatchoperations.jobs.get<br>storagebatchoperations.operations.get
Jobs | list | storagebatchoperations.jobs.list<br>storagebatchoperations.operations.list
Jobs | cancel | storagebatchoperations.jobs.cancel<br>storagebatchoperations.operations.cancel
Jobs | delete | storagebatchoperations.jobs.delete
ManagedFolders | delete | storage.managedfolders.delete<br>storage.managedfolders.setIamPolicy [10]
ManagedFolders | get | storage.managedfolders.get
ManagedFolders | getIamPolicy | storage.managedfolders.getIamPolicy
ManagedFolders | insert | storage.managedfolders.create
ManagedFolders | list | storage.managedfolders.list
ManagedFolders | update | storage.managedfolders.update
ManagedFolders | setIamPolicy | storage.managedfolders.setIamPolicy
Notifications | delete | storage.buckets.update
Notifications | get | storage.buckets.get
Notifications | insert | storage.buckets.update
Notifications | list | storage.buckets.get
Objects | bulkRestore | storage.buckets.restore<br>storage.objects.create<br>storage.objects.delete [11]<br>storage.objects.restore<br>storage.objects.setIamPolicy [6, 12]
Objects | compose | storage.objects.get<br>storage.objects.create<br>storage.objects.delete [7]<br>storage.objects.getIamPolicy [2, 6]<br>storage.objects.setRetention [8]
Objects | copy | storage.objects.get<br>storage.objects.create<br>storage.objects.delete<br>storage.objects.setRetention
Objects | delete | storage.objects.delete
Objects | get | storage.objects.get<br>storage.objects.getIamPolicy [2, 6]
Objects | insert | storage.objects.create<br>storage.objects.delete [7]<br>storage.objects.setRetention [8]
Objects | list | storage.objects.list<br>storage.objects.getIamPolicy [2, 6]
Objects | move | storage.objects.move [15]<br>storage.objects.delete [15]<br>storage.objects.get [15]<br>storage.objects.create<br>storage.objects.delete [16]<br>storage.folders.create [17]
Objects | patch | storage.objects.update<br>storage.objects.setRetention [8]<br>storage.objects.overrideUnlockedRetention [9]<br>storage.objects.getIamPolicy [4, 6]<br>storage.objects.setIamPolicy [5, 6]
Objects | restore | storage.objects.create<br>storage.objects.delete [7]<br>storage.objects.restore<br>storage.objects.getIamPolicy [2, 6]<br>storage.objects.setIamPolicy [6, 12]
Objects | rewrite | storage.objects.get<br>storage.objects.create<br>storage.objects.delete<br>storage.objects.setRetention
Objects | update | storage.objects.update<br>storage.objects.setRetention [8]<br>storage.objects.overrideUnlockedRetention [9]<br>storage.objects.getIamPolicy [4, 6]<br>storage.objects.setIamPolicy [5, 6]
Objects | watchAll | storage.buckets.update
Projects.hmacKeys | create | storage.hmacKeys.create
Projects.hmacKeys | delete | storage.hmacKeys.delete
Projects.hmacKeys | get | storage.hmacKeys.get
Projects.hmacKeys | list | storage.hmacKeys.list
Projects.hmacKeys | update | storage.hmacKeys.update
Projects.serviceAccount | get | resourceManager.projects.get
ReportConfigs | delete | storageinsights.reportConfigs.delete
ReportConfigs | get | storageinsights.reportConfigs.get
ReportConfigs | list | storageinsights.reportConfigs.list
ReportConfigs | insert | storageinsights.reportConfigs.create
ReportConfigs | update | storageinsights.reportConfigs.update
ReportDetails | get | storageinsights.reportDetails.get
ReportDetails | list | storageinsights.reportDetails.list
[1] If you use the userProject parameter or the x-goog-user-project header in your request, you must have the serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.
[2] This permission is only required if you want to include ACLs or IAM policies as part of a full projection. If you don't have this permission and request a full projection, you receive only a partial projection.
[3] This permission is only required when the request includes the enableObjectRetention query parameter.
[4] This permission is only required if you want to include ACLs as part of the response.
[5] This permission is required if you want to include ACLs or changes to the public access prevention setting as part of the request.
[6] This permission does not apply to buckets with uniform bucket-level access enabled.
[7] This permission is only required if the request causes an object with the same name to be overwritten.
[8] This permission is required when the request body includes the retention property or when making an UPDATE request for an object that has an existing retention configuration.
[9] This permission is only required when the request includes the query parameter overrideUnlockedRetention=true.
[10] This permission is only required when the request includes the query parameter allowNonEmpty=true.
[11] This permission is only required when the request includes the query parameter allowOverwrite=true and the request causes an object with the same name to be overwritten.
[12] This permission is only required when the request includes the query parameter copySourceAcl=true.
[13] This permission is only required if you want to include bucket IP filtering rules as part of the Buckets: get request. If you don't have this permission, you receive only a partial projection.
[14] This permission is only required if you want to create, list, delete, and update bucket IP filtering rules.
[15] To move an object within a bucket with hierarchical namespace enabled, you need either the storage.objects.delete and storage.objects.get permissions, or the storage.objects.move permission if you want to move it without granting read or delete access to the object.
[16] This permission is required only if you want to replace an object.
[17] This permission is required only if you want to automatically create any missing parent folders.
[18] This permission is only required if you want to return caches created with Anywhere Cache.
ACL-related methods
The following table lists the IAM permissions required to run JSON methods that apply specifically to the management of ACLs. These methods only apply to buckets that have uniform bucket-level access disabled.
Resource | Method | Required IAM Permissions [1]
---|---|---
BucketAccessControls | delete | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
BucketAccessControls | get | storage.buckets.get<br>storage.buckets.getIamPolicy
BucketAccessControls | insert | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
BucketAccessControls | list | storage.buckets.get<br>storage.buckets.getIamPolicy
BucketAccessControls | patch | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
BucketAccessControls | update | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
DefaultObjectAccessControls | delete | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
DefaultObjectAccessControls | get | storage.buckets.get<br>storage.buckets.getIamPolicy
DefaultObjectAccessControls | insert | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
DefaultObjectAccessControls | list | storage.buckets.get<br>storage.buckets.getIamPolicy
DefaultObjectAccessControls | patch | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
DefaultObjectAccessControls | update | storage.buckets.get<br>storage.buckets.getIamPolicy<br>storage.buckets.setIamPolicy<br>storage.buckets.update
ObjectAccessControls | delete | storage.objects.get<br>storage.objects.getIamPolicy<br>storage.objects.setIamPolicy<br>storage.objects.update
ObjectAccessControls | get | storage.objects.get<br>storage.objects.getIamPolicy
ObjectAccessControls | insert | storage.objects.get<br>storage.objects.getIamPolicy<br>storage.objects.setIamPolicy<br>storage.objects.update
ObjectAccessControls | list | storage.objects.get<br>storage.objects.getIamPolicy
ObjectAccessControls | patch | storage.objects.get<br>storage.objects.getIamPolicy<br>storage.objects.setIamPolicy<br>storage.objects.update
ObjectAccessControls | update | storage.objects.get<br>storage.objects.getIamPolicy<br>storage.objects.setIamPolicy<br>storage.objects.update
[1] If you use the userProject parameter or the x-goog-user-project header in your request, you must have the serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.
What's next
- For a list of roles and the permissions they contain, see IAM roles for Cloud Storage.
- Assign IAM roles at the project and bucket level.