This document provides information about Identity and Access Management (IAM) roles and
permissions for Cloud Storage.
Predefined roles
The following table describes Identity and Access Management (IAM) roles
that are associated with Cloud Storage and lists the
permissions that are contained in each role. Unless otherwise noted, these roles
can be granted on projects, buckets, or managed folders. However, you can grant legacy roles only on individual buckets.
Grants permission to view buckets and their metadata, excluding IAM policies.
storage.buckets.get
storage.buckets.list
Storage Express Mode Service Input (Beta)
(roles/storage.expressModeServiceInput)
Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders. Note that the permission list below also includes storage.objects.delete and storage.objects.update, so a holder can overwrite and delete objects in the folder, not only add them.
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.update
Storage Express Mode Service Output (Beta)
(roles/storage.expressModeServiceOutput)
Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders. Note that the permission list below includes storage.objects.delete, so a holder can delete objects in the folder even though it cannot create or update them.
storage.objects.delete
storage.objects.get
storage.objects.list
Storage Express Mode User Access (Beta)
(roles/storage.expressModeUserAccess)
Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.
orgpolicy.policy.get
storage.buckets.get
storage.buckets.list
storage.multipartUploads.*
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.restore
storage.objects.update
Storage Folder Admin
(roles/storage.folderAdmin)
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename
storage.managedFolders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy
storage.multipartUploads.*
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.*
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext
Storage HMAC Key Admin
(roles/storage.hmacKeyAdmin)
Full control of Cloud Storage HMAC keys.
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update
Storage Insights Collector Service
(roles/storage.insightsCollectorService)
Read-only access to Cloud Storage Inventory metadata for Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.buckets.getObjectInsights
Storage Legacy Bucket Owner
(roles/storage.legacyBucketOwner)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read and edit bucket metadata, including allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.anywhereCaches.*
storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update
storage.bucketOperations.*
storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.folders.*
storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename
storage.managedFolders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy
storage.multipartUploads.*
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.list
storage.objects.restore
storage.objects.setRetention
storage.objects.updateContext
Storage Legacy Bucket Reader
(roles/storage.legacyBucketReader)
Grants permission to list a bucket's contents and read bucket metadata,
excluding allow policies. Also grants permission to read object metadata,
excluding allow policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. For more
information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.buckets.get
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.list
Storage Legacy Bucket Writer
(roles/storage.legacyBucketWriter)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read bucket metadata, excluding allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.buckets.get
storage.folders.*
storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Object Owner
(roles/storage.legacyObjectOwner)
Grants permission to view and edit objects and their metadata, including
ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.objects.createContext
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.overrideUnlockedRetention
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext
Storage Legacy Object Reader
(roles/storage.legacyObjectReader)
Grants permission to view objects and their metadata, excluding ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.objects.get
Storage Object Admin
(roles/storage.objectAdmin)
Grants full control of objects, including listing, creating, viewing,
and deleting objects.
Lowest-level resources where you can grant this role:
Bucket
monitoring.timeSeries.create
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.*
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext
Storage Object Creator
(roles/storage.objectCreator)
Allows users to create objects. Does not give permission to view,
delete, or overwrite objects.
Lowest-level resources where you can grant this role:
Bucket
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.create
storage.managedFolders.create
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
Storage Object User
(roles/storage.objectUser)
Access to create, read, update and delete objects and multipart uploads in GCS.
monitoring.timeSeries.create
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.list
storage.objects.move
storage.objects.restore
storage.objects.update
storage.objects.updateContext
Storage Object Viewer
(roles/storage.objectViewer)
Grants access to view objects and their metadata, excluding ACLs. Can
also list the objects in a bucket.
Lowest-level resources where you can grant this role:
Bucket
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Predefined Storage Insights roles
The following table describes IAM roles
that are associated with Storage Insights and lists the
permissions that are contained in each role.
Role
Permissions
Storage Insights Admin
(roles/storageinsights.admin)
Full access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.*
storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update
storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.cancel
storageinsights.operations.delete
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.create
storageinsights.reportConfigs.delete
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportConfigs.update
storageinsights.reportDetails.get
storageinsights.reportDetails.list
Storage Insights Analyst
(roles/storageinsights.analyst)
Data access to Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.locations.*
storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportDetails.*
storageinsights.reportDetails.get
storageinsights.reportDetails.list
StorageInsights Service Agent
(roles/storageinsights.serviceAgent)
Permissions for Storage Insights to write reports into the customer's project.
bigquery.datasets.create
serviceusage.services.use
storageinsights.reportDetails.list
Storage Insights Viewer
(roles/storageinsights.viewer)
Read-only access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.list
storageinsights.locations.*
storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportDetails.*
storageinsights.reportDetails.get
storageinsights.reportDetails.list
Basic roles
Basic roles are roles that existed prior to IAM. These roles have
unique characteristics:
Basic roles can only be granted for an entire project, not for individual
buckets within the project. Like other roles that you grant for a project,
basic roles apply to all buckets and objects in the project.
Basic roles contain additional permissions for other Google Cloud
services that are not covered in this section. See basic roles for a
general discussion of the permissions that basic roles grant.
Each basic role has a convenience value that lets you use the basic
role as if it were a group. When used in this way, any principal that has the
basic role is considered to be part of the group. Everyone in the group gets
additional access for resources based on the access the convenience value has.
Convenience values can be used when granting roles for buckets.
Convenience values can be used when setting ACLs on objects.
Basic roles don't intrinsically give all of the access to
Cloud Storage resources that their names imply. Instead, they give
a portion of the expected access intrinsically and the rest of the expected
access through the use of convenience values. Because convenience values can
be manually added or removed like any other IAM principal, it
is possible to revoke access that principals might otherwise expect to have.
For a discussion of additional access that principals with basic roles
typically gain due to convenience values, see modifiable behavior.
Intrinsic permissions
The following table describes the Cloud Storage permissions that are
always associated with each basic role.
Role
Description
Cloud Storage Permissions
Viewer
(roles/viewer)
Grants permission to list buckets in the project; view bucket
metadata when listing (excluding ACLs); and list and get HMAC keys in
the project.
Editor
(roles/editor)
Grants permission to create, list, and delete buckets in the project;
view bucket metadata when listing (excluding ACLs); and control HMAC
keys in the project.
Owner
(roles/owner)
Grants permission to create, list, and delete buckets in the
project; view bucket metadata when listing (excluding ACLs); create,
delete, and list tag bindings; control HMAC keys in the project; and
enable, disable, update, and get the Storage Intelligence configuration
on a project, a folder, or an organization.
Within Google Cloud more generally, principals with
this role can perform administrative tasks such as
changing principals' roles for the project or changing billing.
Principals granted basic roles often have additional access to a project's
buckets and objects due to convenience values. When a bucket is created,
convenience values are granted certain bucket-level access, but you can later
edit your bucket IAM policies and your object ACLs to remove or
change the access.
When you create a bucket that has uniform bucket-level access enabled, the
following access is granted via convenience values:
Principals granted roles/viewer gain the roles/storage.legacyBucketReader and roles/storage.legacyObjectReader roles for the bucket.
Principals granted roles/editor gain the roles/storage.legacyBucketOwner and roles/storage.legacyObjectOwner roles for the bucket.
Principals granted roles/owner gain the roles/storage.legacyBucketOwner and roles/storage.legacyObjectOwner roles for the bucket.
When you create a bucket that does not have uniform bucket-level access enabled, the
following access is granted using convenience values:
Principals granted roles/viewer gain the roles/storage.legacyBucketReader role for the bucket.
Principals granted roles/editor gain the roles/storage.legacyBucketOwner role for the bucket.
Principals granted roles/owner gain the roles/storage.legacyBucketOwner role for the bucket.
Because roles/storage.legacyBucketOwner includes storage.buckets.setIamPolicy, a principal that holds only the project-level Editor role can change the IAM policy of any such bucket until the convenience value is removed from the bucket's policy.
Additionally, the bucket has a default object Access Control List (ACL).
This default ACL is often applied to new objects in the bucket and often
grants additional access to convenience values.
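The following script audits a bucket IAM policy for the bindings this section describes: convenience-value members, legacy roles, public principals, and roles whose permission lists on this page include setIamPolicy. It is an added example, not Google's code or a tool from the Cloud Storage documentation. The policy document is constructed inline; in practice you would feed it the JSON returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`. The `projectViewer:`, `projectEditor:` and `projectOwner:` member prefixes are the form bucket policies use for convenience values; the sample project ID, principals and etag are made up.

```python
"""Audit a Cloud Storage bucket IAM policy for convenience values, legacy roles,
public principals and policy-editing roles, then produce a cleaned copy with
the convenience values removed. Added example; the policy below is constructed."""
import json

# Member prefixes that bucket IAM policies use for basic-role convenience values.
CONVENIENCE_PREFIXES = ("projectViewer:", "projectEditor:", "projectOwner:")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
LEGACY_ROLES = {
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyObjectOwner",
    "roles/storage.legacyObjectReader",
}
# Predefined roles whose permission lists on this page contain
# storage.buckets.setIamPolicy or storage.objects.setIamPolicy, so a holder
# can widen access further.
POLICY_EDITING_ROLES = {
    "roles/storage.folderAdmin",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyObjectOwner",
    "roles/storage.objectAdmin",
}

# Constructed sample: a bucket created without uniform bucket-level access,
# still carrying the convenience values seeded at creation time.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:my-project", "projectOwner:my-project"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["projectViewer:my-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@my-project.iam.gserviceaccount.com",
                 "allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXyZ123abc=",
  "version": 1
}
"""


def load_sample_policy():
    """Parse the constructed sample policy (stand-in for the gcloud JSON output)."""
    return json.loads(SAMPLE_POLICY_JSON)


def classify(role, member):
    """Return the set of concerns a single (role, member) pair raises."""
    tags = set()
    if member.startswith(CONVENIENCE_PREFIXES):
        tags.add("convenience-value")
    if member in PUBLIC_MEMBERS:
        tags.add("public")
    if role in LEGACY_ROLES:
        tags.add("legacy-role")
    if role in POLICY_EDITING_ROLES:
        tags.add("can-edit-policy")
    return tags


def audit_policy(policy):
    """List (role, member, sorted tags) for every binding member that raises a concern."""
    findings = []
    for binding in policy.get("bindings", []):
        # Conditional bindings are reported too: a condition narrows a grant,
        # it does not remove it.
        for member in binding.get("members", []):
            tags = classify(binding["role"], member)
            if tags:
                findings.append((binding["role"], member, sorted(tags)))
    return findings


def strip_convenience_values(policy):
    """Copy of the policy with convenience-value members removed.

    Bindings left without members are dropped. The etag is kept so that a
    write-back is rejected if someone else changed the policy in the meantime.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    cleaned["bindings"] = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", [])
                   if not m.startswith(CONVENIENCE_PREFIXES)]
        if members:
            cleaned["bindings"].append({**binding, "members": members})
    return cleaned


if __name__ == "__main__":
    policy = load_sample_policy()
    for role, member, tags in audit_policy(policy):
        print(f"{role:42} {member:55} {', '.join(tags)}")
    print(json.dumps(strip_convenience_values(policy), indent=2))
```

Write the cleaned document to a file and apply it with `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`; the preserved etag makes the update fail instead of silently overwriting a concurrent change. The `public` and `can-edit-policy` findings are reported but not removed, since whether `allUsers` on a bucket is intentional is a decision, not a mechanical fix.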
Custom roles
You might want to define your own roles which contain bundles of permissions that
you specify. To support this, IAM offerscustom roles.
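To make the choice between a predefined role from the table above and a custom role concrete, the following added example (not Google's code) takes a workload's required object permissions, finds the predefined roles that cover them, ranks them by surplus, and advises a custom role when every candidate would also hand out a permission that mutates data, retention or the policy. The permission sets are the storage.objects.* entries copied from the role table on this page; bucket, folder and multipart-upload permissions are deliberately left out of the comparison, and the role title and description strings are made up.

```python
"""Least-privilege role selection for Cloud Storage object permissions.
Added example. Permission sets are the storage.objects.* entries from the
predefined role table on this page; other permission families are omitted."""

P = "storage.objects."

ROLE_OBJECT_PERMISSIONS = {
    "roles/storage.legacyObjectReader": {P + "get"},
    "roles/storage.objectViewer": {P + "get", P + "list"},
    "roles/storage.objectCreator": {P + "create", P + "createContext"},
    "roles/storage.objectUser": {
        P + n for n in ("create", "createContext", "delete", "deleteContext",
                        "get", "list", "move", "restore", "update", "updateContext")
    },
    "roles/storage.legacyObjectOwner": {
        P + n for n in ("createContext", "deleteContext", "get", "getIamPolicy",
                        "overrideUnlockedRetention", "setIamPolicy", "setRetention",
                        "update", "updateContext")
    },
    # Beta roles meant for Express Mode service accounts on managed folders;
    # listed so their surplus shows up rather than being overlooked.
    "roles/storage.expressModeServiceOutput": {P + "delete", P + "get", P + "list"},
    "roles/storage.expressModeServiceInput": {
        P + n for n in ("create", "delete", "list", "update")
    },
}
ROLE_OBJECT_PERMISSIONS["roles/storage.objectAdmin"] = (
    ROLE_OBJECT_PERMISSIONS["roles/storage.objectUser"]
    | {P + n for n in ("getIamPolicy", "overrideUnlockedRetention",
                       "setIamPolicy", "setRetention")}
)

# Surplus permissions that change data, retention or the policy itself.
MUTATING = {
    P + n for n in ("create", "createContext", "delete", "deleteContext", "move",
                    "overrideUnlockedRetention", "restore", "setIamPolicy",
                    "setRetention", "update", "updateContext")
}


def candidate_roles(required):
    """Predefined roles covering every required permission, least surplus first."""
    required = set(required)
    candidates = [
        (role, sorted(perms - required))
        for role, perms in ROLE_OBJECT_PERMISSIONS.items()
        if required <= perms
    ]
    return sorted(candidates, key=lambda c: (len(c[1]), c[0]))


def recommend(required):
    """Return (role, surplus, needs_custom_role).

    needs_custom_role is True when no predefined role covers the set, or when
    the tightest one still grants a mutating permission that was not asked for.
    """
    candidates = candidate_roles(required)
    if not candidates:
        return None, [], True
    role, surplus = candidates[0]
    return role, surplus, any(p in MUTATING for p in surplus)


def custom_role_definition(title, required):
    """Dict in the shape of the YAML file taken by `gcloud iam roles create --file`.

    The role ID itself is a positional argument to that command, not part of
    the file; the description text here is illustrative.
    """
    return {
        "title": title,
        "description": "Least-privilege role generated from the required permission set",
        "stage": "GA",
        "includedPermissions": sorted(required),
    }


if __name__ == "__main__":
    for required in ({P + "get", P + "list"}, {P + "get"}, {P + "create", P + "list"}):
        role, surplus, custom = recommend(required)
        print(sorted(required), "->", role, "surplus:", surplus,
              "custom role advised:", custom)
    print(custom_role_definition("Object ingest with listing", {P + "create", P + "list"}))
```

For a workload that only reads and lists, the picker lands on roles/storage.objectViewer with no surplus. For one that creates and lists, the tightest predefined match carries delete and update, which is the case where a custom role created with `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml` from the generated definition is the smaller grant.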
Last updated 2025-11-13 UTC.