The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage XML method on a given resource.
| Method | Resource | Subresource | Required IAM Permissions 1 |
|---|---|---|---|
DELETE
|
bucket
|
storage.buckets.delete
|
|
DELETE
|
object
|
storage.objects.delete
|
|
DELETE
|
object
|
uploadId
|
storage.multipartUploads.abort
|
GET
|
storage.buckets.list
|
||
GET
|
bucket
|
storage.objects.list
|
|
GET
|
bucket
|
acls
3
|
storage.buckets.get
storage.buckets.getIamPolicy
|
GET
|
bucket
|
Non-ACL metadata | storage.buckets.get
|
GET
|
bucket
|
uploads
|
storage.multipartUploads.list
|
GET
|
object
|
storage.objects.get
|
|
GET
|
object
|
acls
3
|
storage.objects.get
storage.objects.getIamPolicy
|
GET
|
object
|
encryption
|
storage.objects.get
|
GET
|
object
|
retention
|
storage.objects.get
|
GET
|
object
|
uploadId
|
storage.multipartUploads.listParts
|
HEAD
|
bucket
|
storage.buckets.get
|
|
HEAD
|
object
|
storage.objects.get
|
|
POST
|
object
|
storage.objects.create
storage.objects.delete
4
storage.objects.setRetention
5
|
|
POST
|
object
|
uploadId
|
storage.multipartUploads.create
storage.objects.create
storage.objects.delete
4
|
POST
|
object
|
uploads
|
storage.multipartUploads.create
storage.objects.create
storage.objects.setRetention
5
|
PUT
|
bucket
|
storage.buckets.create
storage.buckets.enableObjectRetention
6
|
|
PUT
|
bucket
|
acls
3
|
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
|
PUT
|
bucket
|
Non-ACL metadata | storage.buckets.update
|
PUT
7
|
object
|
storage.objects.create
storage.objects.get
2
storage.objects.delete
4
storage.objects.setRetention
5
|
|
PUT
|
object
|
acls
3
|
storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
|
PUT
|
object
|
compose
|
storage.objects.create
storage.objects.get
storage.objects.delete
4
storage.objects.setRetention
5
|
PUT
|
object
|
retention
|
storage.objects.setRetention
storage.objects.update
storage.objects.overrideUnlockedRetention
8
|
PUT
|
object
|
uploadId
|
storage.multipartUploads.create
storage.objects.create
|
1
If you use the x-goog-user-project
header
or userProject
query string parameter
in your request, you must have serviceusage.services.use
permission for the project ID that you specify,
in addition to the normal IAM permissions required to make the
request.
2
This permission is required for the source bucket when the request
includes the x-goog-copy-source
header
.
3 This subresource does not apply to buckets with uniform bucket-level access enabled.
4 This permission is only required when the inserted object has the same name as an object that already exists in the bucket.
5
This permission is only required when the request includes the x-goog-object-lock-mode
and x-goog-object-lock-retain-until-date
headers.
6
This permission is only required when the request includes a x-goog-bucket-object-lock-enabled
header set to true
.
7
No permissions are required to make PUT
requests associated with
a resumable upload
.
8
This permission is only required when the request includes a x-goog-bypass-governance-retention
header set to true
.
What's next
- For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage .
