This page provides an overview of managed folders in Cloud Storage. Managed folders are a type of folder on which you can grant IAM roles, so you have more fine-grained access control over specific groups of objects within a bucket. Managed folders exist as resources within Cloud Storage and are different from simulated folders, which operate with a flat namespace.
IAM for managed folders
When you apply an IAM policy on a managed folder, the access granted in the policy also applies to any object within that bucket that has the managed folder's name as a prefix. For example, if you grant a principal the Storage Object Viewer (roles/storage.objectViewer) role on a managed folder named example-bucket/example-managed-folder/, the principal can view any object within example-managed-folder (such as example-bucket/example-managed-folder/example-object.txt).
When you nest managed folders, the permissions granted through
IAM policies are applied additively.
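The following added example (not part of the original page or of any Google tooling) is a simplified local model of the prefix and additive rules described above, useful for auditing who ends up with a role on a given object. The folder names, principals and policy layout are constructed sample data, and the model covers only managed folder policies, not policies set on the bucket or project.

```python
from collections import defaultdict

# Constructed sample data: managed folder name -> {role: set of principals}.
# Names are relative to the bucket and end with "/", as managed folder names must.
FOLDER_POLICIES = {
    "reports/": {"roles/storage.objectViewer": {"group:analysts@example.com"}},
    "reports/finance/": {
        "roles/storage.objectViewer": {"user:auditor@example.com"},
        "roles/storage.objectAdmin": {"user:cfo@example.com"},
    },
    "uploads/": {"roles/storage.objectCreator": {"user:ingest@example.com"}},
}


def applicable_folders(object_name, policies=FOLDER_POLICIES):
    """Managed folders whose name is a prefix of the object name, outermost first."""
    return sorted((f for f in policies if object_name.startswith(f)), key=len)


def effective_grants(object_name, policies=FOLDER_POLICIES):
    """Union of grants from every applicable folder.

    Returns principal -> {role: [folders that grant it]} so an auditor can see
    which policy is responsible for each grant.
    """
    grants = defaultdict(lambda: defaultdict(list))
    for folder in applicable_folders(object_name, policies):
        for role, principals in policies[folder].items():
            for principal in principals:
                grants[principal][role].append(folder)
    return {p: dict(r) for p, r in grants.items()}


def principals_with_role(object_name, role, policies=FOLDER_POLICIES):
    """Everyone holding `role` on the object through any managed folder policy."""
    found = effective_grants(object_name, policies)
    return {p for p, roles in found.items() if role in roles}


if __name__ == "__main__":
    for name in ("reports/finance/q1.csv", "reports/summary.txt", "readme.txt"):
        print(name)
        for principal, roles in sorted(effective_grants(name).items()):
            for role, folders in sorted(roles.items()):
                print(f"  {principal}: {role} via {', '.join(folders)}")
```

Because grants are additive, the policy on reports/finance/ cannot narrow what reports/ already grants: the analysts group keeps viewer access to every object under the nested folder.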
Managed folders can only be created in buckets that have uniform bucket-level access enabled.
Read the following pages for more information about managed folders:
-  ManagedFolder reference page for the JSON API 
Managed folder names
The name you give to a managed folder must meet the following requirements:
-  Managed folder names can contain any sequence of valid Unicode characters, of length 1-1024 bytes when UTF-8 encoded. 
-  Managed folder names cannot contain Carriage Return or Line Feed characters.
-  Managed folder names must end with /. At most, a managed folder name can have 15 /s. In other words, managed folders can be nested up to 15 levels deep.
-  Managed folder names cannot start with .well-known/acme-challenge/.
-  Managed folders cannot be named "." or "..".
It is strongly recommended that you avoid the following in your managed folder names:
-  Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders. 
-  The [, ], *, or ? characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, * and ? are not valid characters for file names in Windows.
-  Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket. 
Considerations
When working with managed folders, note the following considerations:
-  Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named my-folder/, even if you have an existing object named my-folder/object.txt. Note that the IAM policy on the managed folder my-folder/ will then apply to all objects that have my-folder/ as a name prefix.
-  You can create child managed folders before the parent managed folder is created. For example, you can create a managed folder named my-folder-A/my-folder-B/ without first creating a managed folder named my-folder-A/.
-  By default, you can't delete a non-empty managed folder that contains objects or other child managed folders. You can bypass this rule when using the allowNonEmpty parameter in a DeleteManagedFolder JSON API request.
-  Managed folder names are visible in error messages and Cloud Audit Logs when a request to delete a folder that has a managed folder at the same path fails, even without explicit storage.managedFolders.get or storage.managedFolders.list permissions.
What's next
-  Learn about simulated folders.
-  Upload objects to a Cloud Storage bucket. 
-  Learn about the best practices for using managed folders.

