Storage Transfer Service encrypts your data over an HTTPS session with TLS for both
connections through the public internet, and through private connections (such
as Cloud Interconnect). If you are using Cloud Interconnect,
you can obtain an additional layer of security byusing private API
endpoints.
Protecting Google Cloud resources
Agents usegcloud authto connect to Storage Transfer Service and Cloud Storage
resources used during the transfer. Therefore your Google Cloud resources are
protected using Identity and Access Management and the account that you choose to provision for
transfer agent use. You may also use aservice
account, which can help make
permissions management easier to use.
IAM
Storage Transfer Service supports the following Storage Transfer Servicepredefined IAM roles:
Storage Transfer Admin— Provides all Storage Transfer Service
permissions.
Storage Transfer User— Can submit and monitor jobs, but can't
delete jobs or see admin settings such as agent details or bandwidth
settings.
Storage Transfer Service doesn't support custom IAM roles or theStorage Transfer Viewerpredefined role. Users in either scenario may
not see a polished user interface. If they attempt to load pages they
don't have permissions for, the page will display an error or a blank page.
However, the permitted actions remain restricted.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Protect file system data\n\nYou have several options for protecting the data and resources that you\ntransfer.\n\nProtecting your file system resources\n-------------------------------------\n\nAgents access files from the environment they are running in. This means that\nyou have several ways that you can protect access to your data:\n\n- Using a restricted user or role account to run the agent container.\n\n- Limiting the file systems that are mounted to the agent container.\n\n- Choose NFS mount permissions in accordance with your security policies, such\n as no write access.\n\n- [Restricting agent directory access](/storage-transfer/docs/on-prem-agent-details#restrict-directory-access).\n\n| **Important:** Users able to create transfer jobs can retrieve data from, and download data to, any file system directory that is accessible by the agent. If agents are run as root and are given access to the entire file system, a malicious actor may be able to take over the host. It is strongly recommended that you [restrict agent access](/storage-transfer/docs/on-prem-agent-details#restrict-directory-access) to only necessary directories.\n\nProtecting data in-flight\n-------------------------\n\nStorage Transfer Service encrypts your data over an HTTPS session with TLS for both\nconnections through the public internet, and through private connections (such\nas Cloud Interconnect). If you are using Cloud Interconnect,\nyou can obtain an additional layer of security by [using private API\nendpoints](/storage-transfer/docs/on-prem-agent-details#direct-interconnect).\n| **Note:** Storage Transfer Service does not encrypt data on your behalf, such as in customer-managed encryption keys (CMEK). We only encrypt data in transit.\n\nProtecting Google Cloud resources\n---------------------------------\n\nAgents use `gcloud auth` to connect to Storage Transfer Service and Cloud Storage\nresources used during the transfer. Therefore your Google Cloud resources are\nprotected using Identity and Access Management and the account that you choose to provision for\ntransfer agent use. You may also use a [service\naccount](/storage-transfer/docs/on-prem-agent-details#service-credentials), which can help make\npermissions management easier to use.\n\nIAM\n---\n\nStorage Transfer Service supports the following Storage Transfer Service\n[predefined IAM roles](/storage-transfer/docs/access-control#predefined-roles):\n\n- **Storage Transfer Admin** --- Provides all Storage Transfer Service\n permissions.\n\n- **Storage Transfer User** --- Can submit and monitor jobs, but can't\n delete jobs or see admin settings such as agent details or bandwidth\n settings.\n\nStorage Transfer Service doesn't support custom IAM roles or the\n**Storage Transfer Viewer** predefined role. Users in either scenario may\nnot see a polished user interface. If they attempt to load pages they\ndon't have permissions for, the page will display an error or a blank page.\nHowever, the permitted actions remain restricted."]]
