IAM roles for Cloud Storage
Storage Admin
(roles/storage.admin)
Grants full control of objects and buckets.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
Lowest-level resources where you can grant this role:
- Bucket
cloudaicompanion.instances.completeTask
cloudkms.keyHandles.*
  cloudkms.keyHandles.create
  cloudkms.keyHandles.get
  cloudkms.keyHandles.list
cloudkms.operations.get
cloudkms.projects.showEffectiveAutokeyConfig
firebase.projects.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.*
  monitoring.timeSeries.create
  monitoring.timeSeries.list
orgpolicy.policy.get
recommender.iamPolicyInsights.*
  recommender.iamPolicyInsights.get
  recommender.iamPolicyInsights.list
  recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.*
  recommender.iamPolicyRecommendations.get
  recommender.iamPolicyRecommendations.list
  recommender.iamPolicyRecommendations.update
recommender.storageBucketSoftDeleteInsights.*
  recommender.storageBucketSoftDeleteInsights.get
  recommender.storageBucketSoftDeleteInsights.list
  recommender.storageBucketSoftDeleteInsights.update
recommender.storageBucketSoftDeleteRecommendations.*
  recommender.storageBucketSoftDeleteRecommendations.get
  recommender.storageBucketSoftDeleteRecommendations.list
  recommender.storageBucketSoftDeleteRecommendations.update
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
  storage.anywhereCaches.create
  storage.anywhereCaches.disable
  storage.anywhereCaches.get
  storage.anywhereCaches.list
  storage.anywhereCaches.pause
  storage.anywhereCaches.resume
  storage.anywhereCaches.update
storage.bucketOperations.*
  storage.bucketOperations.cancel
  storage.bucketOperations.get
  storage.bucketOperations.list
storage.buckets.*
  storage.buckets.create
  storage.buckets.createTagBinding
  storage.buckets.delete
  storage.buckets.deleteTagBinding
  storage.buckets.enableObjectRetention
  storage.buckets.get
  storage.buckets.getIamPolicy
  storage.buckets.getIpFilter
  storage.buckets.getObjectInsights
  storage.buckets.list
  storage.buckets.listEffectiveTags
  storage.buckets.listTagBindings
  storage.buckets.relocate
  storage.buckets.restore
  storage.buckets.setIamPolicy
  storage.buckets.setIpFilter
  storage.buckets.update
  storage.buckets.viewIntelligenceDetails
storage.featureConfigs.*
  storage.featureConfigs.create
  storage.featureConfigs.delete
  storage.featureConfigs.get
  storage.featureConfigs.list
  storage.featureConfigs.update
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.intelligenceConfigs.*
  storage.intelligenceConfigs.get
  storage.intelligenceConfigs.update
storage.managedFolders.*
  storage.managedFolders.create
  storage.managedFolders.delete
  storage.managedFolders.get
  storage.managedFolders.getIamPolicy
  storage.managedFolders.list
  storage.managedFolders.setIamPolicy
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.*
  storage.objects.create
  storage.objects.createContext
  storage.objects.delete
  storage.objects.deleteContext
  storage.objects.get
  storage.objects.getIamPolicy
  storage.objects.list
  storage.objects.move
  storage.objects.overrideUnlockedRetention
  storage.objects.restore
  storage.objects.setIamPolicy
  storage.objects.setRetention
  storage.objects.update
  storage.objects.updateContext
storagebatchoperations.*
  storagebatchoperations.bucketOperations.get
  storagebatchoperations.bucketOperations.list
  storagebatchoperations.jobs.cancel
  storagebatchoperations.jobs.create
  storagebatchoperations.jobs.delete
  storagebatchoperations.jobs.get
  storagebatchoperations.jobs.list
  storagebatchoperations.locations.get
  storagebatchoperations.locations.list
  storagebatchoperations.operations.cancel
  storagebatchoperations.operations.delete
  storagebatchoperations.operations.get
  storagebatchoperations.operations.list
Storage Bucket Viewer (Beta)
(roles/storage.bucketViewer)
Grants permission to view buckets and their metadata, excluding IAM policies.
storage.buckets.get
storage.buckets.list
Storage Editor
(roles/storage.editor)
Editor role for storage
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.viewIntelligenceDetails
storage.featureConfigs.*
  storage.featureConfigs.create
  storage.featureConfigs.delete
  storage.featureConfigs.get
  storage.featureConfigs.list
  storage.featureConfigs.update
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.hmacKeys.*
  storage.hmacKeys.create
  storage.hmacKeys.delete
  storage.hmacKeys.get
  storage.hmacKeys.list
  storage.hmacKeys.update
storage.intelligenceConfigs.get
Storage Folder Admin
(roles/storage.folderAdmin)
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.managedFolders.*
  storage.managedFolders.create
  storage.managedFolders.delete
  storage.managedFolders.get
  storage.managedFolders.getIamPolicy
  storage.managedFolders.list
  storage.managedFolders.setIamPolicy
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.*
  storage.objects.create
  storage.objects.createContext
  storage.objects.delete
  storage.objects.deleteContext
  storage.objects.get
  storage.objects.getIamPolicy
  storage.objects.list
  storage.objects.move
  storage.objects.overrideUnlockedRetention
  storage.objects.restore
  storage.objects.setIamPolicy
  storage.objects.setRetention
  storage.objects.update
  storage.objects.updateContext
Storage Legacy Bucket Owner
(roles/storage.legacyBucketOwner)
Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.
Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
- Bucket
storage.anywhereCaches.*
  storage.anywhereCaches.create
  storage.anywhereCaches.disable
  storage.anywhereCaches.get
  storage.anywhereCaches.list
  storage.anywhereCaches.pause
  storage.anywhereCaches.resume
  storage.anywhereCaches.update
storage.bucketOperations.*
  storage.bucketOperations.cancel
  storage.bucketOperations.get
  storage.bucketOperations.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.managedFolders.*
  storage.managedFolders.create
  storage.managedFolders.delete
  storage.managedFolders.get
  storage.managedFolders.getIamPolicy
  storage.managedFolders.list
  storage.managedFolders.setIamPolicy
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.list
storage.objects.restore
storage.objects.setRetention
storage.objects.updateContext
Storage Legacy Bucket Reader
(roles/storage.legacyBucketReader)
Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
- Bucket
storage.buckets.get
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.list
Storage Legacy Bucket Writer
(roles/storage.legacyBucketWriter)
Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.
Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.
Lowest-level resources where you can grant this role:
- Bucket
storage.buckets.get
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Object Owner
(roles/storage.legacyObjectOwner)
Grants permission to view and edit objects and their metadata, including ACLs.
Lowest-level resources where you can grant this role:
- Bucket
storage.objects.createContext
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.overrideUnlockedRetention
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext
Storage Legacy Object Reader
(roles/storage.legacyObjectReader)
Grants permission to view objects and their metadata, excluding ACLs.
Lowest-level resources where you can grant this role:
- Bucket
storage.objects.get
Storage Object Admin
(roles/storage.objectAdmin)
Grants full control of objects, including listing, creating, viewing, and deleting objects.
Lowest-level resources where you can grant this role:
- Bucket
monitoring.timeSeries.create
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.*
  storage.objects.create
  storage.objects.createContext
  storage.objects.delete
  storage.objects.deleteContext
  storage.objects.get
  storage.objects.getIamPolicy
  storage.objects.list
  storage.objects.move
  storage.objects.overrideUnlockedRetention
  storage.objects.restore
  storage.objects.setIamPolicy
  storage.objects.setRetention
  storage.objects.update
  storage.objects.updateContext
Storage Object Creator
(roles/storage.objectCreator)
Allows users to create objects. Does not give permission to view, delete, or overwrite objects.
Lowest-level resources where you can grant this role:
- Bucket
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.create
storage.managedFolders.create
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
Storage Object User
(roles/storage.objectUser)
Access to create, read, update and delete objects and multipart uploads in GCS.
monitoring.timeSeries.create
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
  storage.folders.create
  storage.folders.delete
  storage.folders.get
  storage.folders.list
  storage.folders.rename
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.list
storage.objects.move
storage.objects.restore
storage.objects.update
storage.objects.updateContext
Storage Object Viewer
(roles/storage.objectViewer)
Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
Lowest-level resources where you can grant this role:
- Bucket
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Storage Viewer
(roles/storage.viewer)
Viewer role for storage
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.viewIntelligenceDetails
storage.featureConfigs.get
storage.featureConfigs.list
storage.folders.get
storage.folders.list
storage.hmacKeys.get
storage.hmacKeys.list
storage.intelligenceConfigs.get
Storage Annotation Generator Service (Beta)
(roles/storage.annotationGeneratorService)
Grants all permissions needed to generate annotations for objects in a bucket.
storage.objects.createContext
storage.objects.deleteContext
storage.objects.get
storage.objects.list
storage.objects.update
storage.objects.updateContext
Storage Express Mode Service Input (Beta)
(roles/storage.expressModeServiceInput)
Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.update
Storage Express Mode Service Output (Beta)
(roles/storage.expressModeServiceOutput)
Grants permission to Express Mode service accounts at a managed folder so they can read objects but not write them on output folders.
storage.objects.delete
storage.objects.get
storage.objects.list
Storage Express Mode User Access (Beta)
(roles/storage.expressModeUserAccess)
Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.
orgpolicy.policy.get
storage.buckets.get
storage.buckets.list
storage.multipartUploads.*
  storage.multipartUploads.abort
  storage.multipartUploads.create
  storage.multipartUploads.list
  storage.multipartUploads.listParts
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.restore
storage.objects.update
Storage HMAC Key Admin
(roles/storage.hmacKeyAdmin)
Full control of Cloud Storage HMAC keys.
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
  storage.hmacKeys.create
  storage.hmacKeys.delete
  storage.hmacKeys.get
  storage.hmacKeys.list
  storage.hmacKeys.update
Storage Insights Collector Service
(roles/storage.insightsCollectorService)
Read-only access to Cloud Storage Inventory metadata for Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.buckets.getObjectInsights