Predefined roles
The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Storage and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to projects, buckets, or managed folders.
To learn how to control access to buckets, see use IAM permissions. To learn how to control access to managed folders, see use IAM for managed folders.
Role | Description | Permissions |
---|---|---|
Storage Object Creator
(roles/storage.objectCreator ) |
Allows users to create objects, folders, and managed folders. Does not give permission to view, delete, or replace objects. Does not give permission to get object access control lists (ACLs) or set object ACLs as part of an object update request. | orgpolicy.policy.get 1resourcemanager.projects.get 2resourcemanager.projects.list 2storage.objects.create storage.folders.create storage.managedFolders.create storage.multipartUploads.create storage.multipartUploads.abort storage.multipartUploads.listParts |
Storage Object Viewer
(roles/storage.objectViewer ) |
Grants access to view objects and their metadata,
excluding ACLs. Can also list the objects, folders, and managed folders in a bucket. |
resourcemanager.projects.get 2resourcemanager.projects.list 2storage.folders.get storage.folders.list storage.managedFolders.get storage.managedFolders.list storage.objects.get storage.objects.list |
Storage Object User
(roles/storage.objectUser ) |
Grants access to create, view, list, update, and delete objects, folders, and managed folders, along with their metadata. Does not give permission to get or set ACLs or IAM policies. | orgpolicy.policy.get 1resourcemanager.projects.get 2resourcemanager.projects.list 2storage.folders.* storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.list storage.managedFolders.get storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.restore storage.objects.update |
Storage Object Admin
(roles/storage.objectAdmin ) |
Grants full control over objects and folders, including listing, creating, viewing, renaming, and deleting objects and folders, as well as setting object ACLs. Also grants access to create, delete, get, and list managed folders. | orgpolicy.policy.get 1resourcemanager.projects.get 2resourcemanager.projects.list 2storage.folders.* storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.objects.* storage.multipartUploads.* |
Storage Folder Admin
(roles/storage.folderAdmin ) |
Grants full control over objects, folders, and managed folders, including listing, creating, viewing, deleting, and managing IAM permissions. | orgpolicy.policy.get 1resourcemanager.projects.get 2resourcemanager.projects.list 2storage.folders.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Storage HMAC Key Admin
(roles/storage.hmacKeyAdmin ) |
Full control over HMAC keys in a project. This role can only be applied to a project. | orgpolicy.policy.get 1storage.hmacKeys.* |
Storage Admin (roles/storage.admin ) |
Grants full control of buckets, folders, managed folders, Recommender recommendations, and objects, including getting and setting object ACLs or IAM policies. Also grants full control of long-running operations. When applied to an individual bucket, control applies only to the specified bucket and the managed folders, objects, and long-running operations within the bucket. |
firebase.projects.get orgpolicy.policy.get 1resourcemanager.projects.get 2resourcemanager.projects.list 2storage.buckets.* storage.bucketOperations.* storage.folders.* storage.managedFolders.* storage.objects.* storage.multipartUploads.* recommender.storageBucketSoftDeleteInsights.* recommender.storageBucketSoftDeleteRecommendations.* |
Storage Insights Admin (roles/storageinsights.admin ) |
Grants full control of Storage Insights inventory reports and configurations. | cloudresourcemanager.projects.get cloudresourcemanager.projects.list storageinsights.reportConfigs.* storageinsights.reportDetails.* |
Storage Insights Viewer (roles/storageinsights.viewer ) |
Grants read-only access to Storage Insights inventory reports and configurations. | cloudresourcemanager.projects.get cloudresourcemanager.projects.list storageinsights.reportConfigs.list storageinsights.reportConfigs.get storageinsights.reportDetails.list storageinsights.reportDetails.get |
Storage Insights Collector Service (roles/storage.insightsCollectorService ) |
Grants read access to object metadata in inventory reports. | resourcemanager.projects.get resourcemanager.projects.list storage.buckets.getObjectInsights storage.buckets.get |
1 The orgpolicy.policy.get
permission allows principals
to know the organization policy constraints that a project is subject to.
This permission is currently only effective if the role is
granted at the project level or above.
2 For more information about the
resourcemanager.projects.*
permissions, see
Access control for projects with IAM.
Basic roles
Basic roles are roles that existed prior to IAM. These roles have unique characteristics:
Basic roles can only be granted for an entire project, not for individual buckets within the project. Like other roles that you grant for a project, basic roles apply to all buckets and objects in the project.
Basic roles contain additional permissions for other Google Cloud services that are not covered in this section. See basic roles for a general discussion of the permissions that basic roles grant.
Each basic role has a convenience value that lets you use the basic role as if it were a group. When used in this way, any principal that has the basic role is considered to be part of the group. Everyone in the group gets additional access for resources based on the access the convenience value has.
Convenience values can be used when granting roles for buckets.
Convenience values can be used when setting ACLs on objects.
Basic roles don't intrinsically give all of the access to Cloud Storage resources that their names imply. Instead, they give a portion of the expected access intrinsically and the rest of the expected access through the use of convenience values. Because convenience values can be manually added or removed like any other IAM principal, it is possible to revoke access that principals might otherwise expect to have.
For a discussion of additional access that principals with basic roles typically gain due to convenience values, see modifiable behavior.
Intrinsic permissions
The following table describes the Cloud Storage permissions that are always associated with each basic role.
Role | Description | Cloud Storage Permissions |
---|---|---|
Viewer (roles/viewer ) |
Grants permission to list buckets in the project; view bucket metadata when listing (excluding ACLs); and list and get HMAC keys in the project. | storage.buckets.getIpFilter storage.buckets.list storage.hmacKeys.get storage.hmacKeys.list |
Editor (roles/editor ) |
Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project. | storage.buckets.create storage.buckets.delete storage.buckets.list storage.hmacKeys.* |
Owner (roles/owner ) |
Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); create, delete, and list tag bindings; and control HMAC keys in the project. Within Google Cloud more generally, principals with this role can perform administrative tasks such as changing principals' roles for the project or changing billing. |
storage.buckets.create storage.buckets.delete storage.buckets.list storage.buckets.createTagBinding storage.buckets.deleteTagBinding storage.buckets.listEffectiveTags storage.buckets.listTagBindings storage.buckets.setIpFilter storage.hmacKeys.* |
Modifiable behavior
Principals granted basic roles often have additional access to a project's buckets and objects due to convenience values. When a bucket is created, convenience values are granted certain bucket-level access, but you can later edit your bucket IAM policies and your object ACLs to remove or change the access.
When you create a bucket that has uniform bucket-level access enabled, the following access is granted via convenience values:
Principals granted
roles/viewer
gain theroles/storage.legacyBucketReader
androles/storage.legacyObjectReader
roles for the bucket.Principals granted
roles/editor
gain theroles/storage.legacyBucketOwner
androles/storage.legacyObjectOwner
roles for the bucket.Principals granted
roles/owner
gain theroles/storage.legacyBucketOwner
androles/storage.legacyObjectOwner
roles for the bucket.
When you create a bucket that does not have uniform bucket-level access enabled, the following access is granted using convenience values:
Principals granted
roles/viewer
gain theroles/storage.legacyBucketReader
role for the bucket.Principals granted
roles/editor
gain theroles/storage.legacyBucketOwner
role for the bucket.Principals granted
roles/owner
gain theroles/storage.legacyBucketOwner
role for the bucket.Additionally, the bucket has a default object Access Control List (ACL). This default ACL is often applied to new objects in the bucket and often grants additional access to convenience values.
Predefined legacy roles
The following table lists IAM roles that are equivalent to Access Control List (ACL) permissions. You can grant legacy roles only for individual buckets, not for projects.
Role | Description | Permissions |
---|---|---|
Storage Legacy Object Reader
(roles/storage.legacyObjectReader ) |
Grants permission to view objects and their metadata, excluding ACLs. | storage.objects.get |
Storage Legacy Object Owner
(roles/storage.legacyObjectOwner ) |
Grants permission to view and edit objects and their metadata, including ACLs. | storage.objects.get storage.objects.update storage.objects.setRetention storage.objects.overrideUnlockedRetention storage.objects.setIamPolicy storage.objects.getIamPolicy |
Storage Legacy Bucket Reader
(roles/storage.legacyBucketReader ) |
Grants permission to list a bucket's contents and read bucket
metadata, excluding IAM policies. Also grants permission
to read object metadata when listing objects and managed folders (excluding
IAM policies).
Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information. |
storage.buckets.get storage.objects.list storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.list |
Storage Legacy Bucket Writer
(roles/storage.legacyBucketWriter ) |
Grants permission to create, replace, list, and delete objects and
managed folders; create objects that have a retention configuration;
read object and managed folder metadata when listing (excluding
IAM policies); and read bucket metadata, excluding
IAM policies.
Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information. |
storage.buckets.get storage.objects.list storage.objects.create storage.objects.delete storage.objects.restore storage.objects.setRetention storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* |
Storage Legacy Bucket Owner
(roles/storage.legacyBucketOwner ) |
Grants permission to create, replace, list, and delete objects and
managed folders; create objects that have a retention configuration;
create, delete, and list tag bindings; read object metadata when listing
(excluding IAM policies); read managed folder metadata
when listing (including IAM policies); read and edit
bucket metadata (including IAM policies); and manage
long-running operations.
Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information. |
storage.buckets.get storage.buckets.createTagBinding storage.buckets.deleteTagBinding storage.buckets.listEffectiveTags storage.buckets.listTagBindings storage.buckets.update storage.buckets.enableObjectRetention storage.buckets.restore storage.buckets.setIamPolicy storage.buckets.getIamPolicy storage.bucketOperations.* storage.managedFolders.* storage.objects.list storage.objects.create storage.objects.delete storage.objects.restore storage.objects.setRetention storage.multipartUploads.* |
Custom roles
You might want to define your own roles which contain bundles of permissions that you specify. To support this, IAM offers custom roles.
What's next
Use IAM permissions to control access to buckets and objects.
Learn about each IAM permission for Cloud Storage.
See available IAM references for Cloud Storage, such as which IAM permissions allow users to perform actions with various tools and APIs.
For a reference of other Google Cloud roles, see Understanding Roles.