Storage Transfer Service uses a Google-managed service account, known as a service agent, to move data from a Cloud Storage source bucket. This service agent is created the first time that you call googleServiceAccounts.get.
The source bucket does not need to belong to the same project as the service agent. The steps are the same regardless of which project the bucket is in.
User permissions
In order to grant the required permissions to the service agent, you must have the relevant permissions on the source bucket:
- storage.buckets.getIamPolicy
- storage.buckets.setIamPolicy
The Storage Legacy Bucket Owner role (roles/storage.legacyBucketOwner) or the Storage Admin role (roles/storage.admin) provides the required permissions.
Auto-granting permissions in the Google Cloud console
If you're using the Google Cloud console to create your transfer, and have the permissions listed in User permissions, the service agent will automatically be granted the required permissions on your source bucket.
You can skip the steps on this page and go directly to creating a transfer.
Required permissions
The service agent must have the following permissions for the source bucket:
| Permission | Description |
|---|---|
| storage.buckets.get | Allows the service agent to get the location of the bucket. |
| storage.objects.list | Allows the service agent to list objects in the bucket. |
| storage.objects.get | Allows the service agent to read objects in the bucket. |
| storage.objects.create | Allows the service agent to create objects in the bucket. Required if the transfer is to a file system. Storage Transfer Service creates and populates two folders in the source bucket: |
| storage.objects.delete | Allows the service agent to delete objects in the bucket. Required if you set deleteObjectsFromSourceAfterTransfer to true. |
The following predefined roles together grant the required permissions:
- One of:
  - Storage Object Viewer (roles/storage.objectViewer) if the transfer is to another Cloud Storage bucket.
  - Storage Object Creator (roles/storage.objectCreator) if the transfer is to a file system.
- Plus one of:
  - Storage Legacy Bucket Writer (roles/storage.legacyBucketWriter) if object delete permission is required.
  - Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) if object delete permission is not required.
Any Cloud Storage role marked as a legacy role can only be granted at the bucket level.
For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.
When ACL_PRESERVE is set, the service agent additionally needs the Storage Legacy Object Owner role (roles/storage.legacyObjectOwner) on the source objects, because preserving object ACLs requires the storage.objects.getIamPolicy permission on each source object. Grant this role to the service agent manually.
Grant the required permissions
To grant the required permissions to the service agent, follow the steps below.
Find the service agent's email
- Go to the googleServiceAccounts.get reference page. An interactive panel opens, titled Try this method.
- In the panel, under Request parameters, enter your project ID. The project you specify here must be the project you're using to manage Storage Transfer Service, which might be different from the source bucket's project.
- Click Execute. Your service agent's email is returned as the value of accountEmail. Copy this value. The service agent's email uses the format project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com.
Add the service agent to a bucket-level policy
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
- Click the Bucket overflow menu associated with the bucket to which you want to grant a principal a role.
- Choose Edit access.
- Click the + Add principal button.
- In the New principals field, enter your service agent's account email.
- Select Storage Object Viewer or Storage Object Creator from the Select a role drop-down menu.
- Click Add another role.
- Select either Storage Legacy Bucket Writer or Storage Legacy Bucket Reader.
- Click Save.
gcloud
Use the gcloud storage buckets add-iam-policy-binding command:

```sh
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME \
  --member=serviceAccount:YOUR_AGENT_EMAIL \
  --role=roles/storage.objectViewer

gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME \
  --member=serviceAccount:YOUR_AGENT_EMAIL \
  --role=roles/storage.legacyBucketReader
```

Where:
- BUCKET_NAME is the name of the bucket you are granting the principal access to. For example, my-bucket.
- YOUR_AGENT_EMAIL is the agent account email you copied in Find the service agent's email.
Code samples
Code samples are available for the Cloud Storage client libraries in C++, C#, Go, Java, Node.js, PHP, Python, and Ruby. To learn how to install and use the client library for Cloud Storage, see Cloud Storage client libraries. For more information, see the Cloud Storage API reference documentation for your language.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
JSON
- Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
- Create a JSON file that contains the following information:

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["serviceAccount:YOUR_AGENT_EMAIL"]
    },
    {
      "role": "roles/storage.legacyBucketReader",
      "members": ["serviceAccount:YOUR_AGENT_EMAIL"]
    }
  ]
}
```

  Where YOUR_AGENT_EMAIL is the agent account email you copied in Find the service agent's email.
- Use cURL to call the JSON API with a PUT setIamPolicy request:

```sh
curl -X PUT --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"
```

  Where:
  - JSON_FILE_NAME is the path for the file that you created in Step 2.
  - OAUTH2_TOKEN is the access token you generated in Step 1.
  - BUCKET_NAME is the name of the bucket to which you want to give the principal access. For example, my-bucket.
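The following Python script is an added example and is not code from the Storage Transfer Service documentation or from the Cloud Storage client libraries. It ties together the role-selection rules given under Required permissions and the JSON setIamPolicy step above: it checks that the principal being granted access matches the service agent email format the page gives, picks the predefined roles for the transfer type, and merges the bindings into an existing bucket policy rather than sending only the two new bindings. That last point matters because a PUT to the bucket's iam resource replaces the whole policy, so a body containing only the agent's bindings would silently strip every other grant on the bucket. The policy shape ({"bindings": [...], "etag": ...}) is what a GET on that same resource returns; AGENT_EMAIL, SAMPLE_POLICY and all helper names are constructed for this example and are not on the page.

```python
"""Added example (not code from the Storage Transfer Service documentation):
work out which predefined roles the service agent needs, confirm the principal
really is the service agent, and merge the bindings into an existing bucket
IAM policy without dropping other grants.

Assumptions (not stated on the page): the policy dict has the shape returned by
GET https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam, i.e.
{"bindings": [...], "etag": ...}; SAMPLE_POLICY and AGENT_EMAIL below are
constructed; all helper names are hypothetical.
"""
import copy
import json
import re

# E-mail format the page gives for the service agent.
_AGENT_RE = re.compile(
    r"^project-\d+@storage-transfer-service\.iam\.gserviceaccount\.com$"
)

# Constructed sample: the accountEmail value googleServiceAccounts.get returns.
AGENT_EMAIL = "project-123456789012@storage-transfer-service.iam.gserviceaccount.com"

# Constructed sample bucket policy: an existing admin grant and a conditional
# Object Viewer grant that must both survive the update.
SAMPLE_POLICY = {
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        {
            "role": "roles/storage.objectViewer",
            "members": ["group:auditors@example.com"],
            "condition": {
                "title": "expires-2030",
                "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")',
            },
        },
    ],
}


def is_transfer_service_agent(email):
    """True only for the project-PROJECT_NUMBER@storage-transfer-service...
    format, so a lookalike account is never granted bucket access."""
    return _AGENT_RE.match(email) is not None


def required_roles(destination, delete_from_source, preserve_acl=False):
    """Apply the page's role rules. destination is "gcs" (another Cloud
    Storage bucket) or "filesystem"."""
    if destination == "gcs":
        roles = {"roles/storage.objectViewer"}
    elif destination == "filesystem":
        roles = {"roles/storage.objectCreator"}
    else:
        raise ValueError("destination must be 'gcs' or 'filesystem'")
    # Delete permission only when deleteObjectsFromSourceAfterTransfer is true.
    roles.add("roles/storage.legacyBucketWriter" if delete_from_source
              else "roles/storage.legacyBucketReader")
    if preserve_acl:  # ACL_PRESERVE needs storage.objects.getIamPolicy
        roles.add("roles/storage.legacyObjectOwner")
    return roles


def merge_bindings(policy, member, roles):
    """Return a copy of policy with member added under each role.

    PUT .../b/BUCKET_NAME/iam replaces the whole policy, so the body sent
    must carry the existing bindings as well as the new ones, plus the etag
    so a concurrent change is rejected instead of overwritten. Conditional
    bindings are left untouched: the agent is added only to an unconditional
    binding for the role, creating one if none exists.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    unconditional = {b["role"]: b for b in bindings if "condition" not in b}
    for role in sorted(roles):
        binding = unconditional.get(role)
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
            unconditional[role] = binding
        if member not in binding["members"]:
            binding["members"].append(member)
    return new_policy


def plan_policy(policy, agent_email, destination, delete_from_source,
                preserve_acl=False):
    """Validate the agent e-mail, then build the policy body to PUT."""
    if not is_transfer_service_agent(agent_email):
        raise ValueError("not a Storage Transfer Service agent: " + agent_email)
    member = "serviceAccount:" + agent_email
    return merge_bindings(
        policy, member, required_roles(destination, delete_from_source, preserve_acl))


if __name__ == "__main__":
    # Bucket-to-bucket transfer, no source deletion: Object Viewer + Legacy Bucket Reader.
    print(json.dumps(plan_policy(SAMPLE_POLICY, AGENT_EMAIL, "gcs", False), indent=2))
```

The output of plan_policy is the document to send as the body of the PUT request in the JSON steps above, in place of a hand-written file. Running merge_bindings a second time with the same member and roles returns an identical policy, so re-running the grant after a failed or interrupted transfer setup is safe.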