IAM permissions for Cloud Storage MCP server methods

The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage MCP server method. IAM permissions are bundled together to make roles. You grant roles to users and groups.

Method	Required IAM Permissions
`create_bucket`	`mcp.tools.call` `storage.buckets.create`
`get_object_metadata`	`mcp.tools.call` `storage.objects.get`
`list_buckets`	`mcp.tools.call` `storage.buckets.list`
`list_objects`	`mcp.tools.call` `storage.objects.list`
`read_object`	`mcp.tools.call` `storage.objects.get`
`read_text`	`mcp.tools.call` `storage.objects.get`
`write_text`	`mcp.tools.call` `storage.objects.create`

What's next

For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage.
Assign IAM roles at the project and bucket level.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-04-20 UTC.