IAM permissions for Cloud Storage
The following tables list the Identity and Access Management (IAM) permissions that are associated with Cloud Storage. IAM permissions are grouped into roles, and you assign roles to users and groups.
Bucket permissions

| Bucket permission name | Description |
| --- | --- |
| storage.buckets.create | Create new buckets in a project. |
| storage.buckets.createTagBinding | Create a new tag binding to a bucket. |
| storage.buckets.delete | Delete buckets. |
| storage.buckets.deleteTagBinding | Delete the tag binding on a bucket. |
| storage.buckets.enableObjectRetention | Enable object retention configurations on a bucket. |
| storage.buckets.exemptFromIpFilter | Exempt the user or service account from IP filtering rules for bucket-level operations. |
| storage.buckets.get | Read bucket metadata, including listing or reading the Pub/Sub notification configurations on a bucket. This permission alone does not allow you to read IAM policies or IP filtering rules. |
| storage.buckets.getIamPolicy | Read bucket IAM policies. |
| storage.buckets.getIpFilter | List or read the IP filtering rules on a bucket. |
| storage.buckets.getObjectInsights | Read object metadata in inventory reports and Storage Insights datasets. |
| storage.buckets.list | List buckets in a project, including reading bucket metadata. This permission alone does not allow you to list IAM policies or IP filtering rules. |
| storage.buckets.listEffectiveTags | List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project. |
| storage.buckets.listTagBindings | List tags directly attached to a bucket. |
| storage.buckets.relocate | Relocate buckets between geographic locations. |
| storage.buckets.restore | Bulk restore objects that have been soft-deleted. |
| storage.buckets.setIamPolicy | Update bucket IAM policies. |
| storage.buckets.setIpFilter | Set IP filtering rules on a bucket. |
| storage.buckets.update | Update bucket metadata, including adding or removing a Pub/Sub notification configuration on a bucket and reading bucket metadata during the update. This permission alone does not allow you to update IAM policies or IP filtering rules, or to read the IAM policies on a bucket during the update. |
 
 
Object permissions

Note: The storage.objects.getIamPolicy and storage.objects.setIamPolicy permissions don't apply to buckets with uniform bucket-level access enabled.

Note: In order to replace existing objects, both the storage.objects.create and storage.objects.delete permissions are required.

| Object permission name | Description |
| --- | --- |
| storage.objects.create | Add new objects to a bucket. |
| storage.objects.createContext | Attach contexts to an object. |
| storage.objects.delete | Delete objects. |
| storage.objects.deleteContext | Delete object contexts. |
| storage.objects.get | Read object data and metadata, excluding ACLs. This also returns any contexts attached to the object. |
| storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies. |
| storage.objects.list | List objects in a bucket. Also read object metadata, excluding ACLs, when listing. This also returns any contexts attached to the objects. |
| storage.objects.move | Move an object within a bucket with hierarchical namespace enabled. |
| storage.objects.overrideUnlockedRetention | Use the x-goog-bypass-governance-retention header or the overrideUnlockedRetention query parameter when working with object retention configurations. |
| storage.objects.restore | Restore objects that have been soft-deleted. |
| storage.objects.setIamPolicy | Update object ACLs. |
| storage.objects.setRetention | Add or update retentions for objects. |
| storage.objects.update | Update object metadata, excluding ACLs. Also read object metadata, excluding ACLs, when updating. |
| storage.objects.updateContext | Update object contexts. |
 
 
Folder permissions

Note: In order to rename folders, storage.folders.rename is required on the source bucket and storage.folders.create is required on the destination bucket.

| Folder permission name | Description |
| --- | --- |
| storage.folders.create | Create a folder. |
| storage.folders.delete | Delete a folder. |
| storage.folders.get | Read the metadata of a folder. |
| storage.folders.list | List folders. |
| storage.folders.rename | Rename a folder. |
 
 
Managed folder permissions

| Managed folder permission name | Description |
| --- | --- |
| storage.managedFolders.create | Create a managed folder. |
| storage.managedFolders.delete | Delete a managed folder. |
| storage.managedFolders.get | Read a managed folder. |
| storage.managedFolders.getIamPolicy | Read managed folder IAM policies. |
| storage.managedFolders.list | List the managed folders in a bucket or folder. |
| storage.managedFolders.setIamPolicy | Update managed folder IAM policies. |
 
 
Anywhere Cache permissions

| Anywhere Cache permission name | Description |
| --- | --- |
| storage.anywhereCaches.create | Create a cache using Anywhere Cache. |
| storage.anywhereCaches.list | List caches using Anywhere Cache. |
| storage.anywhereCaches.update | Update a cache using Anywhere Cache. |
| storage.anywhereCaches.get | Get the metadata of a cache using Anywhere Cache. |
| storage.anywhereCaches.pause | Pause a cache using Anywhere Cache. |
| storage.anywhereCaches.resume | Resume a cache using Anywhere Cache. |
| storage.anywhereCaches.disable | Disable a cache using Anywhere Cache. |
 
 
Storage Intelligence permissions

| Storage Intelligence permission name | Description |
| --- | --- |
| storage.intelligenceConfigs.update | Configure Storage Intelligence on a project, a folder, or an organization. |
| storage.intelligenceConfigs.get | Read the Storage Intelligence configuration on a project, a folder, or an organization. |
 
 
Storage Insights inventory report permissions

| Inventory report permission name | Description |
| --- | --- |
| storageinsights.reportConfigs.create | Create inventory report configurations. |
| storageinsights.reportConfigs.delete | Delete inventory report configurations. |
| storageinsights.reportConfigs.get | Retrieve inventory report configurations. |
| storageinsights.reportConfigs.list | List inventory report configurations. |
| storageinsights.reportConfigs.update | Modify inventory report configurations. |
| storageinsights.reportDetails.get | Retrieve inventory reports. |
| storageinsights.reportDetails.list | List inventory reports. |
 
 
Storage Insights dataset permissions

| Dataset permission name | Description |
| --- | --- |
| storageinsights.datasetConfigs.create | Create dataset configurations. |
| storageinsights.datasetConfigs.delete | Delete dataset configurations. |
| storageinsights.datasetConfigs.linkDataset | Create linked datasets in BigQuery that contain the output of Storage Insights datasets. |
| storageinsights.datasetConfigs.unlinkDataset | Remove linked datasets from BigQuery that contain the output of Storage Insights datasets. |
| storageinsights.datasetConfigs.update | Modify dataset configurations. |
| storageinsights.datasetConfigs.get | Get dataset configurations. |
| storageinsights.datasetConfigs.list | List dataset configurations. |
 
 
Storage batch operations permissions

| Storage batch operations permission name | Description |
| --- | --- |
| storagebatchoperations.jobs.create | Create storage batch operations jobs. |
| storagebatchoperations.jobs.cancel | Cancel storage batch operations jobs. |
| storagebatchoperations.jobs.delete | Delete storage batch operations jobs. |
| storagebatchoperations.jobs.get | Retrieve storage batch operations jobs. |
| storagebatchoperations.jobs.list | List storage batch operations jobs. |
| storagebatchoperations.operations.get | Retrieve storage batch operations. |
| storagebatchoperations.operations.list | List storage batch operations. |
| storagebatchoperations.operations.cancel | Cancel storage batch operations. |
 
 
Long-running operations permissions

| Long-running operation permission name | Description |
| --- | --- |
| storage.bucketOperations.cancel | Cancel a long-running operation. |
| storage.bucketOperations.get | Get a long-running operation. |
| storage.bucketOperations.list | List long-running operations. |
 
 
HMAC key permissions

Note: HMAC key permissions apply at the project level only.

| HMAC key permission name | Description |
| --- | --- |
| storage.hmacKeys.create | Create new HMAC keys for service accounts in a project. |
| storage.hmacKeys.delete | Delete existing HMAC keys. |
| storage.hmacKeys.get | Read HMAC key metadata. |
| storage.hmacKeys.list | List the metadata of HMAC keys in a project. |
| storage.hmacKeys.update | Update HMAC key status. |
 
 
Multipart upload permissions

Note: In order to create or upload parts, you must have both the storage.objects.create and storage.multipartUploads.create permissions.

| Multipart upload permission name | Description |
| --- | --- |
| storage.multipartUploads.create | Upload objects in multiple parts. |
| storage.multipartUploads.abort | Abort multipart upload sessions. |
| storage.multipartUploads.listParts | List the uploaded object parts in a multipart upload session. |
| storage.multipartUploads.list | List the multipart upload sessions in a bucket. |
 
What's next 
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-24 UTC.