roles/storage.objectAdmin
Grants full control over objects, including listing, creating, viewing, and deleting objects.
Storage Object Admin
['monitoring.timeSeries.create', 'orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.list', 'storage.objects.move', 'storage.objects.overrideUnlockedRetention', 'storage.objects.restore', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.objectViewer
Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
Storage Object Viewer
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.get', 'storage.folders.list', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.objects.get', 'storage.objects.list']
GA
roles/storage.legacyBucketWriter
Grants permission to create, replace, and delete objects; list objects in a bucket; read object metadata when listing (excluding IAM policies); and read bucket metadata, excluding IAM policies.
Storage Legacy Bucket Writer
['storage.buckets.get', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.list', 'storage.objects.restore', 'storage.objects.setRetention']
GA
roles/storagetransfer.transferAgent
Perform transfers from an agent.
Storage Transfer Agent
['logging.logEntries.create', 'monitoring.timeSeries.create', 'pubsub.subscriptions.consume', 'pubsub.subscriptions.create', 'pubsub.subscriptions.delete', 'pubsub.subscriptions.get', 'pubsub.topics.attachSubscription', 'pubsub.topics.create', 'pubsub.topics.get', 'pubsub.topics.list', 'pubsub.topics.publish', 'storagetransfer.agentpools.report', 'storagetransfer.operations.assign', 'storagetransfer.operations.get', 'storagetransfer.operations.report']
GA
roles/storagetransfer.viewer
Read access to storage transfer jobs and operations.
Storage Transfer Viewer
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storagetransfer.agentpools.get', 'storagetransfer.agentpools.list', 'storagetransfer.jobs.get', 'storagetransfer.jobs.list', 'storagetransfer.operations.get', 'storagetransfer.operations.list', 'storagetransfer.projects.getServiceAccount']
GA
roles/storage.folderAdmin
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
Storage Folder Admin
['orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.getIamPolicy', 'storage.managedFolders.list', 'storage.managedFolders.setIamPolicy', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.list', 'storage.objects.move', 'storage.objects.overrideUnlockedRetention', 'storage.objects.restore', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.insightsCollectorService
Grants read access to object metadata in inventory reports.
Storage Insights Collector Service
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.buckets.get', 'storage.buckets.getObjectInsights']
GA
roles/storage.expressModeServiceOutput
Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.
Storage Express Mode Service Output
['storage.objects.delete', 'storage.objects.get', 'storage.objects.list']
BETA
roles/storageinsights.analyst
Data access to Storage Insights.
Storage Insights Analyst
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storageinsights.datasetConfigs.get', 'storageinsights.datasetConfigs.linkDataset', 'storageinsights.datasetConfigs.list', 'storageinsights.datasetConfigs.unlinkDataset', 'storageinsights.locations.get', 'storageinsights.locations.list', 'storageinsights.operations.get', 'storageinsights.operations.list', 'storageinsights.reportConfigs.get', 'storageinsights.reportConfigs.list', 'storageinsights.reportDetails.get', 'storageinsights.reportDetails.list']
GA
roles/storage.legacyBucketOwner
Grants permission to create, replace, and delete objects; list objects in a bucket; create, delete, and list tag bindings; read object metadata when listing (excluding IAM policies); and read and edit bucket metadata, including IAM policies.
Storage Legacy Bucket Owner
['storage.anywhereCaches.create', 'storage.anywhereCaches.disable', 'storage.anywhereCaches.get', 'storage.anywhereCaches.list', 'storage.anywhereCaches.pause', 'storage.anywhereCaches.resume', 'storage.anywhereCaches.update', 'storage.bucketOperations.cancel', 'storage.bucketOperations.get', 'storage.bucketOperations.list', 'storage.buckets.createTagBinding', 'storage.buckets.deleteTagBinding', 'storage.buckets.enableObjectRetention', 'storage.buckets.get', 'storage.buckets.getIamPolicy', 'storage.buckets.getIpFilter', 'storage.buckets.listEffectiveTags', 'storage.buckets.listTagBindings', 'storage.buckets.relocate', 'storage.buckets.restore', 'storage.buckets.setIamPolicy', 'storage.buckets.setIpFilter', 'storage.buckets.update', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.getIamPolicy', 'storage.managedFolders.list', 'storage.managedFolders.setIamPolicy', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.list', 'storage.objects.restore', 'storage.objects.setRetention']
GA
roles/storage.bucketViewer
Grants permission to view buckets and their metadata, excluding IAM policies.
Storage Bucket Viewer
['storage.buckets.get', 'storage.buckets.list']
BETA
roles/storagetransfer.user
Create and update storage transfer jobs and operations.
Storage Transfer User
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storagetransfer.agentpools.create', 'storagetransfer.agentpools.get', 'storagetransfer.agentpools.list', 'storagetransfer.agentpools.report', 'storagetransfer.agentpools.update', 'storagetransfer.jobs.create', 'storagetransfer.jobs.get', 'storagetransfer.jobs.list', 'storagetransfer.jobs.run', 'storagetransfer.jobs.update', 'storagetransfer.operations.assign', 'storagetransfer.operations.cancel', 'storagetransfer.operations.get', 'storagetransfer.operations.list', 'storagetransfer.operations.pause', 'storagetransfer.operations.report', 'storagetransfer.operations.resume', 'storagetransfer.projects.getServiceAccount']
GA
roles/storage.expressModeUserAccess
Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.
Storage Express Mode User Access
['orgpolicy.policy.get', 'storage.buckets.get', 'storage.buckets.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.list', 'storage.objects.restore', 'storage.objects.update']
BETA
roles/storageinsights.viewer
Read-only access to Storage Insights resources.
Storage Insights Viewer
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storageinsights.datasetConfigs.get', 'storageinsights.datasetConfigs.list', 'storageinsights.locations.get', 'storageinsights.locations.list', 'storageinsights.operations.get', 'storageinsights.operations.list', 'storageinsights.reportConfigs.get', 'storageinsights.reportConfigs.list', 'storageinsights.reportDetails.get', 'storageinsights.reportDetails.list']
GA
roles/storage.legacyObjectReader
Grants permission to view objects and their metadata, excluding ACLs.
Storage Legacy Object Reader
['storage.objects.get']
GA
roles/storage.admin
Grants full control of buckets and objects.
Storage Admin
['cloudkms.keyHandles.create', 'cloudkms.keyHandles.get', 'cloudkms.keyHandles.list', 'cloudkms.operations.get', 'cloudkms.projects.showEffectiveAutokeyConfig', 'firebase.projects.get', 'monitoring.timeSeries.create', 'orgpolicy.policy.get', 'recommender.iamPolicyInsights.get', 'recommender.iamPolicyInsights.list', 'recommender.iamPolicyInsights.update', 'recommender.iamPolicyRecommendations.get', 'recommender.iamPolicyRecommendations.list', 'recommender.iamPolicyRecommendations.update', 'recommender.storageBucketSoftDeleteInsights.get', 'recommender.storageBucketSoftDeleteInsights.list', 'recommender.storageBucketSoftDeleteInsights.update', 'recommender.storageBucketSoftDeleteRecommendations.get', 'recommender.storageBucketSoftDeleteRecommendations.list', 'recommender.storageBucketSoftDeleteRecommendations.update', 'resourcemanager.hierarchyNodes.listEffectiveTags', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.anywhereCaches.create', 'storage.anywhereCaches.disable', 'storage.anywhereCaches.get', 'storage.anywhereCaches.list', 'storage.anywhereCaches.pause', 'storage.anywhereCaches.resume', 'storage.anywhereCaches.update', 'storage.bucketOperations.cancel', 'storage.bucketOperations.get', 'storage.bucketOperations.list', 'storage.buckets.create', 'storage.buckets.createTagBinding', 'storage.buckets.delete', 'storage.buckets.deleteTagBinding', 'storage.buckets.enableObjectRetention', 'storage.buckets.get', 'storage.buckets.getIamPolicy', 'storage.buckets.getIpFilter', 'storage.buckets.getObjectInsights', 'storage.buckets.list', 'storage.buckets.listEffectiveTags', 'storage.buckets.listTagBindings', 'storage.buckets.relocate', 'storage.buckets.restore', 'storage.buckets.setIamPolicy', 'storage.buckets.setIpFilter', 'storage.buckets.update', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.intelligenceConfigs.get', 'storage.intelligenceConfigs.update', 
'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.getIamPolicy', 'storage.managedFolders.list', 'storage.managedFolders.setIamPolicy', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.list', 'storage.objects.move', 'storage.objects.overrideUnlockedRetention', 'storage.objects.restore', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.objectUser
Access to create, read, update and delete objects and multipart uploads in GCS.
Storage Object User
['monitoring.timeSeries.create', 'orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.list', 'storage.objects.move', 'storage.objects.restore', 'storage.objects.update']
GA
roles/storagetransfer.serviceAgent
Grants Storage Transfer Service Agent permissions required to run transfers.
Storage Transfer Service Agent
['pubsub.subscriptions.consume', 'pubsub.subscriptions.create', 'pubsub.subscriptions.delete', 'pubsub.subscriptions.get', 'pubsub.subscriptions.update', 'pubsub.topics.attachSubscription', 'pubsub.topics.create', 'pubsub.topics.delete', 'pubsub.topics.get', 'pubsub.topics.publish', 'pubsub.topics.update']
GA
roles/storage.legacyObjectOwner
Grants permission to view and edit objects and their metadata, including ACLs.
Storage Legacy Object Owner
['storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.overrideUnlockedRetention', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.hmacKeyAdmin
Grants full control over HMAC keys in a project.
Storage HMAC Key Admin
['firebase.projects.get', 'orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.hmacKeys.create', 'storage.hmacKeys.delete', 'storage.hmacKeys.get', 'storage.hmacKeys.list', 'storage.hmacKeys.update']
GA
roles/storage.expressModeServiceInput
Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.
Storage Express Mode Service Input
['storage.objects.create', 'storage.objects.delete', 'storage.objects.list', 'storage.objects.update']
BETA
roles/storage.legacyBucketReader
Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata when listing objects (excluding IAM policies).
Storage Legacy Bucket Reader
['storage.buckets.get', 'storage.folders.get', 'storage.folders.list', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.list', 'storage.objects.list']
GA
roles/storageinsights.admin
Full access to Storage Insights resources.
Storage Insights Admin
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storageinsights.datasetConfigs.create', 'storageinsights.datasetConfigs.delete', 'storageinsights.datasetConfigs.get', 'storageinsights.datasetConfigs.linkDataset', 'storageinsights.datasetConfigs.list', 'storageinsights.datasetConfigs.unlinkDataset', 'storageinsights.datasetConfigs.update', 'storageinsights.locations.get', 'storageinsights.locations.list', 'storageinsights.operations.cancel', 'storageinsights.operations.delete', 'storageinsights.operations.get', 'storageinsights.operations.list', 'storageinsights.reportConfigs.create', 'storageinsights.reportConfigs.delete', 'storageinsights.reportConfigs.get', 'storageinsights.reportConfigs.list', 'storageinsights.reportConfigs.update', 'storageinsights.reportDetails.get', 'storageinsights.reportDetails.list']
GA
roles/storagetransfer.admin
Create, update and manage transfer jobs and operations.
Storage Transfer Admin
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storagetransfer.agentpools.create', 'storagetransfer.agentpools.delete', 'storagetransfer.agentpools.get', 'storagetransfer.agentpools.list', 'storagetransfer.agentpools.report', 'storagetransfer.agentpools.update', 'storagetransfer.jobs.create', 'storagetransfer.jobs.delete', 'storagetransfer.jobs.get', 'storagetransfer.jobs.list', 'storagetransfer.jobs.run', 'storagetransfer.jobs.update', 'storagetransfer.operations.assign', 'storagetransfer.operations.cancel', 'storagetransfer.operations.get', 'storagetransfer.operations.list', 'storagetransfer.operations.pause', 'storagetransfer.operations.report', 'storagetransfer.operations.resume', 'storagetransfer.projects.getServiceAccount']
GA
roles/storage.objectCreator
Allows users to create objects. Does not give permission to view, delete, or replace objects.
Storage Object Creator
['orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.managedFolders.create', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.listParts', 'storage.objects.create']
GA
roles/storageinsights.serviceAgent
Permissions for Insights to write reports into customer project.
StorageInsights Service Agent
['bigquery.datasets.create', 'serviceusage.services.use', 'storageinsights.reportDetails.list']
GA