roles/storage.objectAdmin
Grants full control over objects, including listing, creating, viewing, and deleting objects.
Storage Object Admin
['orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.list', 'storage.objects.overrideUnlockedRetention', 'storage.objects.restore', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.objectViewer
Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
Storage Object Viewer
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.get', 'storage.folders.list', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.objects.get', 'storage.objects.list']
GA
roles/storage.legacyBucketWriter
Grants permission to create, replace, and delete objects; list objects in a bucket; read object metadata when listing (excluding IAM policies); and read bucket metadata, excluding IAM policies.
Storage Legacy Bucket Writer
['storage.buckets.get', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.list', 'storage.objects.restore', 'storage.objects.setRetention']
GA
roles/storagetransfer.transferAgent
Perform transfers from an agent.
Storage Transfer Agent
['monitoring.timeSeries.create', 'pubsub.subscriptions.consume', 'pubsub.subscriptions.create', 'pubsub.subscriptions.delete', 'pubsub.subscriptions.get', 'pubsub.topics.attachSubscription', 'pubsub.topics.create', 'pubsub.topics.get', 'pubsub.topics.list', 'pubsub.topics.publish', 'storagetransfer.agentpools.report', 'storagetransfer.operations.assign', 'storagetransfer.operations.get', 'storagetransfer.operations.report']
GA
roles/storagetransfer.viewer
Read access to storage transfer jobs and operations.
Storage Transfer Viewer
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storagetransfer.agentpools.get', 'storagetransfer.agentpools.list', 'storagetransfer.jobs.get', 'storagetransfer.jobs.list', 'storagetransfer.operations.get', 'storagetransfer.operations.list', 'storagetransfer.projects.getServiceAccount']
GA
roles/storage.folderAdmin
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
Storage Folder Admin
['orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.getIamPolicy', 'storage.managedFolders.list', 'storage.managedFolders.setIamPolicy', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.list', 'storage.objects.overrideUnlockedRetention', 'storage.objects.restore', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.insightsCollectorService
Grants read access to object metadata in inventory reports.
Storage Insights Collector Service
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.buckets.get', 'storage.buckets.getObjectInsights']
GA
roles/storageinsights.analyst
Data access to Storage Insights.
Storage Insights Analyst
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storageinsights.datasetConfigs.get', 'storageinsights.datasetConfigs.linkDataset', 'storageinsights.datasetConfigs.list', 'storageinsights.datasetConfigs.unlinkDataset', 'storageinsights.locations.get', 'storageinsights.locations.list', 'storageinsights.operations.get', 'storageinsights.operations.list', 'storageinsights.reportConfigs.get', 'storageinsights.reportConfigs.list', 'storageinsights.reportDetails.get', 'storageinsights.reportDetails.list']
GA
roles/storage.legacyBucketOwner
Grants permission to create, replace, and delete objects; list objects in a bucket; create, delete, and list tag bindings; read object metadata when listing (excluding IAM policies); and read and edit bucket metadata, including IAM policies.
Storage Legacy Bucket Owner
['storage.bucketOperations.cancel', 'storage.bucketOperations.get', 'storage.bucketOperations.list', 'storage.buckets.createTagBinding', 'storage.buckets.deleteTagBinding', 'storage.buckets.enableObjectRetention', 'storage.buckets.get', 'storage.buckets.getIamPolicy', 'storage.buckets.listEffectiveTags', 'storage.buckets.listTagBindings', 'storage.buckets.restore', 'storage.buckets.setIamPolicy', 'storage.buckets.update', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.getIamPolicy', 'storage.managedFolders.list', 'storage.managedFolders.setIamPolicy', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.list', 'storage.objects.restore', 'storage.objects.setRetention']
GA
roles/storagetransfer.user
Create and update storage transfer jobs and operations.
Storage Transfer User
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storagetransfer.agentpools.create', 'storagetransfer.agentpools.get', 'storagetransfer.agentpools.list', 'storagetransfer.agentpools.report', 'storagetransfer.agentpools.update', 'storagetransfer.jobs.create', 'storagetransfer.jobs.get', 'storagetransfer.jobs.list', 'storagetransfer.jobs.run', 'storagetransfer.jobs.update', 'storagetransfer.operations.assign', 'storagetransfer.operations.cancel', 'storagetransfer.operations.get', 'storagetransfer.operations.list', 'storagetransfer.operations.pause', 'storagetransfer.operations.report', 'storagetransfer.operations.resume', 'storagetransfer.projects.getServiceAccount']
GA
roles/storageinsights.viewer
Read-only access to Storage Insights resources.
Storage Insights Viewer
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storageinsights.datasetConfigs.get', 'storageinsights.datasetConfigs.list', 'storageinsights.locations.get', 'storageinsights.locations.list', 'storageinsights.operations.get', 'storageinsights.operations.list', 'storageinsights.reportConfigs.get', 'storageinsights.reportConfigs.list', 'storageinsights.reportDetails.get', 'storageinsights.reportDetails.list']
GA
roles/storage.legacyObjectReader
Grants permission to view objects and their metadata, excluding ACLs.
Storage Legacy Object Reader
['storage.objects.get']
GA
roles/storage.admin
Grants full control of buckets and objects.
Storage Admin
['firebase.projects.get', 'orgpolicy.policy.get', 'recommender.iamPolicyInsights.get', 'recommender.iamPolicyInsights.list', 'recommender.iamPolicyInsights.update', 'recommender.iamPolicyRecommendations.get', 'recommender.iamPolicyRecommendations.list', 'recommender.iamPolicyRecommendations.update', 'recommender.storageBucketSoftDeleteInsights.get', 'recommender.storageBucketSoftDeleteInsights.list', 'recommender.storageBucketSoftDeleteInsights.update', 'recommender.storageBucketSoftDeleteRecommendations.get', 'recommender.storageBucketSoftDeleteRecommendations.list', 'recommender.storageBucketSoftDeleteRecommendations.update', 'resourcemanager.hierarchyNodes.listEffectiveTags', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.anywhereCaches.create', 'storage.anywhereCaches.disable', 'storage.anywhereCaches.get', 'storage.anywhereCaches.list', 'storage.anywhereCaches.pause', 'storage.anywhereCaches.resume', 'storage.anywhereCaches.update', 'storage.bucketOperations.cancel', 'storage.bucketOperations.get', 'storage.bucketOperations.list', 'storage.buckets.create', 'storage.buckets.createTagBinding', 'storage.buckets.delete', 'storage.buckets.deleteTagBinding', 'storage.buckets.enableObjectRetention', 'storage.buckets.get', 'storage.buckets.getIamPolicy', 'storage.buckets.getObjectInsights', 'storage.buckets.list', 'storage.buckets.listEffectiveTags', 'storage.buckets.listTagBindings', 'storage.buckets.restore', 'storage.buckets.setIamPolicy', 'storage.buckets.update', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.getIamPolicy', 'storage.managedFolders.list', 'storage.managedFolders.setIamPolicy', 'storage.managementHubs.get', 'storage.managementHubs.update', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 
'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.list', 'storage.objects.overrideUnlockedRetention', 'storage.objects.restore', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.objectUser
Access to create, read, update and delete objects and multipart uploads in GCS.
Storage Object User
['orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.folders.delete', 'storage.folders.get', 'storage.folders.list', 'storage.folders.rename', 'storage.managedFolders.create', 'storage.managedFolders.delete', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.list', 'storage.multipartUploads.listParts', 'storage.objects.create', 'storage.objects.delete', 'storage.objects.get', 'storage.objects.list', 'storage.objects.restore', 'storage.objects.update']
GA
roles/storagetransfer.serviceAgent
Grants Storage Transfer Service Agent permissions required to run transfers.
Storage Transfer Service Agent
['pubsub.subscriptions.consume', 'pubsub.subscriptions.create', 'pubsub.subscriptions.delete', 'pubsub.subscriptions.get', 'pubsub.subscriptions.update', 'pubsub.topics.attachSubscription', 'pubsub.topics.create', 'pubsub.topics.delete', 'pubsub.topics.get', 'pubsub.topics.publish', 'pubsub.topics.update']
GA
roles/storage.legacyObjectOwner
Grants permission to view and edit objects and their metadata, including ACLs.
Storage Legacy Object Owner
['storage.objects.get', 'storage.objects.getIamPolicy', 'storage.objects.overrideUnlockedRetention', 'storage.objects.setIamPolicy', 'storage.objects.setRetention', 'storage.objects.update']
GA
roles/storage.hmacKeyAdmin
Grants full control over HMAC keys in a project.
Storage HMAC Key Admin
['firebase.projects.get', 'orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.hmacKeys.create', 'storage.hmacKeys.delete', 'storage.hmacKeys.get', 'storage.hmacKeys.list', 'storage.hmacKeys.update']
GA
roles/storage.legacyBucketReader
Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata when listing objects (excluding IAM policies).
Storage Legacy Bucket Reader
['storage.buckets.get', 'storage.folders.get', 'storage.folders.list', 'storage.managedFolders.get', 'storage.managedFolders.list', 'storage.multipartUploads.list', 'storage.objects.list']
GA
roles/storageinsights.admin
Full access to Storage Insights resources.
Storage Insights Admin
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storageinsights.datasetConfigs.create', 'storageinsights.datasetConfigs.delete', 'storageinsights.datasetConfigs.get', 'storageinsights.datasetConfigs.linkDataset', 'storageinsights.datasetConfigs.list', 'storageinsights.datasetConfigs.unlinkDataset', 'storageinsights.datasetConfigs.update', 'storageinsights.locations.get', 'storageinsights.locations.list', 'storageinsights.operations.cancel', 'storageinsights.operations.delete', 'storageinsights.operations.get', 'storageinsights.operations.list', 'storageinsights.reportConfigs.create', 'storageinsights.reportConfigs.delete', 'storageinsights.reportConfigs.get', 'storageinsights.reportConfigs.list', 'storageinsights.reportConfigs.update', 'storageinsights.reportDetails.get', 'storageinsights.reportDetails.list']
GA
roles/storagetransfer.admin
Create, update and manage transfer jobs and operations.
Storage Transfer Admin
['resourcemanager.projects.get', 'resourcemanager.projects.list', 'storagetransfer.agentpools.create', 'storagetransfer.agentpools.delete', 'storagetransfer.agentpools.get', 'storagetransfer.agentpools.list', 'storagetransfer.agentpools.report', 'storagetransfer.agentpools.update', 'storagetransfer.jobs.create', 'storagetransfer.jobs.delete', 'storagetransfer.jobs.get', 'storagetransfer.jobs.list', 'storagetransfer.jobs.run', 'storagetransfer.jobs.update', 'storagetransfer.operations.assign', 'storagetransfer.operations.cancel', 'storagetransfer.operations.get', 'storagetransfer.operations.list', 'storagetransfer.operations.pause', 'storagetransfer.operations.report', 'storagetransfer.operations.resume', 'storagetransfer.projects.getServiceAccount']
GA
roles/storage.objectCreator
Allows users to create objects. Does not give permission to view, delete, or replace objects.
Storage Object Creator
['orgpolicy.policy.get', 'resourcemanager.projects.get', 'resourcemanager.projects.list', 'storage.folders.create', 'storage.managedFolders.create', 'storage.multipartUploads.abort', 'storage.multipartUploads.create', 'storage.multipartUploads.listParts', 'storage.objects.create']
GA
roles/storageinsights.serviceAgent
Permissions for Insights to write reports into customer project.
StorageInsights Service Agent
['bigquery.datasets.create', 'serviceusage.services.use', 'storageinsights.reportDetails.list']
GA