Cloud Storage roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Cloud Storage. To search through all roles and permissions, see the role and permission index.

Cloud Storage roles

Role Permissions

Role	Permissions
Storage Admin (`roles/storage.admin`) Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role: Bucket	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `firebase.projects.get` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Bucket Viewer ^Beta (`roles/storage.bucketViewer`) Grants permission to view buckets and their metadata, excluding IAM policies.	`storage.buckets.get` `storage.buckets.list`
Storage Express Mode Service Input ^Beta (`roles/storage.expressModeServiceInput`) Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.	`storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.update`
Storage Express Mode Service Output ^Beta (`roles/storage.expressModeServiceOutput`) Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.	`storage.objects.delete` `storage.objects.get` `storage.objects.list`
Storage Express Mode User Access ^Beta (`roles/storage.expressModeUserAccess`) Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.	`orgpolicy.policy.get` `storage.buckets.get` `storage.buckets.list` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.restore` `storage.objects.update`
Storage Folder Admin (`roles/storage.folderAdmin`) Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Full control of Cloud Storage HMAC keys.	`firebase.projects.get` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.hmacKeys.*` `storage.hmacKeys.create` `storage.hmacKeys.delete` `storage.hmacKeys.get` `storage.hmacKeys.list` `storage.hmacKeys.update`
Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Read-only access to Cloud Storage Inventory metadata for Storage Insights.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.buckets.getObjectInsights`
Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.createTagBinding` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.list` `storage.objects.list`
Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.overrideUnlockedRetention` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get`
Storage Object Admin (`roles/storage.objectAdmin`) Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role: Bucket	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Object Creator (`roles/storage.objectCreator`) Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role: Bucket	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.create` `storage.managedFolders.create` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.listParts` `storage.objects.create`
Storage Object User (`roles/storage.objectUser`) Access to create, read, update and delete objects and multipart uploads in GCS.	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.move` `storage.objects.restore` `storage.objects.update`
Storage Object Viewer (`roles/storage.objectViewer`) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role: Bucket	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.objects.get` `storage.objects.list`

Storage Admin

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

Bucket

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage Bucket Viewer ^Beta

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

Storage Express Mode Service Input ^Beta

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

Storage Express Mode Service Output ^Beta

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

Storage Express Mode User Access ^Beta

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

Storage Folder Admin

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage HMAC Key Admin

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

Storage Insights Collector Service

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

Storage Legacy Bucket Owner

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Bucket Reader

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

Storage Legacy Bucket Writer

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Object Owner

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

Storage Legacy Object Reader

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

Storage Object Admin

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage Object Creator

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

Storage Object User

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

Storage Object Viewer

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

Cloud Storage permissions

Permission	Included in roles
`storage.anywhereCaches.create`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.anywhereCaches.disable`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.anywhereCaches.get`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.anywhereCaches.list`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.anywhereCaches.pause`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.anywhereCaches.resume`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.anywhereCaches.update`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.bucketOperations.cancel`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.bucketOperations.get`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.bucketOperations.list`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.create`	Owner (`roles/owner`) Editor (`roles/editor`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Velostrata Manager (`roles/cloudmigration.inframanager`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine Standard Environment Service Agent (`roles/appengine.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.buckets.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Tag User (`roles/resourcemanager.tagUser`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Velostrata Manager (`roles/cloudmigration.inframanager`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.buckets.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Tag User (`roles/resourcemanager.tagUser`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.enableObjectRetention`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.get`	Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Velostrata Manager (`roles/cloudmigration.inframanager`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Worker (`roles/dataflow.worker`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Viewer (`roles/firebase.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Admin (`roles/storage.admin`) Storage Bucket Viewer (`roles/storage.bucketViewer`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine Standard Environment Service Agent (`roles/appengine.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataplex Discovery Service Agent (`roles/dataplex.discoveryServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.buckets.getIamPolicy`	DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`)
`storage.buckets.getIpFilter`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.getObjectInsights`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Velostrata Manager (`roles/cloudmigration.inframanager`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Admin (`roles/storage.admin`) Storage Bucket Viewer (`roles/storage.bucketViewer`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Workload Manager Admin (`roles/workloadmanager.admin`) Workload Manager Deployment Admin (`roles/workloadmanager.deploymentAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.buckets.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.relocate`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.restore`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.setIamPolicy`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Security Admin (`roles/iam.securityAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`storage.buckets.setIpFilter`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.buckets.update`	Velostrata Manager (`roles/cloudmigration.inframanager`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.folders.create`	Owner (`roles/owner`) Editor (`roles/editor`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.folders.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.folders.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Application Design Center Viewer (`roles/designcenter.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.folders.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Application Design Center Viewer (`roles/designcenter.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.folders.rename`	Owner (`roles/owner`) Editor (`roles/editor`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.hmacKeys.create`	Owner (`roles/owner`) Editor (`roles/editor`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`storage.hmacKeys.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.hmacKeys.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.hmacKeys.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.hmacKeys.update`	Owner (`roles/owner`) Editor (`roles/editor`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.intelligenceConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.intelligenceConfigs.update`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Storage Admin (`roles/storage.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.managedFolders.create`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.managedFolders.delete`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.managedFolders.get`	App Management Viewer (`roles/apphub.appManagementViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Application Design Center Viewer (`roles/designcenter.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.managedFolders.getIamPolicy`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.managedFolders.list`	App Management Viewer (`roles/apphub.appManagementViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Application Design Center Viewer (`roles/designcenter.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.managedFolders.setIamPolicy`	Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Security Admin (`roles/iam.securityAdmin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`storage.multipartUploads.abort`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.multipartUploads.create`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.multipartUploads.list`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.multipartUploads.listParts`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.create`	Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Task Worker (`roles/bigquerymigration.worker`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Worker (`roles/dataflow.worker`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Rules System (`roles/firebaserules.system`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Admin (`roles/storage.admin`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.objects.delete`	Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Rules System (`roles/firebaserules.system`) Storage Admin (`roles/storage.admin`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode Service Output (`roles/storage.expressModeServiceOutput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.objects.get`	App Management Viewer (`roles/apphub.appManagementViewer`) Container Registry -> Artifact Registry Migration Admin (`roles/artifactregistry.containerRegistryMigrationAdmin`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Task Worker (`roles/bigquerymigration.worker`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Firebase Test Lab Viewer (`roles/cloudtestservice.testViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Admin (`roles/dataflow.admin`) Dataflow Worker (`roles/dataflow.worker`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Application Design Center Viewer (`roles/designcenter.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Viewer (`roles/firebase.viewer`) Firebase Rules System (`roles/firebaserules.system`) Cloud Run Builder (`roles/run.builder`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Admin (`roles/storage.admin`) Storage Express Mode Service Output (`roles/storage.expressModeServiceOutput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Extension Service Agent (`roles/aiplatform.extensionServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Compliance Scanning Service Agent (`roles/compliancescanning.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) [Deprecated] Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Container Scanner Service Agent (`roles/containerscanning.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataplex Discovery Service Agent (`roles/dataplex.discoveryServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Managed Flink Service Agent (`roles/managedflink.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Migration Center Service Agent (`roles/migrationcenter.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) On-Demand Scanning Service Agent (`roles/ondemandscanning.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.objects.getIamPolicy`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.list`	App Management Viewer (`roles/apphub.appManagementViewer`) Container Registry -> Artifact Registry Migration Admin (`roles/artifactregistry.containerRegistryMigrationAdmin`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Task Orchestrator (`roles/bigquerymigration.orchestrator`) Task Worker (`roles/bigquerymigration.worker`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Firebase Test Lab Viewer (`roles/cloudtestservice.testViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Admin (`roles/dataflow.admin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Application Design Center Viewer (`roles/designcenter.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Viewer (`roles/firebase.viewer`) Firebase Rules System (`roles/firebaserules.system`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Admin (`roles/storage.admin`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode Service Output (`roles/storage.expressModeServiceOutput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Workload Manager Admin (`roles/workloadmanager.admin`) Workload Manager Deployment Admin (`roles/workloadmanager.deploymentAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Compliance Scanning Service Agent (`roles/compliancescanning.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) [Deprecated] Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Container Scanner Service Agent (`roles/containerscanning.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataplex Discovery Service Agent (`roles/dataplex.discoveryServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) On-Demand Scanning Service Agent (`roles/ondemandscanning.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`storage.objects.move`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.overrideUnlockedRetention`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.restore`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.setIamPolicy`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Security Admin (`roles/iam.securityAdmin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.setRetention`	Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`)
`storage.objects.update`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center Admin (`roles/designcenter.admin`) Application Design Center User (`roles/designcenter.user`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Firebase Rules System (`roles/firebaserules.system`) Storage Admin (`roles/storage.admin`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)

Cloud Storage roles and permissions Stay organized with collections Save and categorize content based on your preferences.