Agentless transfers include transfers within Cloud Storage, or from Amazon S3, Azure Blob Storage or Data Lake Storage Gen2, or URL lists of public objects. They do not require transfer agents or agent pools.
When transferring data between cloud providers in an agentless transfer, you must grant permissions to two entities:
- The user or user-managed service account that's creating or managing the transfer.
- A Google-managed service account that's automatically created the first time you interact with Storage Transfer Service.
In addition, you must configure access to the source files on AWS S3, Microsoft Azure, or in Cloud Storage.
To learn how to grant IAM roles, see Granting, changing, and revoking access to resources.
Simplest method of granting permissions
The gcloud CLI can be used to grant the required permissions to the
user / user-managed service account and to the Google-managed service account.
These permissions allow the user to create, edit, and delete transfer jobs,
and set or modify bandwidth limits.
If these permissions are too broad for your organization's policies, refer to the later sections in this document for the minimum permissions required by Storage Transfer Service.
To inspect existing permissions and print out any missing roles, run the following command:
gcloud transfer authorize
To automatically apply those roles, use the --add-missing flag:
gcloud transfer authorize --add-missing
To grant permissions to a user-managed service account, pass the service account key file:
gcloud transfer authorize --add-missing --creds-file=path/to/key.json
For instructions on creating a service account, see Creating and managing service accounts.
The command grants the following permissions.
To the user / user-managed service account:
roles/ownerroles/storagetransfer.adminroles/storagetransfer.transferAgentroles/storage.objectAdminroles/pubsub.editor
To the Google-managed service account:
roles/storage.adminroles/storagetransfer.serviceAgent
For instructions on installing the gcloud CLI, see the
gcloud quickstart.
User or user-managed service account permissions
This section covers the roles required for the accounts managing and executing transfers. Your organization's requirements will dictate the exact roles for each persona; this section assumes that you will create an administrator and a user.
Administrator accounts
Storage Transfer Service administrator accounts set bandwidth usage limits and delete transfer jobs.
To set up an administrator account, assign the following IAM permissions and roles:
| Role / Permission | What it does | Notes |
|---|---|---|
resourcemanager.projects.getIamPolicy |
This permission is used to confirm that the Google-managed service account has the required permissions for a transfer. | To grant this permission, grant the
Role Viewer
(roles/iam.roleViewer) predefined role, or
create a custom role with
this single permission and grant the custom role. |
Storage Transfer Admin
(roles/storagetransfer.admin)
|
Enables administrative actions in the transfer project, such as project set up. | For a detailed listing of permissions granted, see Storage Transfer Service Predefined roles. |
User accounts
Storage Transfer Service user accounts are used to create and execute transfers. These accounts typically don't have access to delete transfer jobs.
A user account can be a Google Cloud console user, or a service account. If you're using a service account, the method you use to pass the credentials to Storage Transfer Service varies depending on the interface you use.
To set up a user account, assign the following permissions and roles to the account:
| Role / Permission | What it does | Notes |
|---|---|---|
resourcemanager.projects.getIamPolicy |
Used to confirm that the Google-managed service account has the required Pub/Sub permissions for a transfer. | To grant this permission, grant the
Role Viewer
(roles/iam.roleViewer) predefined role, or
create a custom role with
this single permission and grant the custom role. |
Storage Transfer User
(roles/storagetransfer.user)
|
Enables the user to create, get, update, and list transfers. | For a detailed listing of permissions granted, see Storage Transfer Service Predefined roles. |
Google-managed service account permissions
Storage Transfer Service uses a
Google-managed service
account to move your data. This service account is automatically created
the first time you create a transfer job, call
googleServiceAccounts.get, or visit the job creation page in the
Google Cloud console.
The service account's format is typically
project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com.
To retrieve your service account identifier, use the
googleServiceAccounts.get API call.
Automatically assigning roles
There are two ways to automatically assign the correct roles to the Google-managed service account:
Create your transfer using the Google Cloud console. The console automatically applies the required permissions.
Use
gcloud transfer authorize --add-missing. See Simplest method of granting permissions.
Manually assigning roles
To allow the Google-managed service account access to resources needed to complete transfers, assign the following roles, or equivalent permissions, to the service account.
| Role / Permission | What it does | Notes |
|---|---|---|
Storage Legacy Bucket Writer
(roles/storage.legacyBucketWriter)
|
Enables Storage Transfer Service to read bucket metadata, list objects in the bucket, and write objects to the destination bucket. | Grant on the Cloud Storage destination bucket. |
Storage Object Viewer
(roles/storage.objectViewer)
|
Enables Storage Transfer Service to determine if a file has already been transferred to or from Cloud Storage. | Grant on the Cloud Storage source bucket if you're transferring from Cloud Storage. If appropriate for your situation, you can grant the role on a project level to the project that Storage Transfer Service is running from. |
Storage Legacy Bucket Reader
(roles/storage.legacyBucketReader)
|
Enables Storage Transfer Service to read Cloud Storage bucket metadata. |
Grant on the Cloud Storage source bucket if you're transferring from Cloud Storage. Cloud Storage |
See Grant the required permissions for instructions.
Cross-project Cloud Storage transfers
To transfer objects between Cloud Storage buckets in different projects, you must grant permission to a single Google-managed service account on both the source bucket and the destination bucket. The Google-managed service account belongs to the project from which you are creating the transfer.
The user or user-managed service account only needs permissions on the project that is creating the transfer.
To obtain the Google-managed service account's email, refer to Find the service agent's email.
On the source bucket, grant the following roles at the bucket level to the Google-managed service account:
Storage Legacy Bucket ReaderStorage Object Viewer
On the destination bucket, grant the following role at the bucket level to the same Google-managed service account:
Storage Legacy Bucket Writer
For instructions on granting roles at the bucket level, refer to the following pages:
Organizational restrictions
If your organization has applied
organization policy constraints
such as
domain restrictions
(constraints/iam.allowedPolicyMemberDomains) or
disabling attachment of service accounts to resources in other projects
(constraints/iam.disableCrossProjectServiceAccountUsage), these constraints
must be updated before cross-project transfers can succeed.
You may also need to update any VPC service control settings to support cross-project transfers. See Configure VPC Service Controls for cloud object storage transfers.
AWS and Microsoft permissions
You must also configure access to your source files if they're in AWS S3 or Microsoft Azure Storage. The following documents detail the required steps: