Cette page a été traduite par l'API Cloud Translation.

Rôles IAM pour Cloud Storage

Ce document fournit des informations sur les rôles et les autorisations Identity and Access Management (IAM) pour Cloud Storage.

Rôles prédéfinis

Le tableau suivant décrit les rôles Identity and Access Management (IAM) associés à Cloud Storage et répertorie les autorisations comprises dans chacun d'entre eux. Sauf indication contraire, ces rôles peuvent être appliqués à des projets, des buckets ou des dossiers gérés. Toutefois, vous ne pouvez octroyer des anciens rôles que pour certains buckets.

Pour apprendre à contrôler l'accès aux buckets, consultez la page Utiliser les autorisations IAM. Pour savoir comment contrôler l'accès aux dossiers gérés, consultez la page Utiliser IAM pour les dossiers gérés.

Role Permissions

Role	Permissions
Storage Admin (`roles/storage.admin`) Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role: Bucket	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `firebase.projects.get` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Bucket Viewer ^Beta (`roles/storage.bucketViewer`) Grants permission to view buckets and their metadata, excluding IAM policies.	`storage.buckets.get` `storage.buckets.list`
Storage Express Mode Service Input ^Beta (`roles/storage.expressModeServiceInput`) Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.	`storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.update`
Storage Express Mode Service Output ^Beta (`roles/storage.expressModeServiceOutput`) Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.	`storage.objects.delete` `storage.objects.get` `storage.objects.list`
Storage Express Mode User Access ^Beta (`roles/storage.expressModeUserAccess`) Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.	`orgpolicy.policy.get` `storage.buckets.get` `storage.buckets.list` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.restore` `storage.objects.update`
Storage Folder Admin (`roles/storage.folderAdmin`) Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Full control of Cloud Storage HMAC keys.	`firebase.projects.get` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.hmacKeys.*` `storage.hmacKeys.create` `storage.hmacKeys.delete` `storage.hmacKeys.get` `storage.hmacKeys.list` `storage.hmacKeys.update`
Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Read-only access to Cloud Storage Inventory metadata for Storage Insights.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.buckets.getObjectInsights`
Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.createTagBinding` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.list` `storage.objects.list`
Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.overrideUnlockedRetention` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get`
Storage Object Admin (`roles/storage.objectAdmin`) Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role: Bucket	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Object Creator (`roles/storage.objectCreator`) Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role: Bucket	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.create` `storage.managedFolders.create` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.listParts` `storage.objects.create`
Storage Object User (`roles/storage.objectUser`) Access to create, read, update and delete objects and multipart uploads in GCS.	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.move` `storage.objects.restore` `storage.objects.update`
Storage Object Viewer (`roles/storage.objectViewer`) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role: Bucket	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.objects.get` `storage.objects.list`

Storage Admin

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

Bucket

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage Bucket Viewer ^Beta

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

Storage Express Mode Service Input ^Beta

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

Storage Express Mode Service Output ^Beta

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

Storage Express Mode User Access ^Beta

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

Storage Folder Admin

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage HMAC Key Admin

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

Storage Insights Collector Service

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

Storage Legacy Bucket Owner

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Bucket Reader

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

Storage Legacy Bucket Writer

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Object Owner

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

Storage Legacy Object Reader

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

Storage Object Admin

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage Object Creator

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

Storage Object User

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

Storage Object Viewer

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

Rôles Storage Insights prédéfinis

Le tableau suivant décrit les rôles IAM associés à Storage Insights et répertorie les autorisations comprises dans chacun d'entre eux.

Role Permissions

Role	Permissions
Storage Insights Admin (`roles/storageinsights.admin`) Full access to Storage Insights resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storageinsights.*` `storageinsights.datasetConfigs.create` `storageinsights.datasetConfigs.delete` `storageinsights.datasetConfigs.get` `storageinsights.datasetConfigs.linkDataset` `storageinsights.datasetConfigs.list` `storageinsights.datasetConfigs.unlinkDataset` `storageinsights.datasetConfigs.update` `storageinsights.locations.get` `storageinsights.locations.list` `storageinsights.operations.cancel` `storageinsights.operations.delete` `storageinsights.operations.get` `storageinsights.operations.list` `storageinsights.reportConfigs.create` `storageinsights.reportConfigs.delete` `storageinsights.reportConfigs.get` `storageinsights.reportConfigs.list` `storageinsights.reportConfigs.update` `storageinsights.reportDetails.get` `storageinsights.reportDetails.list`
Storage Insights Analyst (`roles/storageinsights.analyst`) Data access to Storage Insights.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storageinsights.datasetConfigs.get` `storageinsights.datasetConfigs.linkDataset` `storageinsights.datasetConfigs.list` `storageinsights.datasetConfigs.unlinkDataset` `storageinsights.locations.` `storageinsights.locations.get` `storageinsights.locations.list` `storageinsights.operations.get` `storageinsights.operations.list` `storageinsights.reportConfigs.get` `storageinsights.reportConfigs.list` `storageinsights.reportDetails.` `storageinsights.reportDetails.get` `storageinsights.reportDetails.list`
StorageInsights Service Agent (`roles/storageinsights.serviceAgent`) Permissions for Insights to write reports into customer project Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.datasets.create` `serviceusage.services.use` `storageinsights.reportDetails.list`
Storage Insights Viewer (`roles/storageinsights.viewer`) Read-only access to Storage Insights resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storageinsights.datasetConfigs.get` `storageinsights.datasetConfigs.list` `storageinsights.locations.` `storageinsights.locations.get` `storageinsights.locations.list` `storageinsights.operations.get` `storageinsights.operations.list` `storageinsights.reportConfigs.get` `storageinsights.reportConfigs.list` `storageinsights.reportDetails.` `storageinsights.reportDetails.get` `storageinsights.reportDetails.list`

Storage Insights Admin

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update
storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.cancel
storageinsights.operations.delete
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.create
storageinsights.reportConfigs.delete
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportConfigs.update
storageinsights.reportDetails.get
storageinsights.reportDetails.list

Storage Insights Analyst

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

storageinsights.locations.get
storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

storageinsights.reportDetails.get
storageinsights.reportDetails.list

StorageInsights Service Agent

(roles/storageinsights.serviceAgent)

Permissions for Insights to write reports into customer project

bigquery.datasets.create

serviceusage.services.use

storageinsights.reportDetails.list

Storage Insights Viewer

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

storageinsights.locations.get
storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

storageinsights.reportDetails.get
storageinsights.reportDetails.list

Rôles de base

Les rôles de base existaient avant IAM. Ces rôles ont des caractéristiques uniques :

Les rôles de base ne peuvent être accordés que pour un projet entier, et non pour certains buckets du projet. Comme les autres rôles que vous accordez pour un projet, les rôles de base s'appliquent à tous les buckets et objets du projet.
Les rôles de base contiennent des autorisations supplémentaires pour d'autres services Google Cloudqui ne sont pas traités dans cette section. Pour en savoir plus sur les autorisations accordées par les rôles de base, consultez la section Rôles de base.
Chaque rôle de base possède une valeur d'usage qui vous permet d'utiliser le rôle de base comme s'il s'agissait d'un groupe. Lorsqu'il est utilisé de cette manière, toute entité principale disposant du rôle de base est considérée comme faisant partie du groupe. Tous les membres du groupe obtiennent un accès supplémentaire aux ressources en fonction du niveau d'accès dont ils disposent.
- Les valeurs pratiques peuvent être utilisées lors de l'attribution de rôles pour des buckets.
- Les valeurs d'usage peuvent être utilisées lors de la définition de LCA sur des objets.
Les rôles de base n'accordent pas naturellement un accès aux ressources Cloud Storage, comme leurs noms peuvent suggérer. À la place, ils fournissent une partie de l'accès attendu de manière intrinsèque, et le reste de l'accès attendu, à l'aide de valeurs d'usage. Étant donné que les valeurs d'usage peuvent être ajoutées manuellement ou supprimées comme n'importe quel autre entité principale IAM, il est possible de révoquer l'accès que les entités principales pourraient autrement s'attendre à avoir.

Pour en savoir plus sur l'accès supplémentaire que les entités principales bénéficiant de rôles de base obtiennent généralement en raison de ces valeurs d'usage, consultez la section Comportement modifiable.

Autorisations intrinsèques

Le tableau suivant décrit les autorisations Cloud Storage qui sont toujours associées à chaque rôle de base.

Rôle Description Autorisations Cloud Storage

Lecteur (roles/viewer) Octroie l'autorisation de répertorier les buckets du projet, d'afficher leurs métadonnées lors de la création d'une liste (à l'exclusion des LCA), ainsi que de répertorier et d'obtenir les clés HMAC du projet. storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.get
storage.hmacKeys.list

Éditeur (roles/editor) Octroie l'autorisation de créer, de répertorier et de supprimer des buckets dans le projet, d'afficher leurs métadonnées lors de la création d'une liste (à l'exclusion des LCA), ainsi que de contrôler les clés HMAC du projet. storage.buckets.create
storage.buckets.delete
storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.*

Rôle	Description	Autorisations Cloud Storage
Lecteur (`roles/viewer`)	Octroie l'autorisation de répertorier les buckets du projet, d'afficher leurs métadonnées lors de la création d'une liste (à l'exclusion des LCA), ainsi que de répertorier et d'obtenir les clés HMAC du projet.	`storage.buckets.getIpFilter` `storage.buckets.list` `storage.hmacKeys.get` `storage.hmacKeys.list`
Éditeur (`roles/editor`)	Octroie l'autorisation de créer, de répertorier et de supprimer des buckets dans le projet, d'afficher leurs métadonnées lors de la création d'une liste (à l'exclusion des LCA), ainsi que de contrôler les clés HMAC du projet.	`storage.buckets.create` `storage.buckets.delete` `storage.buckets.getIpFilter` `storage.buckets.list` `storage.hmacKeys.*`
Propriétaire (`roles/owner`)	Octroie l'autorisation de créer, de répertorier et de supprimer des buckets dans le projet, d'afficher les métadonnées des buckets lors de la création d'une liste (à l'exclusion des LCA), de créer, supprimer et répertorier des liaisons de tags, et de contrôler les clés HMAC du projet. Permet également d'activer, de désactiver, de mettre à jour et d'obtenir la configuration Storage Intelligence d'un projet, d'un dossier ou d'une organisation. Plus généralement, dans Google Cloud , les entités principales dotées de ce rôle peuvent effectuer des tâches administratives, telles que la modification des rôles des entités principales pour le projet ou la modification de la facturation.	`storage.buckets.create` `storage.buckets.delete` `storage.buckets.list` `storage.buckets.createTagBinding` `storage.buckets.deleteTagBinding` `storage.buckets.getIpFilter` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.setIpFilter` `storage.hmacKeys.*` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update`

Propriétaire (roles/owner)

Octroie l'autorisation de créer, de répertorier et de supprimer des buckets dans le projet, d'afficher les métadonnées des buckets lors de la création d'une liste (à l'exclusion des LCA), de créer, supprimer et répertorier des liaisons de tags, et de contrôler les clés HMAC du projet. Permet également d'activer, de désactiver, de mettre à jour et d'obtenir la configuration Storage Intelligence d'un projet, d'un dossier ou d'une organisation.

Plus généralement, dans Google Cloud , les entités principales dotées de ce rôle peuvent effectuer des tâches administratives, telles que la modification des rôles des entités principales pour le projet ou la modification de la facturation.

storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIpFilter
storage.hmacKeys.*
storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

Comportement modifiable

Les comptes principaux avec des rôles de base disposent souvent d'un accès supplémentaire aux buckets et aux objets d'un projet en raison des valeurs d'usage. Lors de la création d'un bucket, des valeurs d'usage sont accordées à certains buckets. Toutefois, vous pouvez modifier vos stratégies IAM de bucket et vos LCA d'objet pour supprimer ou modifier l'accès.

Lorsque vous créez un bucket pour lequel l'accès uniforme au niveau du bucket est activé, l'accès suivant est accordé via des valeurs d'usage :

Les comptes principaux ayant le rôle roles/viewer obtiennent les rôles roles/storage.legacyBucketReader et roles/storage.legacyObjectReader pour le bucket.
Les comptes principaux ayant le rôle roles/editor obtiennent les rôles roles/storage.legacyBucketOwner et roles/storage.legacyObjectOwner pour le bucket
Les comptes principaux ayant le rôle roles/owner obtiennent les rôles roles/storage.legacyBucketOwner et roles/storage.legacyObjectOwner pour le bucket.

Lorsque vous créez un bucket pour lequel l'accès uniforme au niveau du bucket n'est pas activé, l'accès suivant est accordé à l'aide des valeurs d'usage :

Les comptes principaux ayant le rôle roles/viewer obtiennent le rôle roles/storage.legacyBucketReader pour le bucket.
Les comptes principaux ayant le rôle roles/editor obtiennent le rôle roles/storage.legacyBucketOwner pour le bucket.
Les comptes principaux ayant le rôle roles/owner obtiennent le rôle roles/storage.legacyBucketOwner pour le bucket.
De plus, le bucket dispose d'une Liste de contrôle d'accès (LCA) d'objet par défaut. Cette LCA par défaut est souvent appliquée aux nouveaux objets du bucket et accorde souvent un accès supplémentaire aux valeurs d'usage.

Rôles personnalisés

Vous pouvez définir vos propres rôles. Ils regroupent les autorisations que vous spécifiez. Pour ce faire, IAM propose des rôles personnalisés.

Étape suivante

Utilisez les autorisations IAM pour contrôler l'accès aux buckets et aux objets.
Apprenez-en plus sur chaque autorisation IAM pour Cloud Storage.
Consultez les références IAM disponibles pour Cloud Storage, telles que les autorisations IAM qui permettent aux utilisateurs d'effectuer des actions avec divers outils et API.
Pour en savoir plus sur les autres rôles Google Cloud , consultez Comprendre les rôles.

Rôles IAM pour Cloud Storage Restez organisé à l'aide des collections Enregistrez et classez les contenus selon vos préférences.

Rôles prédéfinis

Storage Admin

Storage Bucket Viewer Beta

Storage Express Mode Service Input Beta

Storage Express Mode Service Output Beta

Storage Express Mode User Access Beta

Storage Folder Admin

Storage HMAC Key Admin

Storage Insights Collector Service

Storage Legacy Bucket Owner

Storage Legacy Bucket Reader

Storage Legacy Bucket Writer

Storage Legacy Object Owner

Storage Legacy Object Reader

Storage Object Admin

Storage Object Creator

Storage Object User

Storage Object Viewer

Rôles Storage Insights prédéfinis

Storage Insights Admin

Storage Insights Analyst

StorageInsights Service Agent

Storage Insights Viewer

Rôles de base

Autorisations intrinsèques

Comportement modifiable

Rôles personnalisés

Étape suivante

Rôles IAM pour Cloud Storage

Storage Bucket Viewer ^Beta

Storage Express Mode Service Input ^Beta

Storage Express Mode Service Output ^Beta

Storage Express Mode User Access ^Beta