This page provides an overview of managed folders in Cloud Storage.
Managed folders are a type of folder on which you can grant IAM
roles, so you have more fine-grained access control over specific groups of
objects within a bucket. Managed folders exist as resources within
Cloud Storage and are different from
simulated folders, which operate with a flat namespace.
IAM for managed folders
When you apply an IAM policy on a managed folder, the access
granted in the policy also applies to any object within that bucket that has the
managed folder's name as a prefix. For example, if you grant a principal the
Storage Object Viewer (roles/storage.objectViewer) role on a managed folder
named example-bucket/example-managed-folder/, the principal can view any
object within example-managed-folder (such as
example-bucket/example-managed-folder/example-object.txt).
When you nest managed folders, the permissions granted through
IAM policies are applied additively.
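The prefix and nesting rules above, modelled locally as an added example (not Google's code and not a Cloud Storage API call). The folder names, principals and the `effective_grants` and `principals_with_role` helpers are constructed for illustration, and only managed-folder policies are modelled, not grants made on the bucket or project.

```python
# Added example: a local model of the prefix rule, not a Cloud Storage API call.
from collections import defaultdict

# Constructed sample: managed folder name -> list of (role, principal) bindings.
FOLDER_POLICIES = {
    "finance/": [("roles/storage.objectViewer", "group:finance@example.com")],
    "finance/payroll/": [("roles/storage.objectAdmin", "user:payroll-admin@example.com")],
    "fin/": [("roles/storage.objectViewer", "user:intern@example.com")],
}


def effective_grants(object_name, folder_policies):
    """Return {principal: {(role, granting_folder), ...}} for one object.

    Every managed folder whose name is a prefix of the object name contributes
    its bindings; a child folder's policy never removes a grant made on a parent.
    """
    grants = defaultdict(set)
    for folder, bindings in folder_policies.items():
        if not folder.endswith("/"):
            raise ValueError(f"managed folder name must end with '/': {folder!r}")
        # The trailing '/' is part of the name, so "fin/" does not match "finance/...".
        if object_name.startswith(folder):
            for role, principal in bindings:
                grants[principal].add((role, folder))
    return dict(grants)


def principals_with_role(object_name, role, folder_policies):
    """Principals holding `role` on the object through any enclosing folder."""
    return sorted(
        p for p, held in effective_grants(object_name, folder_policies).items()
        if any(r == role for r, _ in held)
    )


if __name__ == "__main__":
    for name in ("finance/payroll/2025-08.csv", "finance/q3.xlsx", "financial-notes.txt"):
        print(name)
        for principal, held in sorted(effective_grants(name, FOLDER_POLICIES).items()):
            for role, folder in sorted(held):
                print(f"  {principal}: {role} (via {folder})")
```

When reviewing access, the useful output is the `via` folder: a viewer grant on `finance/` still reaches objects under `finance/payroll/`, even though that child folder has its own, narrower policy.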
Managed folders can only be created in buckets that have uniform bucket-level access
enabled.
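Read the following pages for more information about managed folders:
Creating and managing managed folders
Control access to managed folders
ManagedFolder reference page for the JSON API
Managed folder names
The name you give to a managed folder must meet the following requirements:
Managed folder names can contain any sequence of valid Unicode characters, of
length 1-1024 bytes when UTF-8 encoded.
Managed folder names cannot contain Carriage Return or Line Feed characters.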
Managed folder names must end with /. At most, a managed folder name can
have 15 /s. In other words, managed folders can be nested up to 15 levels
deep.
Managed folder names cannot start with .well-known/acme-challenge/.
Managed folders cannot be named "." or "..".
It is strongly recommended that you avoid the following in your managed folder
names:
Control characters that are illegal in XML 1.0
(#x7F–#x84 and #x86–#x9F): these characters cause XML listing
issues when you try to list your managed folders.
The [, ], *, or ? characters: the Google Cloud CLI interprets
these characters as wildcards, so including them in managed folder names can
make it difficult or impossible to perform wildcard operations with the
tool. Additionally, * and ? are not valid characters for file names in
Windows.
Sensitive or personally identifiable information (PII): managed folder names
are more broadly visible than object data. For example, managed folder names
appear in URLs for the object and when listing objects in a bucket.
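A pre-creation check for the naming rules on this page, as an added example (not part of the original page or of any Google library). It separates the hard requirements (1-1024 bytes in UTF-8, no Carriage Return or Line Feed, trailing `/`, at most 15 `/`s, the reserved prefix, `.` and `..`) from the recommendations; the function name `check_managed_folder_name` is hypothetical, and PII in names is not something this check can detect.

```python
# Added example: checks a proposed name against the rules listed on this page.
ACME_PREFIX = ".well-known/acme-challenge/"
WILDCARD_CHARS = set("[]*?")


def _is_discouraged_control(ch):
    # Ranges the page calls out: #x7F-#x84 and #x86-#x9F (#x85 is not included).
    cp = ord(ch)
    return 0x7F <= cp <= 0x84 or 0x86 <= cp <= 0x9F


def check_managed_folder_name(name):
    """Return (errors, warnings) for a proposed managed folder name.

    errors   -> the name breaks a stated requirement.
    warnings -> the name is allowed but uses something the page recommends avoiding.
    """
    errors, warnings = [], []
    try:
        size = len(name.encode("utf-8"))
    except UnicodeEncodeError:
        # Lone surrogates and similar are not valid Unicode text.
        return ["not valid Unicode (cannot be UTF-8 encoded)"], warnings
    if not 1 <= size <= 1024:
        errors.append(f"length is {size} bytes in UTF-8; must be 1-1024")
    if "\r" in name or "\n" in name:
        errors.append("contains a Carriage Return or Line Feed")
    if not name.endswith("/"):
        errors.append("must end with '/'")
    if name.count("/") > 15:
        errors.append(f"has {name.count('/')} '/' characters; at most 15 allowed")
    if name.startswith(ACME_PREFIX):
        errors.append(f"must not start with {ACME_PREFIX}")
    # Assumption of this example: './' and '../' are treated like '.' and '..'.
    if name.rstrip("/") in (".", ".."):
        errors.append("must not be named '.' or '..'")
    if any(_is_discouraged_control(c) for c in name):
        warnings.append("contains control characters that are illegal in XML 1.0")
    found = sorted(WILDCARD_CHARS.intersection(name))
    if found:
        warnings.append("contains gcloud wildcard characters: " + " ".join(found))
    return errors, warnings
```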
Considerations
When working with managed folders, note the following considerations:
Managed folders can be created in place of simulated folders, which means
that you can create a managed folder and name it after an object's prefix, as
long as there isn't already a managed folder using that name. For example, you
can create a managed folder named my-folder/, even if you have an existing
object named my-folder/object.txt. Note that the IAM policy
on the managed folder my-folder/ will then apply to all objects that have
my-folder/ as a name prefix.
You can create child managed folders before the parent managed folder is
created. For example, you can create a managed folder named
my-folder-A/my-folder-B/ without first creating a managed folder named
my-folder-A/.
By default, you can't delete a non-empty managed folder that contains objects
or other child managed folders. You can bypass this rule by using the
allowNonEmpty parameter in a Delete ManagedFolder JSON API request.
Managed folder names are visible in error messages and Cloud Audit Logs when a
request to delete a folder that has a managed folder at the same path
fails, even without explicit storage.managedFolders.get or
storage.managedFolders.list permissions.
Last updated 2025-08-28 UTC.