Most of the operations you perform in Cloud Storage must be
authenticated. The only exceptions are operations on resources that allow
anonymous access. A resource has anonymous access if the allUsers group is
included in the ACL for the resource or if the allUsers group is included in
an IAM policy that applies to the resource. The allUsers group
includes anyone on the Internet.

Authorization is the process of determining what permissions an authenticated
identity has on a set of specified resources. OAuth 2.0 uses scopes to
determine if an authenticated identity is authorized. Applications use a
credential (obtained from a user-centric or server-centric authentication flow)
together with one or more scopes to request an access token from a Google
authorization server to access protected resources. For example, application A
with an access token with read-only scope can only read, while application B
with an access token with read-write scope can read and modify data. Neither
application can read or modify access control lists on objects and buckets;
only an application with full-control scope can do so.

| Type | Description | Scope URL |
|---|---|---|
| read-only | Only allows access to read data, including listing buckets. | |
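
The scope model described above, as an added example that is not part of the original page: a least-privilege audit that compares the scope string a token carries with the operations an application needs. The three scope URLs are the ones Google publishes for Cloud Storage and are not listed on this page; the capability labels (`read`, `write`, `acl`), function names and sample input are constructed for illustration.

```python
# Added example: audit a token's Cloud Storage scopes against what an app needs.
# Scope URLs are the ones Google publishes for Cloud Storage (not listed on this
# page); the capability labels "read", "write", "acl" are made up for this sketch.
_BASE = "https://www.googleapis.com/auth/devstorage."
SCOPE_CAPS = {
    _BASE + "read_only": frozenset({"read"}),                     # read data, list buckets
    _BASE + "read_write": frozenset({"read", "write"}),           # read and modify data
    _BASE + "full_control": frozenset({"read", "write", "acl"}),  # plus ACLs
}


def parse_scope(scope_field):
    """Split an OAuth 2.0 scope value, which is space-delimited (RFC 6749, 3.3)."""
    return set(scope_field.split())


def narrowest_scope(needed):
    """Return the modeled scope with the fewest capabilities that covers `needed`."""
    fits = [(len(caps), url) for url, caps in SCOPE_CAPS.items() if needed <= caps]
    if not fits:
        raise ValueError(f"no modeled scope covers {sorted(needed)}")
    return min(fits)[1]


def audit_token(scope_field, needed):
    """Compare the capabilities a token's scopes grant with those the app needs."""
    needed = frozenset(needed)
    scopes = parse_scope(scope_field)
    granted = set()
    for url in scopes:
        granted |= SCOPE_CAPS.get(url, frozenset())
    return {
        "missing": sorted(needed - granted),   # operations that will be refused
        "excess": sorted(granted - needed),    # privilege the app never uses
        # Scopes outside the three above (other APIs, broader Google Cloud
        # scopes) are surfaced for manual review instead of being guessed at.
        "unmodeled": sorted(s for s in scopes if s not in SCOPE_CAPS),
        "recommended": narrowest_scope(needed),
    }


if __name__ == "__main__":
    # Constructed sample: a report job that only reads objects, holding a
    # token that was requested with full-control scope.
    print(audit_token(_BASE + "full_control", {"read"}))
```

A non-empty `excess` list means the token could do more than the application requires if it leaked; requesting the `recommended` scope instead closes that gap.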
Last updated 2025-09-03 UTC.