Cloud Storage OAuth 2.0 scopes

Most of the operations you perform in Cloud Storage must be authenticated. The only exceptions are operations on resources that allow anonymous access. A resource has anonymous access if the allUsers group is included in the ACL for the resource or if the allUsers group is included in an IAM policy that applies to the resource. The allUsers group includes anyone on the Internet.

Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth 2.0 uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources. For example, application A with an access token with read-only scope can only read, while application B with an access token with read-write scope can read and modify data. Neither application can read or modify access control lists on objects and buckets; only an application with full-control scope can do so.

Type Description Scope URL
read-only Only allows access to read data, including listing buckets.
read-write Allows access to read and change data, but not metadata like IAM policies.
full-control Allows full control over data, including the ability to modify IAM policies. View your data across Google Cloud services. For Cloud Storage, this is the same as
cloud-platform View and manage data across all Google Cloud services. For Cloud Storage, this is the same as devstorage.full-control.