Some or all of the information on this page might not apply to Cloud de Confiance by S3NS. See Differences from Google Cloud for more details.

Cloud Storage roles and permissions

This page lists the IAM roles and permissions for Cloud Storage. To search through all roles and permissions, see the role and permission index.

Cloud Storage roles

Role Permissions

Role	Permissions
Storage Admin (`roles/storage.admin`) Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role: Bucket	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `firebase.projects.get` `monitoring.timeSeries.create` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.buckets.viewIntelligenceDetails` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext` `storagebatchoperations.` `storagebatchoperations.bucketOperations.get` `storagebatchoperations.bucketOperations.list` `storagebatchoperations.jobs.cancel` `storagebatchoperations.jobs.create` `storagebatchoperations.jobs.delete` `storagebatchoperations.jobs.get` `storagebatchoperations.jobs.list` `storagebatchoperations.locations.get` `storagebatchoperations.locations.list` `storagebatchoperations.operations.cancel` `storagebatchoperations.operations.delete` `storagebatchoperations.operations.get` `storagebatchoperations.operations.list`
Storage Bucket Viewer ^Beta (`roles/storage.bucketViewer`) Grants permission to view buckets and their metadata, excluding IAM policies.	`storage.buckets.get` `storage.buckets.list`
Storage Editor (`roles/storage.editor`) Editor role for storage	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.create` `storage.buckets.delete` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.viewIntelligenceDetails` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.hmacKeys.` `storage.hmacKeys.create` `storage.hmacKeys.delete` `storage.hmacKeys.get` `storage.hmacKeys.list` `storage.hmacKeys.update` `storage.intelligenceConfigs.get`
Storage Folder Admin (`roles/storage.folderAdmin`) Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext`
Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.createTagBinding` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention` `storage.objects.updateContext`
Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.list` `storage.objects.list`
Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.createContext` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.overrideUnlockedRetention` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext`
Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get`
Storage Object Admin (`roles/storage.objectAdmin`) Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role: Bucket	`monitoring.timeSeries.create` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update` `storage.objects.updateContext`
Storage Object Creator (`roles/storage.objectCreator`) Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role: Bucket	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.create` `storage.managedFolders.create` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext`
Storage Object User (`roles/storage.objectUser`) Access to create, read, update and delete objects and multipart uploads in GCS.	`monitoring.timeSeries.create` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.createContext` `storage.objects.delete` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.list` `storage.objects.move` `storage.objects.restore` `storage.objects.update` `storage.objects.updateContext`
Storage Object Viewer (`roles/storage.objectViewer`) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role: Bucket	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.objects.get` `storage.objects.list`
Storage Viewer (`roles/storage.viewer`) Viewer role for storage	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.viewIntelligenceDetails` `storage.folders.get` `storage.folders.list` `storage.hmacKeys.get` `storage.hmacKeys.list` `storage.intelligenceConfigs.get`
Storage Annotation Generator Service ^Beta (`roles/storage.annotationGeneratorService`) Grants all permissions needed to generate annotations for objects in a bucket.	`storage.objects.createContext` `storage.objects.deleteContext` `storage.objects.get` `storage.objects.list` `storage.objects.update` `storage.objects.updateContext`
Storage Express Mode Service Input ^Beta (`roles/storage.expressModeServiceInput`) Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.	`storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.update`
Storage Express Mode Service Output ^Beta (`roles/storage.expressModeServiceOutput`) Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.	`storage.objects.delete` `storage.objects.get` `storage.objects.list`
Storage Express Mode User Access ^Beta (`roles/storage.expressModeUserAccess`) Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.	`orgpolicy.policy.get` `storage.buckets.get` `storage.buckets.list` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.restore` `storage.objects.update`
Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Full control of Cloud Storage HMAC keys.	`firebase.projects.get` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.hmacKeys.*` `storage.hmacKeys.create` `storage.hmacKeys.delete` `storage.hmacKeys.get` `storage.hmacKeys.list` `storage.hmacKeys.update`
Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Read-only access to Cloud Storage Inventory metadata for Storage Insights.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.buckets.getObjectInsights`

Storage Admin

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

Bucket

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.buckets.viewIntelligenceDetails

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext

storagebatchoperations.*

storagebatchoperations.bucketOperations.get
storagebatchoperations.bucketOperations.list
storagebatchoperations.jobs.cancel
storagebatchoperations.jobs.create
storagebatchoperations.jobs.delete
storagebatchoperations.jobs.get
storagebatchoperations.jobs.list
storagebatchoperations.locations.get
storagebatchoperations.locations.list
storagebatchoperations.operations.cancel
storagebatchoperations.operations.delete
storagebatchoperations.operations.get
storagebatchoperations.operations.list

Storage Bucket Viewer ^Beta

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

Storage Editor

(roles/storage.editor)

Editor role for storage

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

storage.buckets.delete

storage.buckets.list

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.viewIntelligenceDetails

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.hmacKeys.*

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

storage.intelligenceConfigs.get

Storage Folder Admin

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext

Storage Legacy Bucket Owner

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.deleteContext

storage.objects.list

storage.objects.restore

storage.objects.setRetention

storage.objects.updateContext

Storage Legacy Bucket Reader

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

Storage Legacy Bucket Writer

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Object Owner

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.createContext

storage.objects.deleteContext

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

storage.objects.updateContext

Storage Legacy Object Reader

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

Storage Object Admin

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

Bucket

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.createContext
storage.objects.delete
storage.objects.deleteContext
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
storage.objects.updateContext

Storage Object Creator

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

Storage Object User

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.deleteContext

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

storage.objects.updateContext

Storage Object Viewer

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

Storage Viewer

(roles/storage.viewer)

Viewer role for storage

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.list

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.viewIntelligenceDetails

storage.folders.get

storage.folders.list

storage.hmacKeys.get

storage.hmacKeys.list

storage.intelligenceConfigs.get

Storage Annotation Generator Service ^Beta

(roles/storage.annotationGeneratorService)

Grants all permissions needed to generate annotations for objects in a bucket.

storage.objects.createContext

storage.objects.deleteContext

storage.objects.get

storage.objects.list

storage.objects.update

storage.objects.updateContext

Storage Express Mode Service Input ^Beta

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

Storage Express Mode Service Output ^Beta

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

Storage Express Mode User Access ^Beta

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

Storage HMAC Key Admin

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

Storage Insights Collector Service

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

Cloud Storage permissions

Permission	Included in roles
`storage.anywhereCaches.create`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.anywhereCaches.disable`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.anywhereCaches.get`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.anywhereCaches.list`	Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.anywhereCaches.pause`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.anywhereCaches.resume`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.anywhereCaches.update`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.bucketOperations.cancel`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.bucketOperations.get`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.bucketOperations.list`	Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Firebase Admin (`roles/firebase.admin`) CA Service Admin (`roles/privateca.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Velostrata Manager (`roles/cloudmigration.inframanager`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) CA Service Operation Manager (`roles/privateca.caManager`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. AI Edge Portal Service Agent (`roles/aiedgeportal.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine Standard Environment Service Agent (`roles/appengine.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.createTagBinding`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Tag User (`roles/resourcemanager.tagUser`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Velostrata Manager (`roles/cloudmigration.inframanager`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.deleteTagBinding`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Tag User (`roles/resourcemanager.tagUser`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.enableObjectRetention`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.get`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Dataflow Admin (`roles/dataflow.admin`) Firebase Admin (`roles/firebase.admin`) Firebase Editor (`roles/firebase.editor`) Firebase Viewer (`roles/firebase.viewer`) Storage Admin (`roles/storage.admin`) Storage Bucket Viewer (`roles/storage.bucketViewer`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Velostrata Manager (`roles/cloudmigration.inframanager`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Worker (`roles/dataflow.worker`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. AI Edge Portal Service Agent (`roles/aiedgeportal.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine Standard Environment Service Agent (`roles/appengine.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataplex Discovery Service Agent (`roles/dataplex.discoveryServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Generative Language Service Agent (`roles/generativelanguage.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Vector Search Service Agent (`roles/vectorsearch.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.getIamPolicy`	Firebase Admin (`roles/firebase.admin`) Firebase Editor (`roles/firebase.editor`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.getIpFilter`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.getObjectInsights`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Firebase Admin (`roles/firebase.admin`) Firebase Editor (`roles/firebase.editor`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Bucket Viewer (`roles/storage.bucketViewer`) Storage Editor (`roles/storage.editor`) Storage Viewer (`roles/storage.viewer`) Workload Manager Admin (`roles/workloadmanager.admin`) Velostrata Manager (`roles/cloudmigration.inframanager`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Workload Manager Deployment Admin (`roles/workloadmanager.deploymentAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. AI Edge Portal Service Agent (`roles/aiedgeportal.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Firebase Admin (`roles/firebase.admin`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Viewer (`roles/storage.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Firebase Admin (`roles/firebase.admin`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Viewer (`roles/storage.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.relocate`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.restore`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.setIamPolicy`	Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.setIpFilter`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.update`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Velostrata Manager (`roles/cloudmigration.inframanager`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Chronicle SOAR Service Agent (`roles/chronicle.soarServiceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.buckets.viewIntelligenceDetails`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Viewer (`roles/storage.viewer`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.folders.create`	Owner (`roles/owner`) Editor (`roles/editor`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.folders.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.folders.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Application Design Center Admin (`roles/designcenter.admin`) Designcenter Editor (`roles/designcenter.editor`) Application Design Center Viewer (`roles/designcenter.viewer`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Storage Viewer (`roles/storage.viewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.folders.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Application Design Center Admin (`roles/designcenter.admin`) Designcenter Editor (`roles/designcenter.editor`) Application Design Center Viewer (`roles/designcenter.viewer`) Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Storage Viewer (`roles/storage.viewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.folders.rename`	Owner (`roles/owner`) Editor (`roles/editor`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.hmacKeys.create`	Owner (`roles/owner`) Editor (`roles/editor`) Storage Editor (`roles/storage.editor`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`storage.hmacKeys.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Storage Editor (`roles/storage.editor`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.hmacKeys.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Storage Editor (`roles/storage.editor`) Storage Viewer (`roles/storage.viewer`) Support User (`roles/iam.supportUser`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.hmacKeys.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Editor (`roles/storage.editor`) Storage Viewer (`roles/storage.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.hmacKeys.update`	Owner (`roles/owner`) Editor (`roles/editor`) Storage Editor (`roles/storage.editor`) Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)
`storage.intelligenceConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Editor (`roles/storage.editor`) Storage Viewer (`roles/storage.viewer`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.intelligenceConfigs.update`	Owner (`roles/owner`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.managedFolders.create`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.managedFolders.delete`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.managedFolders.get`	Application Design Center Admin (`roles/designcenter.admin`) Designcenter Editor (`roles/designcenter.editor`) Application Design Center Viewer (`roles/designcenter.viewer`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.managedFolders.getIamPolicy`	Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.managedFolders.list`	Application Design Center Admin (`roles/designcenter.admin`) Designcenter Editor (`roles/designcenter.editor`) Application Design Center Viewer (`roles/designcenter.viewer`) Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.managedFolders.setIamPolicy`	Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Firebase Develop Admin (`roles/firebase.developAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.multipartUploads.abort`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.multipartUploads.create`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.multipartUploads.list`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.multipartUploads.listParts`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.create`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Dataflow Admin (`roles/dataflow.admin`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Firebase Rules System (`roles/firebaserules.system`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Task Worker (`roles/bigquerymigration.worker`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Worker (`roles/dataflow.worker`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. AI Edge Portal Service Agent (`roles/aiedgeportal.serviceAgent`) Vertex AI Agent Sandbox Service Agent (`roles/aiplatform.agentSandboxServiceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Customer Engagement Suite Service Agent (`roles/ces.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Vector Search Service Agent (`roles/vectorsearch.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.createContext`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object Creator (`roles/storage.objectCreator`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Annotation Generator Service (`roles/storage.annotationGeneratorService`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.delete`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Firebase Rules System (`roles/firebaserules.system`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode Service Output (`roles/storage.expressModeServiceOutput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. AI Edge Portal Service Agent (`roles/aiedgeportal.serviceAgent`) Vertex AI Agent Sandbox Service Agent (`roles/aiplatform.agentSandboxServiceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Customer Engagement Suite Service Agent (`roles/ces.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.deleteContext`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Storage Annotation Generator Service (`roles/storage.annotationGeneratorService`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.get`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Dataflow Admin (`roles/dataflow.admin`) Application Design Center Admin (`roles/designcenter.admin`) Designcenter Editor (`roles/designcenter.editor`) Application Design Center Viewer (`roles/designcenter.viewer`) Firebase Admin (`roles/firebase.admin`) Firebase Editor (`roles/firebase.editor`) Firebase Viewer (`roles/firebase.viewer`) Firebase Rules System (`roles/firebaserules.system`) Cloud Run Builder (`roles/run.builder`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) App Management Viewer (`roles/apphub.appManagementViewer`) Container Registry -> Artifact Registry Migration Admin (`roles/artifactregistry.containerRegistryMigrationAdmin`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Task Worker (`roles/bigquerymigration.worker`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Cloud Hub Operator (`roles/cloudhub.operator`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Firebase Test Lab Viewer (`roles/cloudtestservice.testViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataflow Worker (`roles/dataflow.worker`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Storage Annotation Generator Service (`roles/storage.annotationGeneratorService`) Storage Express Mode Service Output (`roles/storage.expressModeServiceOutput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. AI Edge Portal Service Agent (`roles/aiedgeportal.serviceAgent`) Vertex AI Agent Sandbox Service Agent (`roles/aiplatform.agentSandboxServiceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Extension Service Agent (`roles/aiplatform.extensionServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Customer Engagement Suite Service Agent (`roles/ces.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Compliance Scanning Service Agent (`roles/compliancescanning.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) [Deprecated] Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Container Scanner Service Agent (`roles/containerscanning.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataplex Discovery Service Agent (`roles/dataplex.discoveryServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Generative Language Service Agent (`roles/generativelanguage.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Managed Flink Service Agent (`roles/managedflink.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Migration Center Service Agent (`roles/migrationcenter.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Vector Search Service Agent (`roles/vectorsearch.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.getIamPolicy`	Firebase Admin (`roles/firebase.admin`) Firebase Editor (`roles/firebase.editor`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.list`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Dataflow Admin (`roles/dataflow.admin`) Application Design Center Admin (`roles/designcenter.admin`) Designcenter Editor (`roles/designcenter.editor`) Application Design Center Viewer (`roles/designcenter.viewer`) Firebase Admin (`roles/firebase.admin`) Firebase Editor (`roles/firebase.editor`) Firebase Viewer (`roles/firebase.viewer`) Firebase Rules System (`roles/firebaserules.system`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Storage Object Viewer (`roles/storage.objectViewer`) Workload Manager Admin (`roles/workloadmanager.admin`) App Management Viewer (`roles/apphub.appManagementViewer`) Container Registry -> Artifact Registry Migration Admin (`roles/artifactregistry.containerRegistryMigrationAdmin`) Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Task Orchestrator (`roles/bigquerymigration.orchestrator`) Task Worker (`roles/bigquerymigration.worker`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Cloud Hub Operator (`roles/cloudhub.operator`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Firebase Test Lab Viewer (`roles/cloudtestservice.testViewer`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Environment and Storage Object User (`roles/composer.environmentAndStorageObjectUser`) Environment and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Storage Annotation Generator Service (`roles/storage.annotationGeneratorService`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode Service Output (`roles/storage.expressModeServiceOutput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Workload Manager Deployment Admin (`roles/workloadmanager.deploymentAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Agent Sandbox Service Agent (`roles/aiplatform.agentSandboxServiceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Compliance Scanning Service Agent (`roles/compliancescanning.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) [Deprecated] Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Container Scanner Service Agent (`roles/containerscanning.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Dataplex Discovery Service Agent (`roles/dataplex.discoveryServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Firestore Service Agent (`roles/firestore.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Serverless Integrations Service Agent (`roles/runapps.serviceAgent`) SaaS Service Management Service Agent (`roles/saasservicemgmt.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Stream Service Agent (`roles/stream.serviceAgent`) Vector Search Service Agent (`roles/vectorsearch.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.move`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.overrideUnlockedRetention`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.restore`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.setIamPolicy`	Firebase Admin (`roles/firebase.admin`) Security Admin (`roles/iam.securityAdmin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Firebase Develop Admin (`roles/firebase.developAdmin`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.setRetention`	Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.update`	Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Firebase Rules System (`roles/firebaserules.system`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Velostrata Storage Access (`roles/cloudmigration.storageaccess`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Storage Annotation Generator Service (`roles/storage.annotationGeneratorService`) Storage Express Mode Service Input (`roles/storage.expressModeServiceInput`) Storage Express Mode User Access (`roles/storage.expressModeUserAccess`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Customer Engagement Suite Service Agent (`roles/ces.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DesignCenter Service Agent (`roles/designcenter.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Cluster Director Service Agent (`roles/hypercomputecluster.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Live Stream Service Agent (`roles/livestream.serviceAgent`) Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Route Optimization Service Agent (`roles/routeoptimization.serviceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)
`storage.objects.updateContext`	Application Design Center Admin (`roles/designcenter.admin`) Firebase Admin (`roles/firebase.admin`) Storage Admin (`roles/storage.admin`) Storage Folder Admin (`roles/storage.folderAdmin`) Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Storage Object Admin (`roles/storage.objectAdmin`) Storage Object User (`roles/storage.objectUser`) Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Composer Worker (`roles/composer.worker`) Dataproc Worker (`roles/dataproc.worker`) Application Design Center User (`roles/designcenter.user`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Storage Annotation Generator Service (`roles/storage.annotationGeneratorService`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataproc Service Agent (`roles/dataproc.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`)

Cloud Storage roles and permissions

Cloud Storage roles

Storage Admin

Storage Bucket Viewer Beta

Storage Editor

Storage Folder Admin

Storage Legacy Bucket Owner

Storage Legacy Bucket Reader

Storage Legacy Bucket Writer

Storage Legacy Object Owner

Storage Legacy Object Reader

Storage Object Admin

Storage Object Creator

Storage Object User

Storage Object Viewer

Storage Viewer

Storage Annotation Generator Service Beta

Storage Express Mode Service Input Beta

Storage Express Mode Service Output Beta

Storage Express Mode User Access Beta

Storage HMAC Key Admin

Storage Insights Collector Service

Cloud Storage permissions

storage.anywhereCaches.create

storage.anywhereCaches.disable

storage.anywhereCaches.get

storage.anywhereCaches.list

storage.anywhereCaches.pause

storage.anywhereCaches.resume

storage.anywhereCaches.update

storage.bucketOperations.cancel

storage.bucketOperations.get

storage.bucketOperations.list

storage.buckets.create

storage.buckets.createTagBinding

storage.buckets.delete

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.getObjectInsights

storage.buckets.list

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.buckets.viewIntelligenceDetails

storage.folders.create

storage.folders.delete

storage.folders.get

storage.folders.list

storage.folders.rename

storage.hmacKeys.create

storage.hmacKeys.delete

storage.hmacKeys.get

storage.hmacKeys.list

storage.hmacKeys.update

storage.intelligenceConfigs.get

storage.intelligenceConfigs.update

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.getIamPolicy

storage.managedFolders.list

storage.managedFolders.setIamPolicy

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.list

storage.multipartUploads.listParts

storage.objects.create

storage.objects.createContext

storage.objects.delete

storage.objects.deleteContext

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

Storage Bucket Viewer ^Beta

Storage Annotation Generator Service ^Beta

Storage Express Mode Service Input ^Beta

Storage Express Mode Service Output ^Beta

Storage Express Mode User Access ^Beta

`storage.anywhereCaches.create`

`storage.anywhereCaches.disable`

`storage.anywhereCaches.get`

`storage.anywhereCaches.list`

`storage.anywhereCaches.pause`

`storage.anywhereCaches.resume`

`storage.anywhereCaches.update`

`storage.bucketOperations.cancel`

`storage.bucketOperations.get`

`storage.bucketOperations.list`

`storage.buckets.create`

`storage.buckets.createTagBinding`

`storage.buckets.delete`

`storage.buckets.deleteTagBinding`

`storage.buckets.enableObjectRetention`

`storage.buckets.get`

`storage.buckets.getIamPolicy`

`storage.buckets.getIpFilter`

`storage.buckets.getObjectInsights`

`storage.buckets.list`

`storage.buckets.listEffectiveTags`

`storage.buckets.listTagBindings`

`storage.buckets.relocate`

`storage.buckets.restore`

`storage.buckets.setIamPolicy`

`storage.buckets.setIpFilter`

`storage.buckets.update`

`storage.buckets.viewIntelligenceDetails`

`storage.folders.create`

`storage.folders.delete`

`storage.folders.get`

`storage.folders.list`

`storage.folders.rename`

`storage.hmacKeys.create`

`storage.hmacKeys.delete`

`storage.hmacKeys.get`

`storage.hmacKeys.list`

`storage.hmacKeys.update`

`storage.intelligenceConfigs.get`

`storage.intelligenceConfigs.update`

`storage.managedFolders.create`

`storage.managedFolders.delete`

`storage.managedFolders.get`

`storage.managedFolders.getIamPolicy`

`storage.managedFolders.list`

`storage.managedFolders.setIamPolicy`

`storage.multipartUploads.abort`

`storage.multipartUploads.create`

`storage.multipartUploads.list`

`storage.multipartUploads.listParts`

`storage.objects.create`

`storage.objects.createContext`

`storage.objects.delete`

`storage.objects.deleteContext`

`storage.objects.get`

`storage.objects.getIamPolicy`

`storage.objects.list`

`storage.objects.move`

`storage.objects.overrideUnlockedRetention`

`storage.objects.restore`

`storage.objects.setIamPolicy`

`storage.objects.setRetention`

`storage.objects.update`

`storage.objects.updateContext`