このページの一部またはすべての情報は、S3NS の Trusted Cloud に適用されない場合があります。

Cloud Storage に適用される IAM のロール

このドキュメントでは、Cloud Storage の Identity and Access Management（IAM）のロールと権限について説明します。

事前定義ロール

次の表に、Cloud Storage に関係する Identity and Access Management（IAM）ロールと、各ロールに含まれている権限を示します。特に断りのない限り、これらのロールはプロジェクト、バケット、マネージドフォルダのいずれかに適用できます。ただし、以前のロールを付与できるのは個々のバケットに対してのみです。

バケットへのアクセスを制御する方法については、IAM 権限の使用をご覧ください。マネージドフォルダへのアクセスを制御する方法については、マネージドフォルダでの IAM の使用をご覧ください。

Role Permissions

Role	Permissions
Storage Admin (`roles/storage.admin`) Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role: Bucket	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `firebase.projects.get` `monitoring.timeSeries.create` `orgpolicy.policy.get` `recommender.iamPolicyInsights.` `recommender.iamPolicyInsights.get` `recommender.iamPolicyInsights.list` `recommender.iamPolicyInsights.update` `recommender.iamPolicyRecommendations.` `recommender.iamPolicyRecommendations.get` `recommender.iamPolicyRecommendations.list` `recommender.iamPolicyRecommendations.update` `recommender.storageBucketSoftDeleteInsights.` `recommender.storageBucketSoftDeleteInsights.get` `recommender.storageBucketSoftDeleteInsights.list` `recommender.storageBucketSoftDeleteInsights.update` `recommender.storageBucketSoftDeleteRecommendations.` `recommender.storageBucketSoftDeleteRecommendations.get` `recommender.storageBucketSoftDeleteRecommendations.list` `recommender.storageBucketSoftDeleteRecommendations.update` `resourcemanager.hierarchyNodes.listEffectiveTags` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.` `storage.buckets.create` `storage.buckets.createTagBinding` `storage.buckets.delete` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.getObjectInsights` `storage.buckets.list` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.intelligenceConfigs.` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Bucket Viewer ^Beta (`roles/storage.bucketViewer`) Grants permission to view buckets and their metadata, excluding IAM policies.	`storage.buckets.get` `storage.buckets.list`
Storage Express Mode Service Input ^Beta (`roles/storage.expressModeServiceInput`) Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.	`storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.update`
Storage Express Mode Service Output ^Beta (`roles/storage.expressModeServiceOutput`) Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.	`storage.objects.delete` `storage.objects.get` `storage.objects.list`
Storage Express Mode User Access ^Beta (`roles/storage.expressModeUserAccess`) Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.	`orgpolicy.policy.get` `storage.buckets.get` `storage.buckets.list` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.restore` `storage.objects.update`
Storage Folder Admin (`roles/storage.folderAdmin`) Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Full control of Cloud Storage HMAC keys.	`firebase.projects.get` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.hmacKeys.*` `storage.hmacKeys.create` `storage.hmacKeys.delete` `storage.hmacKeys.get` `storage.hmacKeys.list` `storage.hmacKeys.update`
Storage Insights Collector Service (`roles/storage.insightsCollectorService`) Read-only access to Cloud Storage Inventory metadata for Storage Insights.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.get` `storage.buckets.getObjectInsights`
Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.anywhereCaches.` `storage.anywhereCaches.create` `storage.anywhereCaches.disable` `storage.anywhereCaches.get` `storage.anywhereCaches.list` `storage.anywhereCaches.pause` `storage.anywhereCaches.resume` `storage.anywhereCaches.update` `storage.bucketOperations.` `storage.bucketOperations.cancel` `storage.bucketOperations.get` `storage.bucketOperations.list` `storage.buckets.createTagBinding` `storage.buckets.deleteTagBinding` `storage.buckets.enableObjectRetention` `storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.getIpFilter` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.relocate` `storage.buckets.restore` `storage.buckets.setIamPolicy` `storage.buckets.setIpFilter` `storage.buckets.update` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.getIamPolicy` `storage.managedFolders.list` `storage.managedFolders.setIamPolicy` `storage.multipartUploads.*` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.list` `storage.objects.list`
Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.buckets.get` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.list` `storage.objects.restore` `storage.objects.setRetention`
Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.overrideUnlockedRetention` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role: Bucket	`storage.objects.get`
Storage Object Admin (`roles/storage.objectAdmin`) Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role: Bucket	`monitoring.timeSeries.create` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.*` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.getIamPolicy` `storage.objects.list` `storage.objects.move` `storage.objects.overrideUnlockedRetention` `storage.objects.restore` `storage.objects.setIamPolicy` `storage.objects.setRetention` `storage.objects.update`
Storage Object Creator (`roles/storage.objectCreator`) Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role: Bucket	`orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.create` `storage.managedFolders.create` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.listParts` `storage.objects.create`
Storage Object User (`roles/storage.objectUser`) Access to create, read, update and delete objects and multipart uploads in GCS.	`monitoring.timeSeries.create` `orgpolicy.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.` `storage.folders.create` `storage.folders.delete` `storage.folders.get` `storage.folders.list` `storage.folders.rename` `storage.managedFolders.create` `storage.managedFolders.delete` `storage.managedFolders.get` `storage.managedFolders.list` `storage.multipartUploads.` `storage.multipartUploads.abort` `storage.multipartUploads.create` `storage.multipartUploads.list` `storage.multipartUploads.listParts` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.move` `storage.objects.restore` `storage.objects.update`
Storage Object Viewer (`roles/storage.objectViewer`) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role: Bucket	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.folders.get` `storage.folders.list` `storage.managedFolders.get` `storage.managedFolders.list` `storage.objects.get` `storage.objects.list`

Storage Admin

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

Bucket

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

recommender.storageBucketSoftDeleteInsights.get
recommender.storageBucketSoftDeleteInsights.list
recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

recommender.storageBucketSoftDeleteRecommendations.get
recommender.storageBucketSoftDeleteRecommendations.list
recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.intelligenceConfigs.*

storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage Bucket Viewer ^Beta

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

Storage Express Mode Service Input ^Beta

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

Storage Express Mode Service Output ^Beta

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

Storage Express Mode User Access ^Beta

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

Storage Folder Admin

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage HMAC Key Admin

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

Storage Insights Collector Service

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

Storage Legacy Bucket Owner

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.anywhereCaches.*

storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update

storage.bucketOperations.*

storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.*

storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Bucket Reader

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

Storage Legacy Bucket Writer

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

Storage Legacy Object Owner

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

Storage Legacy Object Reader

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

Storage Object Admin

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

Bucket

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.move
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update

Storage Object Creator

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

Storage Object User

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

storage.folders.create
storage.folders.delete
storage.folders.get
storage.folders.list
storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

Storage Object Viewer

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

事前定義された Storage Insights のロール

次の表に、Storage Insights に関連付けられている IAM ロールと、各ロールに含まれている権限を示します。

Role Permissions

Role	Permissions
Storage Insights Admin (`roles/storageinsights.admin`) Full access to Storage Insights resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storageinsights.*` `storageinsights.datasetConfigs.create` `storageinsights.datasetConfigs.delete` `storageinsights.datasetConfigs.get` `storageinsights.datasetConfigs.linkDataset` `storageinsights.datasetConfigs.list` `storageinsights.datasetConfigs.unlinkDataset` `storageinsights.datasetConfigs.update` `storageinsights.locations.get` `storageinsights.locations.list` `storageinsights.operations.cancel` `storageinsights.operations.delete` `storageinsights.operations.get` `storageinsights.operations.list` `storageinsights.reportConfigs.create` `storageinsights.reportConfigs.delete` `storageinsights.reportConfigs.get` `storageinsights.reportConfigs.list` `storageinsights.reportConfigs.update` `storageinsights.reportDetails.get` `storageinsights.reportDetails.list`
Storage Insights Analyst (`roles/storageinsights.analyst`) Data access to Storage Insights.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storageinsights.datasetConfigs.get` `storageinsights.datasetConfigs.linkDataset` `storageinsights.datasetConfigs.list` `storageinsights.datasetConfigs.unlinkDataset` `storageinsights.locations.` `storageinsights.locations.get` `storageinsights.locations.list` `storageinsights.operations.get` `storageinsights.operations.list` `storageinsights.reportConfigs.get` `storageinsights.reportConfigs.list` `storageinsights.reportDetails.` `storageinsights.reportDetails.get` `storageinsights.reportDetails.list`
StorageInsights Service Agent (`roles/storageinsights.serviceAgent`) Permissions for Insights to write reports into customer project Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.datasets.create` `serviceusage.services.use` `storageinsights.reportDetails.list`
Storage Insights Viewer (`roles/storageinsights.viewer`) Read-only access to Storage Insights resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storageinsights.datasetConfigs.get` `storageinsights.datasetConfigs.list` `storageinsights.locations.` `storageinsights.locations.get` `storageinsights.locations.list` `storageinsights.operations.get` `storageinsights.operations.list` `storageinsights.reportConfigs.get` `storageinsights.reportConfigs.list` `storageinsights.reportDetails.` `storageinsights.reportDetails.get` `storageinsights.reportDetails.list`

Storage Insights Admin

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

storageinsights.datasetConfigs.create
storageinsights.datasetConfigs.delete
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.datasetConfigs.update
storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.cancel
storageinsights.operations.delete
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.create
storageinsights.reportConfigs.delete
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportConfigs.update
storageinsights.reportDetails.get
storageinsights.reportDetails.list

Storage Insights Analyst

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

storageinsights.locations.get
storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

storageinsights.reportDetails.get
storageinsights.reportDetails.list

StorageInsights Service Agent

(roles/storageinsights.serviceAgent)

Permissions for Insights to write reports into customer project

bigquery.datasets.create

serviceusage.services.use

storageinsights.reportDetails.list

Storage Insights Viewer

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

storageinsights.locations.get
storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

storageinsights.reportDetails.get
storageinsights.reportDetails.list

基本ロール

基本ロールは、IAM の導入前に存在していたロールです。これらのロールには固有の特性があります。

基本ロールはプロジェクト全体にのみ付与でき、プロジェクト内の個々のバケットには付与できません。プロジェクトに付与するその他のロールと同様に、基本ロールはプロジェクト内のすべてのバケットとオブジェクトに適用されます。
基本ロールには、このセクションでは説明していない他の Trusted Cloudサービスのための追加の権限が含まれています。基本ロールで付与される権限については、基本ロールをご覧ください。
それぞれの基本ロールにはコンビニエンス値があり、これを使うと、基本ロールをグループのように使用できます。この方法で使用すると、基本ロールを持つどのプリンシパルもそのグループの一部とみなされます。コンビニエンス値のアクセス権に基づいて、グループ内の全員にリソースへの追加のアクセス権が付与されます。
- コンビニエンス値は、バケットに対するロールを付与する際に使用できます。
- コンビニエンス値は、オブジェクトに ACL を設定する際に使用できます。
基本ロールは、Cloud Storage リソースに対するすべてのアクセス権を付与するものではありません。想定されるアクセス権の一部を付与し、想定される残りのアクセス権はコンビニエンス値を介して付与します。コンビニエンス値は、他の IAM プリンシパルと同様に手動で追加または削除できるため、プリンシパルが本来持つ可能性のあるアクセス権を取り消すこともできます。

コンビニエンス値によって基本ロールのプリンシパルに通常付与される追加のアクセス権については、変更可能な動作をご覧ください。

基本的な権限

次の表に、基本ロールに常に関連付けられている Cloud Storage の権限を示します。

ロール説明 Cloud Storage の権限

閲覧者（roles/viewer）プロジェクト内のバケットを一覧表示する権限、一覧表示するときにバケットのメタデータ（ACL を除く）を閲覧する権限、プロジェクト内の HMAC キーを一覧表示して取得する権限を付与します。 storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.get
storage.hmacKeys.list

編集者（roles/editor）プロジェクト内のバケットの作成、一覧表示、削除を行う権限、一覧表示するときにバケットメタデータ（ACL を除く）を閲覧する権限、プロジェクト内の HMAC キーを制御する権限を付与します。 storage.buckets.create
storage.buckets.delete
storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.*

ロール	説明	Cloud Storage の権限
閲覧者（`roles/viewer`）	プロジェクト内のバケットを一覧表示する権限、一覧表示するときにバケットのメタデータ（ACL を除く）を閲覧する権限、プロジェクト内の HMAC キーを一覧表示して取得する権限を付与します。	`storage.buckets.getIpFilter` `storage.buckets.list` `storage.hmacKeys.get` `storage.hmacKeys.list`
編集者（`roles/editor`）	プロジェクト内のバケットの作成、一覧表示、削除を行う権限、一覧表示するときにバケットメタデータ（ACL を除く）を閲覧する権限、プロジェクト内の HMAC キーを制御する権限を付与します。	`storage.buckets.create` `storage.buckets.delete` `storage.buckets.getIpFilter` `storage.buckets.list` `storage.hmacKeys.*`
オーナー（`roles/owner`）	プロジェクト内のバケットの作成、一覧表示、削除を行う権限、一覧表示の際にバケットメタデータ（ACL を除く）を閲覧する権限、タグバインディングの作成、削除、一覧表示を行う権限、プロジェクトの HMAC キーを制御する権限、プロジェクト、フォルダ、組織で Storage Intelligence 構成を有効化、無効化、更新、取得する権限を付与します。このロールのプリンシパルは、 Trusted Cloud by S3NS 内でプロジェクトプリンシパルのロールの変更や請求先の修正などの管理作業を行うことができます。	`storage.buckets.create` `storage.buckets.delete` `storage.buckets.list` `storage.buckets.createTagBinding` `storage.buckets.deleteTagBinding` `storage.buckets.getIpFilter` `storage.buckets.listEffectiveTags` `storage.buckets.listTagBindings` `storage.buckets.setIpFilter` `storage.hmacKeys.*` `storage.intelligenceConfigs.get` `storage.intelligenceConfigs.update`

オーナー（roles/owner）

プロジェクト内のバケットの作成、一覧表示、削除を行う権限、一覧表示の際にバケットメタデータ（ACL を除く）を閲覧する権限、タグバインディングの作成、削除、一覧表示を行う権限、プロジェクトの HMAC キーを制御する権限、プロジェクト、フォルダ、組織で Storage Intelligence 構成を有効化、無効化、更新、取得する権限を付与します。

このロールのプリンシパルは、 Trusted Cloud by S3NS 内でプロジェクトプリンシパルのロールの変更や請求先の修正などの管理作業を行うことができます。

storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIpFilter
storage.hmacKeys.*
storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

変更可能な動作

多くの場合、コンビニエンス値のため、基本ロールを付与されたプリンシパルにはプロジェクトのバケットとオブジェクトに対する追加のアクセス権が付与されます。バケットを作成すると、コンビニエンス値に特定のバケットレベルのアクセス権が付与されます。あとでバケットの IAM ポリシーとオブジェクトの ACL を編集して、アクセス権を削除または変更することもできます。

均一なバケットレベルのアクセスが有効になっているバケットを作成すると、コンビニエンス値により次のアクセス権が付与されます。

roles/viewer が付与されたプリンシパルには、バケットの roles/storage.legacyBucketReader ロールと roles/storage.legacyObjectReader ロールが付与されます。
roles/editor が付与されたプリンシパルには、バケットの roles/storage.legacyBucketOwner ロールと roles/storage.legacyObjectOwner ロールが付与されます。
roles/owner が付与されたプリンシパルには、バケットの roles/storage.legacyBucketOwner ロールと roles/storage.legacyObjectOwner ロールが付与されます。

均一なバケットレベルのアクセスが有効になっていないバケットを作成すると、コンビニエンス値により次のアクセス権が付与されます。

roles/viewer が付与されたプリンシパルには、バケットの roles/storage.legacyBucketReader ロールが付与されます。
roles/editor が付与されたプリンシパルには、バケットの roles/storage.legacyBucketOwner ロールが付与されます。
roles/owner が付与されたプリンシパルには、バケットの roles/storage.legacyBucketOwner ロールが付与されます。
また、バケットにはデフォルトオブジェクトのアクセス制御リスト（ACL）があります。多くの場合、このデフォルトの ACL はバケット内の新しいオブジェクトに適用され、コンビニエンス値への追加アクセス権を付与します。

カスタムロール

指定した権限のバンドルを含む独自のロールを定義することが必要になる場合があります。これをサポートするために、IAM にはカスタムロールが用意されています。

次のステップ

IAM 権限を使用して、バケットとオブジェクトへのアクセスを制御する。
Cloud Storage に適用される各 IAM 権限について学習する。
利用可能な Cloud Storage の IAM リファレンスで、さまざまなツールや API で操作を行う際に必要になる IAM 権限などを確認する。
他の Trusted Cloud by S3NS ロールについては、ロールについてをご覧ください。

Cloud Storage に適用される IAM のロール

事前定義ロール

Storage Admin

Storage Bucket Viewer Beta

Storage Express Mode Service Input Beta

Storage Express Mode Service Output Beta

Storage Express Mode User Access Beta

Storage Folder Admin

Storage HMAC Key Admin

Storage Insights Collector Service

Storage Legacy Bucket Owner

Storage Legacy Bucket Reader

Storage Legacy Bucket Writer

Storage Legacy Object Owner

Storage Legacy Object Reader

Storage Object Admin

Storage Object Creator

Storage Object User

Storage Object Viewer

事前定義された Storage Insights のロール

Storage Insights Admin

Storage Insights Analyst

StorageInsights Service Agent

Storage Insights Viewer

基本ロール

基本的な権限

変更可能な動作

カスタムロール

次のステップ

Storage Bucket Viewer ^Beta

Storage Express Mode Service Input ^Beta

Storage Express Mode Service Output ^Beta

Storage Express Mode User Access ^Beta