Permissions and roles

Storage Transfer Service uses Identity and Access Management (IAM) permissions and roles to control who can access Storage Transfer Service resources. The main types of resources available in Storage Transfer Service are jobs, operations, and agent pools. In the IAM policy hierarchy, jobs are child resources of projects, and operations are child resources of jobs.

To grant access to a resource, you assign one or more permissions or roles to a user, group, or service account.

Permissions

You can grant the following Storage Transfer Service permissions:

Transfer project permission

Permission | Description
storagetransfer.projects.getServiceAccount | Can read the GoogleServiceAccount used by Storage Transfer Service to access Cloud Storage buckets.

Transfer job permissions

The following table describes permissions for Storage Transfer Service jobs:

Permission | Description
storagetransfer.jobs.create | Can create new transfer jobs.
storagetransfer.jobs.delete | Can delete existing transfer jobs. Transfer jobs are deleted by calling the patch method; even so, a principal must hold this permission to delete a job, or the call fails with a permission error.
storagetransfer.jobs.get | Can retrieve specific jobs.
storagetransfer.jobs.list | Can list all transfer jobs.
storagetransfer.jobs.run | Can run all transfer jobs.
storagetransfer.jobs.update | Can update transfer job configurations without deleting them.

Transfer operations permissions

The following table describes permissions for Storage Transfer Service operations:

Permission | Description
storagetransfer.operations.assign | Used by transfer agents to assign operations.
storagetransfer.operations.cancel | Can cancel transfer operations.
storagetransfer.operations.get | Can get details of transfer operations.
storagetransfer.operations.list | Can list all transfer job operations.
storagetransfer.operations.pause | Can pause transfer operations.
storagetransfer.operations.report | Used by transfer agents to report operation status.
storagetransfer.operations.resume | Can resume paused transfer operations.

Transfer agent pool permissions

The following table describes permissions for file system transfer agent pools:

Permission | Description
storagetransfer.agentpools.create | Can create agent pools.
storagetransfer.agentpools.update | Can update agent pools.
storagetransfer.agentpools.delete | Can delete agent pools.
storagetransfer.agentpools.get | Can get information on specific agent pools.
storagetransfer.agentpools.list | Can list information for all agent pools in the project.
storagetransfer.agentpools.report | Used by transfer agents to report status.

Predefined roles

This section describes the predefined roles for Storage Transfer Service. Roles are the preferred way of setting IAM permissions.

Role comparison

You can assign the following project role or Storage Transfer Service predefined roles:

In the table, Editor is the basic role roles/editor; Admin, User, and Viewer are roles/storagetransfer.admin, roles/storagetransfer.user, and roles/storagetransfer.viewer. A check mark (✓) means the role grants the capability; a dash means it does not.

Capability | Editor | Admin | User | Viewer
List/get jobs | ✓ | ✓ | ✓ | ✓
Create jobs | ✓ | ✓ | ✓ | -
Run jobs | ✓ | ✓ | ✓ | -
Update jobs | ✓ | ✓ | ✓ | -
Delete jobs | ✓ | ✓ | - | -
List/get transfer operations | ✓ | ✓ | ✓ | ✓
Pause/resume transfer operations | ✓ | ✓ | ✓ | -
Read the Google service account used by Storage Transfer Service to access Cloud Storage buckets | ✓ | ✓ | ✓ | ✓
List agent pools | ✓ | ✓ | ✓ | ✓
Create agent pools | ✓ | ✓ | ✓ | -
Update agent pools | ✓ | ✓ | ✓ | -
Delete agent pools | ✓ | ✓ | - | -
Get agent pools | ✓ | ✓ | ✓ | ✓
Read or set project bandwidth | ✓ | ✓ | - | -

Role details

The following entries describe in detail the predefined roles for Storage Transfer Service. Each entry gives the role name, its description, and its included permissions.
Storage Transfer Admin
(roles/storagetransfer.admin)

Provides all Storage Transfer Service permissions, including deleting jobs.

Rationale: This is the highest-level role with the broadest responsibilities, the superuser who supports their colleagues as they perform transfers. This is most suitable for people that will administer transfers, such as IT admins.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.*
Storage Transfer User
(roles/storagetransfer.user)

Provides permissions for the user to create, get, update, and list transfer jobs within the project. However, they can't delete their own jobs.

Rationale: This role separates creating and maintaining jobs from deleting jobs. It is best suited for users who are required to execute transfers as part of their job function, such as an employee. Because this role doesn't allow transfer jobs to be deleted, auditors or security personnel can view a fully preserved record of past transfers.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.agentpools.create
  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list
  • storagetransfer.agentpools.report
  • storagetransfer.agentpools.update
  • storagetransfer.jobs.create
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.jobs.run
  • storagetransfer.jobs.update
  • storagetransfer.operations.*
  • storagetransfer.projects.getServiceAccount
Storage Transfer Viewer
(roles/storagetransfer.viewer)

Provides permissions to list and get jobs and transfer operations within the project. The user can't schedule, update, or delete jobs.

Rationale: The viewer role is intended for read-only access to view transfer jobs and operations. This role allows separating the report and auditing tasks from creating and maintaining jobs. This role is most suitable for users or internal teams that audit transfer usage, such as security, compliance, or business unit leaders.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.operations.get
  • storagetransfer.operations.list
  • storagetransfer.projects.getServiceAccount
Storage Transfer Agent (roles/storagetransfer.transferAgent)

Gives transfer agents the Storage Transfer Service permissions required to complete a transfer.

As of May 1, 2024, the pubsub permissions listed below are no longer required by transfer agents.

Grant this role to the user or service account being used by agents.

  • logging.logEntries.create
  • monitoring.timeSeries.create
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • storagetransfer.agentpools.report
  • storagetransfer.operations.assign
  • storagetransfer.operations.get
  • storagetransfer.operations.report
Storage Transfer Service Agent (roles/storagetransfer.serviceAgent)

Gives the Storage Transfer Service service agent the permissions required to create and modify Pub/Sub topics to communicate from Google Cloud to transfer agents.

Grant this role to the Storage Transfer Service service agent.

  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.publish
  • pubsub.topics.update

Custom roles

You can create and apply custom IAM roles to meet your organization's access requirements.

When creating custom roles, we recommend starting from the permission sets of the predefined roles, so that permissions that work together are included together.

The Google Cloud console will not work properly if the custom role is missing required permissions. For example, some parts of the Google Cloud console assume a role has read access to display an item before editing it, so a role with only write permissions may encounter Google Cloud console screens that don't work.
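The following Python helper is an added example, not code from this page or from Google. It encodes the predefined-role permission lists from the Role details section above, expands the wildcard entries (storagetransfer.* and storagetransfer.operations.*) against the permissions in the tables, picks the smallest predefined role that covers a set of required permissions, and checks a candidate custom role for the console caveat just described before rendering it in the file format accepted by gcloud iam roles create. The permission names are those on this page; the mapping of write verbs to the read permission the console needs, the "job runner" role, and its title are assumptions for illustration.

```python
"""Least-privilege role selection and custom-role checks for Storage Transfer
Service, built from the permission lists on this page (added example)."""
from fnmatch import fnmatchcase

# Every storagetransfer.* permission named in the tables on this page.
STS_PERMISSIONS = frozenset({
    "storagetransfer.projects.getServiceAccount",
    "storagetransfer.jobs.create", "storagetransfer.jobs.delete",
    "storagetransfer.jobs.get", "storagetransfer.jobs.list",
    "storagetransfer.jobs.run", "storagetransfer.jobs.update",
    "storagetransfer.operations.assign", "storagetransfer.operations.cancel",
    "storagetransfer.operations.get", "storagetransfer.operations.list",
    "storagetransfer.operations.pause", "storagetransfer.operations.report",
    "storagetransfer.operations.resume",
    "storagetransfer.agentpools.create", "storagetransfer.agentpools.delete",
    "storagetransfer.agentpools.get", "storagetransfer.agentpools.list",
    "storagetransfer.agentpools.report", "storagetransfer.agentpools.update",
})

# Included permissions of the three human-facing predefined roles, as listed
# under "Role details" (wildcards kept as written, resourcemanager.* omitted).
PREDEFINED_ROLES = {
    "roles/storagetransfer.viewer": [
        "storagetransfer.agentpools.get", "storagetransfer.agentpools.list",
        "storagetransfer.jobs.get", "storagetransfer.jobs.list",
        "storagetransfer.operations.get", "storagetransfer.operations.list",
        "storagetransfer.projects.getServiceAccount",
    ],
    "roles/storagetransfer.user": [
        "storagetransfer.agentpools.create", "storagetransfer.agentpools.get",
        "storagetransfer.agentpools.list", "storagetransfer.agentpools.report",
        "storagetransfer.agentpools.update",
        "storagetransfer.jobs.create", "storagetransfer.jobs.get",
        "storagetransfer.jobs.list", "storagetransfer.jobs.run",
        "storagetransfer.jobs.update",
        "storagetransfer.operations.*",
        "storagetransfer.projects.getServiceAccount",
    ],
    "roles/storagetransfer.admin": ["storagetransfer.*"],
}

# ASSUMPTION: the read permission the console needs on the same resource
# before it can display the item that a write verb modifies.
CONSOLE_READ_FOR = {"create": "list", "update": "get", "delete": "get",
                    "run": "get", "pause": "get", "resume": "get", "cancel": "get"}


def expand(patterns, universe=STS_PERMISSIONS):
    """Expand IAM wildcard entries (e.g. storagetransfer.operations.*) against
    the known permission set, returning concrete permission names."""
    expanded = set()
    for pattern in patterns:
        matches = {p for p in universe if fnmatchcase(p, pattern)}
        if not matches:
            raise ValueError(f"unknown permission or pattern: {pattern}")
        expanded |= matches
    return expanded


def least_privilege_role(required):
    """Return the predefined role with the fewest permissions that still grants
    every permission in `required`, or None if only a custom role would do."""
    needed = expand(required)
    fits = [(len(expand(perms)), name)
            for name, perms in PREDEFINED_ROLES.items()
            if needed <= expand(perms)]
    return min(fits)[1] if fits else None


def console_gaps(permissions):
    """Return (write_permission, missing_read_permission) pairs: a custom role
    containing such a gap can hit console screens that don't work."""
    granted = expand(permissions)
    gaps = []
    for perm in sorted(granted):
        resource, verb = perm.rsplit(".", 1)
        read = CONSOLE_READ_FOR.get(verb)
        if read and f"{resource}.{read}" not in granted:
            gaps.append((perm, f"{resource}.{read}"))
    return gaps


def custom_role_yaml(title, description, permissions):
    """Render a role file for `gcloud iam roles create ROLE_ID
    --project=PROJECT_ID --file=role.yaml`. Custom roles list permissions
    individually, so any wildcard is expanded first."""
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(expand(permissions))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Someone who only triggers existing jobs does not need roles/editor.
    print(least_privilege_role(["storagetransfer.jobs.run",
                                "storagetransfer.operations.list"]))
    # Hypothetical "job runner" custom role: run, but never update or delete.
    runner = ["storagetransfer.jobs.run", "storagetransfer.jobs.get",
              "storagetransfer.jobs.list", "storagetransfer.operations.get",
              "storagetransfer.operations.list"]
    print(console_gaps(runner))
    print(custom_role_yaml("STS Job Runner", "Run existing transfer jobs", runner))
```

Once a predefined role has been chosen, bind it at the project level with gcloud projects add-iam-policy-binding PROJECT_ID --member=user:USER_EMAIL --role=roles/storagetransfer.user (substituting the principal and role); prefer that over roles/editor, which grants far more than the transfer capabilities compared above. If console_gaps reports a pair, add the listed read permission to the custom role before creating it.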

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.