Set and manage IAM policies on buckets

Overview

This page describes how to set Identity and Access Management (IAM) policies on buckets, so you can control access to objects and managed folders within those buckets.

If you're looking for other methods of access control, see the following resources:

Note: IAM policies cannot be managed using the XML API.

Required roles

To get the permissions that you need to set and manage IAM policies for a bucket, ask your administrator to grant you the Storage Admin (roles/storage.admin) IAM role for the bucket.

This role contains the following permissions, which are required to set and manage IAM policies for buckets:

  • storage.buckets.get

  • storage.buckets.getIamPolicy

  • storage.buckets.setIamPolicy

  • storage.buckets.update

  • storage.buckets.list

    • This permission is only required if you plan on using the Google Cloud console to perform the tasks on this page.

You can also get these permissions with custom roles.

Add a principal to a bucket-level policy

For a list of roles associated with Cloud Storage, see IAM Roles. For information on entities to which you grant IAM roles, see Principal identifiers.

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

    Go to Buckets

  2. In the list of buckets, click the name of the bucket for which you want to grant a principal a role.

  3. Select the Permissions tab near the top of the page.

  4. Click the Grant access button.

    The Add principals dialog appears.

  5. In the New principals field, enter one or more identities that need access to your bucket.

  6. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  7. Click Save.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

Use the buckets add-iam-policy-binding command:

gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE

Where:

  • BUCKET_NAME is the name of the bucket you are granting the principal access to. For example, my-bucket.

  • PRINCIPAL_IDENTIFIER identifies who you are granting bucket access to. For example, user:jeffersonloveshiking@gmail.com. For a list of principal identifier formats, see Principal identifiers.

  • IAM_ROLE is the IAM role you are granting to the principal. For example, roles/storage.objectViewer.

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

#include "google/cloud/storage/client.h"
#include <algorithm>
#include <iostream>
#include <string>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();

  policy->set_version(3);
  bool found_binding = false;
  for (auto& binding : policy->bindings()) {
    // Only merge into the unconditional binding for this role; conditional
    // bindings are left as they are.
    if (binding.role() != role || binding.has_condition()) {
      continue;
    }
    found_binding = true;
    auto& members = binding.members();
    if (std::find(members.begin(), members.end(), member) ==
        members.end()) {
      members.emplace_back(member);
    }
  }
  // If the bucket has no unconditional binding for this role yet, create one;
  // without this step the member would silently not be granted anything.
  if (!found_binding) {
    policy->bindings().emplace_back(gcs::NativeIamBinding(role, {member}));
  }

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::move(updated).status();
  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Collections.Generic;

public class AddBucketIamMemberSample
{
    public Policy AddBucketIamMember(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string member = "serviceAccount:dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
        {
            RequestedPolicyVersion = 3
        });
        // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
        policy.Version = 3;

        Policy.BindingsData bindingToAdd = new Policy.BindingsData
        {
            Role = role,
            Members = new List<string> { member }
        };

        policy.Bindings.Add(bindingToAdd);
        var bucketIamPolicy = storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine($"Added {member} with role {role} " + $"to {bucketName}");
        return bucketIamPolicy;
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/iam"
	"cloud.google.com/go/storage"
)

// addBucketIAMMember adds the bucket IAM member to permission role.
func addBucketIAMMember(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	policy, err := bucket.IAM().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().Policy: %w", bucketName, err)
	}
	// Other valid prefixes are "serviceAccount:", "user:"
	// See the documentation for more values.
	// https://cloud.google.com/storage/docs/access-control/iam
	identity := "group:cloud-logs@google.com"
	var role iam.RoleName = "roles/storage.objectViewer"

	policy.Add(identity, role)
	if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().SetPolicy: %w", bucketName, err)
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintf(w, "Added %v with role %v to %v\n", identity, role, bucketName)
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AddBucketIamMember {
  /** Example of adding a member to the Bucket-level IAM */
  public static void addBucketIamMember(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList and copying over to an ArrayList so it's mutable.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Create a new binding using role and member
    Binding.Builder newMemberBindingBuilder = Binding.newBuilder();
    newMemberBindingBuilder.setRole(role).setMembers(Arrays.asList(member));
    bindings.add(newMemberBindingBuilder.build());

    // Update policy to add member
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.printf("Added %s with role %s to %s\n", member, role, bucketName);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The role to grant
// const roleName = 'roles/storage.objectViewer';

// The members to grant the new role to
// const members = [
//   'user:jdoe@example.com',
//   'group:admins@example.com',
// ];

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function addBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Adds the new roles to the bucket's IAM policy
  policy.bindings.push({
    role: roleName,
    members: members,
  });

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Added the following member(s) with role ${roleName} to ${bucketName}:`
  );

  members.forEach(member => {
    console.log(`  ${member}`);
  });
}

addBucketIamMember().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a new member / role IAM pair to a given Cloud Storage bucket.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $role The role to which the given member should be added.
 *        (e.g. 'roles/storage.objectViewer')
 * @param string[] $members The member(s) to be added to the role.
 *        (e.g. ['group:example@google.com'])
 */
function add_bucket_iam_member(string $bucketName, string $role, array $members): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    $policy['bindings'][] = [
        'role' => $role,
        'members' => $members
    ];

    $bucket->iam()->setPolicy($policy);

    printf('Added the following member(s) to role %s for bucket %s' . PHP_EOL, $role, $bucketName);
    foreach ($members as $member) {
        printf('    %s' . PHP_EOL, $member);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

from google.cloud import storage


def add_bucket_iam_member(bucket_name, role, member):
    """Add a new member to an IAM Policy"""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g., roles/storage.objectViewer"
    # member = "IAM identity, e.g., user:name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    policy.bindings.append({"role": role, "members": {member}})

    bucket.set_iam_policy(policy)

    print(f"Added {member} with role {role} to {bucket_name}.")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

def add_bucket_iam_member bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  role   = "roles/storage.objectViewer"
  member = "group:example@google.com"

  bucket.policy requested_policy_version: 3 do |policy|
    policy.bindings.insert role: role, members: [member]
  end

  puts "Added #{member} with role #{role} to #{bucket_name}"
end

REST APIs

JSON

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the following information. The bindings array in this file becomes the bucket's entire policy when you PUT it in step 3, so include every existing binding you want to keep (retrieve them with a getIamPolicy request, as shown under "View the IAM policy for a bucket") together with the etag from that response; a setIamPolicy request without an etag overwrites the policy unconditionally.

    {
      "bindings": [
        {
          "role": "IAM_ROLE",
          "members": [
            "PRINCIPAL_IDENTIFIER"
          ]
        }
      ]
    }

    Where:

    • IAM_ROLE is the IAM role you are granting. For example, roles/storage.objectViewer.

    • PRINCIPAL_IDENTIFIER identifies who you are granting bucket access to. For example, user:jeffersonloveshiking@gmail.com. For a list of principal identifier formats, see Principal identifiers.

  3. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where:

    • JSON_FILE_NAME is the path for the file that you created in Step 2.

    • BUCKET_NAME is the name of the bucket to which you want to give the principal access. For example, my-bucket.
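The JSON API steps above PUT the file's contents as the bucket's whole policy, so the file needs every binding you intend to keep plus the etag that getIamPolicy returned. The following is an added example, not code from the Cloud Storage documentation or its client libraries: it performs that read-modify-write on a plain dict of the shape getIamPolicy returns, mirroring what gcloud storage buckets add-iam-policy-binding and remove-iam-policy-binding do on your behalf. The sample policy, its principals, the bucket name in the condition and the etag value are constructed for illustration, so the block runs offline; the string request_body produces is what you would PUT in step 3.

```python
"""Read-modify-write for a bucket IAM policy in the JSON API's shape.

Added example, not code from the Cloud Storage documentation. It works on
plain dicts shaped like a getIamPolicy response so it runs offline.
"""
import copy
import json

# Constructed sample of what GET .../b/BUCKET_NAME/iam could return for a
# bucket that already carries two bindings, one of them conditional.
# The etag value is made up.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {
            "role": "roles/storage.admin",
            "members": ["group:storage-admins@example.com"],
        },
        {
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
            "condition": {
                "title": "ci-logs-prefix-only",
                "expression": 'resource.name.startsWith("projects/_/buckets/my-bucket/objects/ci-logs/")',
            },
        },
    ],
}

# Principals that grant access to everyone on the internet (allUsers) or to
# anyone with a Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def add_member(policy, role, member, allow_public=False):
    """Return a copy of `policy` with `member` granted `role`.

    Merges into the existing unconditional binding for `role`, creating one if
    none exists, and leaves conditional bindings untouched. Public principals
    are refused unless the caller opts in explicitly.
    """
    if member in PUBLIC_PRINCIPALS and not allow_public:
        raise ValueError(f"{member} would expose the bucket publicly; pass allow_public=True to confirm")
    updated = copy.deepcopy(policy)
    updated["version"] = 3
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def remove_member(policy, role, member):
    """Return a copy of `policy` with `member` dropped from the unconditional
    binding for `role`. A binding left with no members is deleted, as the
    client-library samples on this page do."""
    updated = copy.deepcopy(policy)
    updated["version"] = 3
    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def request_body(policy):
    """Serialize `policy` for PUT .../b/BUCKET_NAME/iam.

    setIamPolicy replaces the whole policy, so the body must carry every
    binding you want to keep and the etag from getIamPolicy: without an etag
    the write is unconditional and overwrites any change made since you read
    the policy.
    """
    if not policy.get("etag"):
        raise ValueError("policy carries no etag; read it with getIamPolicy first")
    if "bindings" not in policy:
        raise ValueError("policy carries no bindings key; a PUT would strip every grant")
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    viewer = "roles/storage.objectViewer"
    jefferson = "user:jeffersonloveshiking@gmail.com"
    granted = add_member(SAMPLE_POLICY, viewer, jefferson)
    print(request_body(granted))
    print(request_body(remove_member(granted, viewer, jefferson)))
```

The conditional objectViewer binding for the CI service account is never touched by either function; the grant for the user lands in its own unconditional binding, and revoking it removes that binding rather than leaving an empty one behind.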

View the IAM policy for a bucket

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

    Go to Buckets

  2. In the list of buckets, click the name of the bucket whose policy you want to view.

  3. In the Bucket details page, click the Permissions tab.

    The IAM policy that applies to the bucket appears in the Permissions section.

  4. Optional: Use the Filter bar to filter your results.

    If you search by principal, your results display each role that the principal is granted.

Command line

Use the buckets get-iam-policy command:

gcloud storage buckets get-iam-policy gs://BUCKET_NAME

Where BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

#include "google/cloud/storage/client.h"
#include <iostream>
#include <string>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();
  std::cout << "The IAM policy for bucket " << bucket_name << " is "
            << *policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class ViewBucketIamMembersSample
{
    public Policy ViewBucketIamMembers(string bucketName = "your-unique-bucket-name")
    {
        var storage = StorageClient.Create();
        var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
        {
            RequestedPolicyVersion = 3
        });

        foreach (var binding in policy.Bindings)
        {
            Console.WriteLine($"Role: {binding.Role}");
            Console.WriteLine("Members:");
            foreach (var member in binding.Members)
            {
                Console.WriteLine($"{member}");
            }
        }
        return policy;
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/iam"
	"cloud.google.com/go/storage"
)

// getBucketPolicy gets the bucket IAM policy.
func getBucketPolicy(w io.Writer, bucketName string) (*iam.Policy3, error) {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	policy, err := client.Bucket(bucketName).IAM().V3().Policy(ctx)
	if err != nil {
		return nil, fmt.Errorf("Bucket(%q).IAM().V3().Policy: %w", bucketName, err)
	}
	for _, binding := range policy.Bindings {
		fmt.Fprintf(w, "%q: %q (condition: %v)\n", binding.Role, binding.Members, binding.Condition)
	}
	return policy, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class ListBucketIamMembers {
  public static void listBucketIamMembers(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy policy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    // Print binding information
    for (Binding binding : policy.getBindingsList()) {
      System.out.printf("Role: %s Members: %s\n", binding.getRole(), binding.getMembers());

      // Print condition if one is set
      boolean bindingIsConditional = binding.getCondition() != null;
      if (bindingIsConditional) {
        System.out.printf("Condition Title: %s\n", binding.getCondition().getTitle());
        System.out.printf("Condition Description: %s\n", binding.getCondition().getDescription());
        System.out.printf("Condition Expression: %s\n", binding.getCondition().getExpression());
      }
    }
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function viewBucketIamMembers() {
  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  const results = await storage
    .bucket(bucketName)
    .iam.getPolicy({requestedPolicyVersion: 3});

  const bindings = results[0].bindings;

  console.log(`Bindings for bucket ${bucketName}:`);
  for (const binding of bindings) {
    console.log(`  Role: ${binding.role}`);
    console.log('  Members:');

    const members = binding.members;
    for (const member of members) {
      console.log(`    ${member}`);
    }

    const condition = binding.condition;
    if (condition) {
      console.log('  Condition:');
      console.log(`    Title: ${condition.title}`);
      console.log(`    Description: ${condition.description}`);
      console.log(`    Expression: ${condition.expression}`);
    }
  }
}

viewBucketIamMembers().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * View Bucket IAM members for a given Cloud Storage bucket.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function view_bucket_iam_members(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

    printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
    printf(PHP_EOL);

    foreach ($policy['bindings'] as $binding) {
        printf('Role: %s' . PHP_EOL, $binding['role']);
        printf('Members:' . PHP_EOL);
        foreach ($binding['members'] as $member) {
            printf('  %s' . PHP_EOL, $member);
        }

        if (isset($binding['condition'])) {
            $condition = $binding['condition'];
            printf('  with condition:' . PHP_EOL);
            printf('    Title: %s' . PHP_EOL, $condition['title']);
            printf('    Description: %s' . PHP_EOL, $condition['description']);
            printf('    Expression: %s' . PHP_EOL, $condition['expression']);
        }
        printf(PHP_EOL);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

from google.cloud import storage


def view_bucket_iam_members(bucket_name):
    """View IAM Policy for a bucket"""
    # bucket_name = "your-bucket-name"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    for binding in policy.bindings:
        print(f"Role: {binding['role']}, Members: {binding['members']}")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

def view_bucket_iam_members bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  policy = bucket.policy requested_policy_version: 3
  policy.bindings.each do |binding|
    puts "Role: #{binding.role}"
    puts "Members: #{binding.members}"

    # if a conditional binding exists print the condition.
    if binding.condition
      puts "Condition Title: #{binding.condition.title}"
      puts "Condition Description: #{binding.condition.description}"
      puts "Condition Expression: #{binding.condition.expression}"
    end
  end
end

REST APIs

JSON

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.

Note: Some roles may not appear in the bucket permissions window. If you grant roles at the project level, they don't appear in the bucket permission window, even when users with that role have access to your bucket. To view these project-level permissions, go to the IAM & Admin screen.
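The Note above is the point most often missed when reviewing who can reach a bucket: the bucket's own policy is not the whole picture. The following added example, not code from the Cloud Storage documentation, flattens a bucket policy, optionally merged with the project's policy, into the per-principal view the console's principal filter gives you, and lists what a reviewer should look at first: public principals and conditional grants. Both policies are constructed dicts in the getIamPolicy response shape, and their principals, condition and etag values are made up.

```python
"""Per-principal view and review notes for bucket IAM policies.

Added example, not code from the Cloud Storage documentation. The policies
below are constructed in the JSON API's getIamPolicy response shape.
"""
from collections import defaultdict

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed: the bucket's own policy, with one conditional binding.
BUCKET_POLICY = {
    "version": 3,
    "etag": "CAI=",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {
            "role": "roles/storage.objectAdmin",
            "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"],
            "condition": {
                "title": "expires-2025",
                "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")',
            },
        },
    ],
}

# Constructed: the enclosing project's policy. The bucket's Permissions tab
# does not show these grants even though they apply to every bucket in the
# project.
PROJECT_POLICY = {
    "version": 1,
    "etag": "CAM=",
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
}


def grants_by_principal(*policies):
    """Map each principal to the set of (role, condition title or None) it
    holds across every policy given. Passing the bucket policy alone gives
    the console's bucket-level view; passing the project policy as well adds
    the project-level grants the Note describes."""
    grants = defaultdict(set)
    for policy in policies:
        for binding in policy.get("bindings", []):
            cond = binding.get("condition")
            title = cond.get("title") if cond else None
            for member in binding["members"]:
                grants[member].add((binding["role"], title))
    return dict(grants)


def findings(*policies):
    """Return review notes for the given policies: any public principal, and
    any conditional grant together with the expression that gates it."""
    notes = []
    for policy in policies:
        for binding in policy.get("bindings", []):
            for principal in sorted(PUBLIC_PRINCIPALS.intersection(binding["members"])):
                notes.append(f"PUBLIC: {principal} holds {binding['role']}")
            cond = binding.get("condition")
            if cond:
                who = ", ".join(binding["members"])
                notes.append(f"CONDITIONAL: {binding['role']} for {who} only when {cond['expression']}")
    return notes


if __name__ == "__main__":
    for principal, roles in sorted(grants_by_principal(BUCKET_POLICY, PROJECT_POLICY).items()):
        print(principal, sorted(roles))
    for note in findings(BUCKET_POLICY, PROJECT_POLICY):
        print(note)
```

Run against the bucket policy alone, grants_by_principal never mentions the storage-admins group; only when the project policy is merged in does the group's roles/storage.admin grant show up, which is exactly the gap the Note warns about.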

Remove a principal from a bucket-level policy

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

    Go to Buckets

  2. In the list of buckets, click the name of the bucket from which you want to remove a principal's role.

  3. In the Bucket details page, click the Permissions tab.

    The IAM policy that applies to the bucket appears in the Permissions section.

  4. In the View by principals tab, select the checkbox for the principal you're removing.

  5. Click the - Remove access button.

  6. In the overlay window that appears, click Confirm.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

Use the buckets remove-iam-policy-binding command:

gcloud storage buckets remove-iam-policy-binding gs://BUCKET_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE

Where:

  • BUCKET_NAME is the name of the bucket you are revoking access to. For example, my-bucket.

  • PRINCIPAL_IDENTIFIER identifies who you are revoking access from. For example, user:jeffersonloveshiking@gmail.com. For a list of principal identifier formats, see Principal identifiers.

  • IAM_ROLE is the IAM role you are revoking. For example, roles/storage.objectViewer.

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

#include "google/cloud/storage/client.h"
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();

  policy->set_version(3);
  std::vector<google::cloud::storage::NativeIamBinding> updated_bindings;
  for (auto& binding : policy->bindings()) {
    auto& members = binding.members();
    // Only the unconditional binding for this role is edited.
    if (binding.role() == role && !binding.has_condition()) {
      members.erase(std::remove(members.begin(), members.end(), member),
                    members.end());
    }
    // Drop any binding that no longer has members.
    if (!members.empty()) {
      updated_bindings.emplace_back(std::move(binding));
    }
  }
  policy->bindings() = std::move(updated_bindings);

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::move(updated).status();
  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

using Google.Cloud.Storage.V1;
using System;
using System.Linq;

public class RemoveBucketIamMemberSample
{
    public void RemoveBucketIamMember(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string member = "serviceAccount:dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
        {
            RequestedPolicyVersion = 3
        });

        // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
        policy.Version = 3;

        foreach (var binding in policy.Bindings.Where(c => c.Role == role).ToList())
        {
            // Remove the role/member combo from the IAM policy.
            binding.Members = binding.Members.Where(m => m != member).ToList();
            // Remove role if it contains no members.
            if (binding.Members.Count == 0)
            {
                policy.Bindings.Remove(binding);
            }
        }
        // Set the modified IAM policy to be the current IAM policy.
        storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine($"Removed {member} with role {role} from {bucketName}");
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/iam"
	"cloud.google.com/go/storage"
)

// removeBucketIAMMember removes the bucket IAM member.
func removeBucketIAMMember(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	policy, err := bucket.IAM().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().Policy: %w", bucketName, err)
	}
	// Other valid prefixes are "serviceAccount:", "user:"
	// See the documentation for more values.
	// https://cloud.google.com/storage/docs/access-control/iam
	// member string, role iam.RoleName
	identity := "group:cloud-logs@google.com"
	var role iam.RoleName = "roles/storage.objectViewer"

	policy.Remove(identity, role)
	if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().SetPolicy: %w", bucketName, err)
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintf(w, "Removed %v with role %v from %v\n", identity, role, bucketName)
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.List;

public class RemoveBucketIamMember {
  public static void removeBucketIamMember(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList and copying over to an ArrayList so it's mutable.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Remove role-member binding without a condition.
    for (int index = 0; index < bindings.size(); index++) {
      Binding binding = bindings.get(index);
      boolean foundRole = binding.getRole().equals(role);
      boolean foundMember = binding.getMembers().contains(member);
      boolean bindingIsNotConditional = binding.getCondition() == null;
      if (foundRole && foundMember && bindingIsNotConditional) {
        bindings.set(index, binding.toBuilder().removeMembers(member).build());
        break;
      }
    }

    // Update policy to remove member
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.printf("Removed %s with role %s from %s\n", member, role, bucketName);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The role to revoke
// const roleName = 'roles/storage.objectViewer';

// The members to revoke the roles from
// const members = [
//   'user:jdoe@example.com',
//   'group:admins@example.com',
// ];

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Finds and updates the appropriate role-member group, without a condition.
  const index = policy.bindings.findIndex(
    binding => binding.role === roleName && !binding.condition
  );

  const role = policy.bindings[index];

  if (role) {
    role.members = role.members.filter(
      member => members.indexOf(member) === -1
    );

    // Updates the policy object with the new (or empty) role-member group
    if (role.members.length === 0) {
      policy.bindings.splice(index, 1);
    } else {
      // Write the edited binding back at its position in the bindings array.
      policy.bindings[index] = role;
    }

    // Updates the bucket's IAM policy
    await bucket.iam.setPolicy(policy);
  } else {
    // No matching role-member group(s) were found
    throw new Error('No matching role-member group(s) found.');
  }

  console.log(
    `Removed the following member(s) with role ${roleName} from ${bucketName}:`
  );
  members.forEach(member => {
    console.log(`  ${member}`);
  });
}

removeBucketIamMember().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $role The role from which the specified member should be removed.
 *        (e.g. 'roles/storage.objectViewer')
 * @param string $member The member to be removed from the specified role.
 *        (e.g. 'group:example@google.com')
 */
function remove_bucket_iam_member(string $bucketName, string $role, string $member): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $iam = $bucket->iam();

    $policy = $iam->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    foreach ($policy['bindings'] as $i => $binding) {
        // This example only removes member from bindings without a condition.
        if ($binding['role'] == $role && !isset($binding['condition'])) {
            $key = array_search($member, $binding['members']);
            if ($key !== false) {
                unset($binding['members'][$key]);

                // If the last member is removed from the binding, clean up the
                // binding.
                if (count($binding['members']) == 0) {
                    unset($policy['bindings'][$i]);
                    // Ensure array keys are sequential, otherwise JSON encodes
                    // the array as an object, which fails when calling the API.
                    $policy['bindings'] = array_values($policy['bindings']);
                } else {
                    // Ensure array keys are sequential, otherwise JSON encodes
                    // the array as an object, which fails when calling the API.
                    $binding['members'] = array_values($binding['members']);
                    $policy['bindings'][$i] = $binding;
                }

                $iam->setPolicy($policy);
                printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
                return;
            }
        }
    }

    throw new \RuntimeException('No matching role-member group(s) found.');
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

from google.cloud import storage


def remove_bucket_iam_member(bucket_name, role, member):
    """Remove member from bucket IAM Policy"""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # member = "IAM identity, e.g. user:name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    for binding in policy.bindings:
        # Only unconditional bindings are touched; a conditional binding
        # for the same role is left in place.
        if binding["role"] == role and binding.get("condition") is None:
            binding["members"].discard(member)

    bucket.set_iam_policy(policy)

    print(f"Removed {member} with role {role} from {bucket_name}.")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

def remove_bucket_iam_member bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  # For more information please read: https://cloud.google.com/storage/docs/access-control/iam
  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  role   = "roles/storage.objectViewer"
  member = "group:example@google.com"

  bucket.policy requested_policy_version: 3 do |policy|
    policy.bindings.each do |binding|
      if binding.role == role && binding.condition.nil?
        binding.members.delete member
      end
    end
  end

  puts "Removed #{member} with role #{role} from #{bucket_name}"
end

REST APIs

JSON

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Get the existing policy applied to your bucket. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.

  3. Create a JSON file that contains the policy you retrieved in the previous step.

  4. Edit the JSON file to remove the principal from the policy. Keep the etag value that came back with the policy: setIamPolicy uses it to reject the write if the policy changed after you fetched it, so you never overwrite someone else's edit.

  5. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where:

    • JSON_FILE_NAME is the path for the file that you created in Step 3.

    • BUCKET_NAME is the name of the bucket from which you want to remove access. For example, my-bucket.

Important: It typically takes about a minute for revoking access to take effect. In some cases it may take longer. If you remove a user's access, this change is immediately reflected in the metadata; however, the user may still have access to the object for a short period of time.
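Step 4 above leaves the edit of the JSON file to you. The following Python is an added example, not code from this page or from any Google client library: it performs that edit on the policy document the GET request returns (here a constructed sample with a made-up etag, not a real bucket policy). It removes the principal from the unconditional binding for one role, drops a binding that becomes empty, keeps the etag so that the PUT is rejected if the policy changed underneath you, and reports every grant the principal still holds on the bucket, including conditional bindings, which the client-library samples on this page deliberately leave untouched.

```python
import copy
import json

# Constructed sample of what GET .../b/BUCKET_NAME/iam returns for a
# version 3 policy. Not a real bucket policy; the etag value is made up.
SAMPLE_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/my-bucket",
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:owner@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "group:readers@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"],
         "condition": {
             "title": "prefix-a only",
             "expression": 'resource.name.startsWith("projects/_/buckets/my-bucket/objects/prefix-a-")',
         }},
    ],
}


def remove_member(policy, role, member):
    """Return a new policy with `member` removed from the unconditional
    binding for `role`.

    Conditional bindings are left alone (the member keeps whatever access
    they grant; see remaining_grants). A binding emptied by the removal is
    dropped, and the etag is preserved so that setIamPolicy fails instead
    of overwriting a concurrent change.
    """
    if "etag" not in policy:
        raise ValueError("policy has no etag; re-fetch it before editing")
    new = copy.deepcopy(policy)
    removed = False
    kept = []
    for binding in new.get("bindings", []):
        if (binding["role"] == role and "condition" not in binding
                and member in binding["members"]):
            binding["members"] = [m for m in binding["members"] if m != member]
            removed = True
        if binding["members"]:
            kept.append(binding)
    if not removed:
        raise LookupError(f"{member} has no unconditional {role} binding")
    new["bindings"] = kept
    return new


def remaining_grants(policy, member):
    """(role, condition title or None) for every binding that still lists
    `member`, so the operator sees what the removal did not revoke."""
    grants = []
    for binding in policy.get("bindings", []):
        if member in binding["members"]:
            grants.append((binding["role"], binding.get("condition", {}).get("title")))
    return grants


if __name__ == "__main__":
    updated = remove_member(SAMPLE_POLICY, "roles/storage.objectViewer",
                            "user:alice@example.com")
    # This is the body for the PUT setIamPolicy request (JSON_FILE_NAME).
    print(json.dumps(updated, indent=2))
    print("still granted:", remaining_grants(updated, "user:alice@example.com"))
```

Write the returned dict to JSON_FILE_NAME with json.dump and send it with the PUT from step 5. If remaining_grants comes back non-empty, the principal still has access to the bucket through another role or through a conditional binding, and the removal is not a full revocation.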

Use IAM Conditions on buckets

The following sections show you how to add and remove IAM Conditions on your buckets. To view the IAM Conditions for your bucket, see Viewing the IAM policy for a bucket. For more information about using IAM Conditions with Cloud Storage, see Conditions.

You must enable uniform bucket-level access on the bucket before adding conditions.

Set a new condition on a bucket

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

    Go to Buckets

  2. In the list of buckets, click the name of the bucket that you want to add a new condition for.

  3. In the Bucket details page, click the Permissions tab.

    The IAM policy that applies to the bucket appears in the Permissions section.

  4. Click + Grant access.

  5. For New principals, fill out the principals to which you want to grant access to your bucket.

  6. For each role to which you want to apply a condition:

    1. Select a Role to grant the principals.

    2. Click Add condition to open the Edit condition form.

    3. Fill out the Title of the condition. The Description field is optional.

    4. Use the Condition builder to build your condition visually, or use the Condition editor tab to enter the CEL expression.

    5. Click Save to return to the Add principal form. To add multiple roles, click Add another role.

  7. Click Save.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

  1. Create a JSON or YAML file that defines the condition, including the title of the condition, the attribute-based logic expression for the condition, and, optionally, a description for the condition.

    Note that Cloud Storage only supports the date/time, resource type, and resource name attributes in the expression.

  2. Use the buckets add-iam-policy-binding command with the --condition-from-file flag:

gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE --condition-from-file=CONDITION_FILE

Where:

  • BUCKET_NAME is the name of the bucket you are granting the principal access to. For example, my-bucket.

  • PRINCIPAL_IDENTIFIER identifies who the condition applies to. For example, user:jeffersonloveshiking@gmail.com. For a list of principal identifier formats, see Principal identifiers.

  • IAM_ROLE is the IAM role you are granting to the principal. For example, roles/storage.objectViewer.

  • CONDITION_FILE is the file you created in the previous step.

Alternatively, you can include the condition directly in the command with the --condition flag instead of the --condition-from-file flag.

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name, std::string const& role,
   std::string const& member, std::string const& condition_title,
   std::string const& condition_description,
   std::string const& condition_expression) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();

  policy->set_version(3);
  policy->bindings().emplace_back(gcs::NativeIamBinding(
      role, {member},
      gcs::NativeExpression(condition_expression, condition_title,
                            condition_description)));

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::move(updated).status();

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";

  std::cout << "Added member " << member << " with role " << role << " to "
            << bucket_name << ":\n";
  std::cout << "with condition:\n"
            << "\t Title: " << condition_title << "\n"
            << "\t Description: " << condition_description << "\n"
            << "\t Expression: " << condition_expression << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Collections.Generic;

public class AddBucketConditionalIamBindingSample
{
    /// <summary>
    /// Adds a conditional Iam policy to a bucket.
    /// </summary>
    /// <param name="bucketName">The name of the bucket.</param>
    /// <param name="role">The role that members may assume.</param>
    /// <param name="member">The identifier of the member who may assume the provided role.</param>
    /// <param name="title">Title for the expression.</param>
    /// <param name="description">Description of the expression.</param>
    /// <param name="expression">Describes the conditions that need to be met for the policy to be applied.
    /// It's represented as a string using Common Expression Language syntax.</param>
    public Policy AddBucketConditionalIamBinding(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string member = "serviceAccount:dev@iam.gserviceaccount.com",
        string title = "title",
        string description = "description",
        string expression = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")")
    {
        var storage = StorageClient.Create();
        var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
        {
            RequestedPolicyVersion = 3
        });

        // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
        policy.Version = 3;

        Policy.BindingsData bindingToAdd = new Policy.BindingsData
        {
            Role = role,
            Members = new List<string> { member },
            Condition = new Expr
            {
                Title = title,
                Description = description,
                Expression = expression
            }
        };

        policy.Bindings.Add(bindingToAdd);
        var bucketIamPolicy = storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine($"Added {member} with role {role} " + $"to {bucketName}");
        return bucketIamPolicy;
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/iam/apiv1/iampb"
	"cloud.google.com/go/storage"
	"google.golang.org/genproto/googleapis/type/expr"
)

// addBucketConditionalIAMBinding adds bucket conditional IAM binding.
func addBucketConditionalIAMBinding(w io.Writer, bucketName, role, member, title, description, expression string) error {
	// bucketName := "bucket-name"
	// role := "bucket-level IAM role"
	// member := "bucket-level IAM member"
	// title := "condition title"
	// description := "condition description"
	// expression := "condition expression"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	policy, err := bucket.IAM().V3().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().V3().Policy: %w", bucketName, err)
	}

	policy.Bindings = append(policy.Bindings, &iampb.Binding{
		Role:    role,
		Members: []string{member},
		Condition: &expr.Expr{
			Title:       title,
			Description: description,
			Expression:  expression,
		},
	})

	if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().V3().SetPolicy: %w", bucketName, err)
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintf(w, "Added %v with role %v to %v with condition %v %v %v\n", member, role, bucketName, title, description, expression)
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import com.google.cloud.Binding;
import com.google.cloud.Condition;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AddBucketIamConditionalBinding {
  /** Example of adding a conditional binding to the Bucket-level IAM */
  public static void addBucketIamConditionalBinding(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // Create a condition
    String conditionTitle = "Title";
    String conditionDescription = "Description";
    String conditionExpression =
        "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")";
    Condition.Builder conditionBuilder = Condition.newBuilder();
    conditionBuilder.setTitle(conditionTitle);
    conditionBuilder.setDescription(conditionDescription);
    conditionBuilder.setExpression(conditionExpression);

    // getBindingsList() returns an ImmutableList, we copy over to an ArrayList so it's mutable
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Add condition to a binding
    Binding.Builder newBindingBuilder =
        Binding.newBuilder()
            .setRole(role)
            .setMembers(Arrays.asList(member))
            .setCondition(conditionBuilder.build());
    bindings.add(newBindingBuilder.build());

    // Update policy with new conditional binding
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);

    storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());
    System.out.printf(
        "Added %s with role %s to %s with condition %s %s %s\n",
        member, role, bucketName, conditionTitle, conditionDescription, conditionExpression);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The role to grant
// const roleName = 'roles/storage.objectViewer';

// The members to grant the new role to
// const members = [
//   'user:jdoe@example.com',
//   'group:admins@example.com',
// ];

// Create a condition
// const title = 'Title';
// const description = 'Description';
// const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function addBucketConditionalBinding() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // Gets and updates the bucket's IAM policy
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Set the policy's version to 3 to use condition in bindings.
  policy.version = 3;

  // Adds the new roles to the bucket's IAM policy
  policy.bindings.push({
    role: roleName,
    members: members,
    condition: {
      title: title,
      description: description,
      expression: expression,
    },
  });

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Added the following member(s) with role ${roleName} to ${bucketName}:`
  );

  members.forEach(member => {
    console.log(`  ${member}`);
  });

  console.log('with condition:');
  console.log(`  Title: ${title}`);
  console.log(`  Description: ${description}`);
  console.log(`  Expression: ${expression}`);
}

addBucketConditionalBinding().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a conditional IAM binding to a bucket's IAM policy.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $role The role that will be given to members in this binding.
 *        (e.g. 'roles/storage.objectViewer')
 * @param string[] $members The member(s) associated with this binding.
 *        (e.g. ['group:example@google.com'])
 * @param string $title The title of the condition. (e.g. 'Title')
 * @param string $description The description of the condition.
 *        (e.g. 'Condition Description')
 * @param string $expression The condition specified in CEL expression language.
 *        (e.g. 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")')
 *
 * To see how to express a condition in CEL, visit:
 * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
 */
function add_bucket_conditional_iam_binding(string $bucketName, string $role, array $members, string $title, string $description, string $expression): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

    $policy['version'] = 3;

    $policy['bindings'][] = [
        'role' => $role,
        'members' => $members,
        'condition' => [
            'title' => $title,
            'description' => $description,
            'expression' => $expression,
        ],
    ];

    $bucket->iam()->setPolicy($policy);

    printf('Added the following member(s) with role %s to %s:' . PHP_EOL, $role, $bucketName);
    foreach ($members as $member) {
        printf('    %s' . PHP_EOL, $member);
    }
    printf('with condition:' . PHP_EOL);
    printf('    Title: %s' . PHP_EOL, $title);
    printf('    Description: %s' . PHP_EOL, $description);
    printf('    Expression: %s' . PHP_EOL, $expression);
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

from google.cloud import storage


def add_bucket_conditional_iam_binding(
    bucket_name, role, title, description, expression, members
):
    """Add a conditional IAM binding to a bucket's IAM policy."""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # members = {"IAM identity, e.g. user:name@example.com"}
    # title = "Condition title."
    # description = "Condition description."
    # expression = "Condition expression."

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    # Set the policy's version to 3 to use condition in bindings.
    policy.version = 3

    policy.bindings.append(
        {
            "role": role,
            "members": members,
            "condition": {
                "title": title,
                "description": description,
                "expression": expression,
            },
        }
    )

    bucket.set_iam_policy(policy)

    print(f"Added the following member(s) with role {role} to {bucket_name}:")

    for member in members:
        print(f"{member}")

    print("with condition:")
    print(f"    Title: {title}")
    print(f"    Description: {description}")
    print(f"    Expression: {expression}")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

def add_bucket_conditional_iam_binding bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  role        = "roles/storage.objectViewer"
  member      = "group:example@google.com"
  title       = "Title"
  description = "Description"
  expression  = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"

  bucket.policy requested_policy_version: 3 do |policy|
    policy.version = 3
    policy.bindings.insert(
      role:      role,
      members:   member,
      condition: {
        title:       title,
        description: description,
        expression:  expression
      }
    )
  end

  puts "Added #{member} with role #{role} to #{bucket_name} with condition #{title} #{description} #{expression}"
end

REST APIs

JSON

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Use a GET getIamPolicy request to save the bucket's IAM policy to a temporary JSON file:

    curl \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam" \
      --header "Authorization: Bearer $(gcloud auth print-access-token)" > tmp-policy.json

    Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket. The Authorization header must be in double quotes so that the shell expands $(gcloud auth print-access-token); inside single quotes the literal text would be sent as the token and the request would fail.

  3. Edit the tmp-policy.json file in a text editor to add new conditions to the bindings in the IAM policy:

    {
      "version": VERSION,
      "bindings": [
        {
          "role": "IAM_ROLE",
          "members": [
            "PRINCIPAL_IDENTIFIER"
          ],
          "condition": {
            "title": "TITLE",
            "description": "DESCRIPTION",
            "expression": "EXPRESSION"
          }
        }
      ],
      "etag": "ETAG"
    }

    Where:

    • VERSION is the IAM policy version, which is required to be 3 for buckets with IAM Conditions.

    • IAM_ROLE is the role to which the condition applies. For example, roles/storage.objectViewer.

    • PRINCIPAL_IDENTIFIER identifies who the condition applies to. For example, user:jeffersonloveshiking@gmail.com. For a list of principal identifier formats, see Principal identifiers.

    • TITLE is the title of the condition. For example, expires in 2019.

    • DESCRIPTION is an optional description of the condition. For example, Permission revoked on New Year's.

    • EXPRESSION is an attribute-based logic expression. For example, request.time < timestamp(\"2019-01-01T00:00:00Z\"). For more examples of expressions, see the Conditions attribute reference. Note that Cloud Storage only supports the date/time, resource type, and resource name attributes.

    Don't modify ETAG. It is what makes the PUT in the next step conditional: if the policy changed after you fetched it, setIamPolicy rejects the write instead of overwriting the other change, and you re-fetch and re-apply your edit.

  4. Use a PUT setIamPolicy request to set the modified IAM policy on the bucket:

    curl -X PUT --data-binary @tmp-policy.json \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
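The following Python is an added example, not code from this page or from Google. It performs the edit of step 3 on the policy dict loaded from tmp-policy.json and adds the two checks an operator wants before the PUT in step 4: the version is forced to 3 whenever a condition is present, and the expression is linted against the attributes the page says Cloud Storage supports (request.time for date/time, resource.type and resource.name), because a condition written against any other attribute will not behave as its author expects. The sample policy and its etag are constructed; the regex-based attribute check is a heuristic, not a CEL parser, and the refusal of a duplicate (role, condition) binding is this example's choice, not an API rule.

```python
import copy
import re

# Attributes Cloud Storage accepts in bucket IAM conditions, per this page:
# date/time (request.time), resource type and resource name.
SUPPORTED_ATTRIBUTES = {"request.time", "resource.type", "resource.name"}

# Heuristic: pick out every request.<attr> / resource.<attr> reference.
# Not a CEL parser; it does not understand string literals or comments.
_ATTRIBUTE_RE = re.compile(r"\b(?:request|resource)\.[A-Za-z_]+")

# Constructed sample of a bucket policy before any condition exists.
# Not a real policy; the etag value is made up.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:readers@example.com"]},
    ],
}


def check_expression(expression):
    """Return the set of attributes the expression references, or raise if
    it references one Cloud Storage does not support (or none at all)."""
    found = {m.group(0) for m in _ATTRIBUTE_RE.finditer(expression)}
    if not found:
        raise ValueError("expression references no request/resource attribute")
    unsupported = found - SUPPORTED_ATTRIBUTES
    if unsupported:
        raise ValueError(f"unsupported condition attribute(s): {sorted(unsupported)}")
    return found


def add_conditional_binding(policy, role, members, title, expression, description=None):
    """Return a new policy with a conditional binding appended.

    The version is set to 3 (the page's VERSION placeholder), the etag is
    carried over unchanged, and a binding whose role and condition already
    exist is refused rather than duplicated.
    """
    if not members:
        raise ValueError("a binding needs at least one member")
    check_expression(expression)
    condition = {"title": title, "expression": expression}
    if description is not None:
        condition["description"] = description

    new = copy.deepcopy(policy)
    for binding in new.get("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            raise ValueError(f"{role} binding with condition {title!r} already exists")
    new.setdefault("bindings", []).append(
        {"role": role, "members": list(members), "condition": condition})
    new["version"] = 3
    return new


if __name__ == "__main__":
    import json
    updated = add_conditional_binding(
        SAMPLE_POLICY, "roles/storage.objectViewer", ["user:alice@example.com"],
        "expires", 'request.time < timestamp("2030-01-01T00:00:00Z")', "temporary read")
    # Write this to tmp-policy.json and send it with the PUT from step 4.
    print(json.dumps(updated, indent=2))
```

A condition that uses an attribute outside the supported set (for example resource.service) is rejected before anything leaves the machine, which is cheaper than discovering the problem from the API error or, worse, from a grant that is never enforced the way it reads.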

Remove a condition from a bucket

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

    Go to Buckets

  2. In the list of buckets, click the name of the bucket that you want to remove a condition from.

  3. In the Bucket details page, click the Permissions tab.

    The IAM policy that applies to the bucket appears in the Permissions section.

  4. Click the Edit icon for the principal associated with the condition.

  5. In the Edit access overlay that appears, click the name of the condition you want to delete.

  6. In the Edit condition overlay that appears, click Delete, then Confirm.

  7. Click Save.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

  1. Use the buckets get-iam-policy command to save the bucket's IAM policy to a temporary JSON file.

    gcloud storage buckets get-iam-policy gs://BUCKET_NAME > tmp-policy.json

  2. Edit the tmp-policy.json file in a text editor to remove conditions from the IAM policy.

  3. Use buckets set-iam-policy to set the modified IAM policy on the bucket.

    gcloud storage buckets set-iam-policy gs://BUCKET_NAME tmp-policy.json
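Step 2 leaves the edit of tmp-policy.json to you. The following Python is an added example rather than code from this page or from gcloud: list_conditions shows which conditional bindings the policy holds so the right one can be chosen, and remove_conditional_binding deletes only a binding whose role, title, description and expression all match, failing when nothing matches so that an unchanged policy is never set back in the belief that access was revoked. Matching on the title alone is not safe, because titles are free text and two bindings can share one; the constructed sample below has exactly that shape, and its etag is made up.

```python
import copy

# Constructed sample of a version 3 policy as saved to tmp-policy.json
# (loaded with json.load). Two conditional bindings share the title
# "expires" and differ only in description and expression.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:readers@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"],
         "condition": {"title": "expires",
                       "description": "temporary read",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/storage.objectViewer",
         "members": ["user:bob@example.com"],
         "condition": {"title": "expires",
                       "description": "other grant",
                       "expression": 'request.time < timestamp("2031-01-01T00:00:00Z")'}},
    ],
}


def list_conditions(policy):
    """(role, title, expression, members) for every conditional binding,
    so the operator can see what is there before choosing what to remove."""
    return [
        (b["role"], b["condition"]["title"], b["condition"]["expression"], list(b["members"]))
        for b in policy.get("bindings", [])
        if "condition" in b
    ]


def _condition_matches(cond, title, description, expression):
    # A condition saved without a description has no "description" key, so a
    # missing description and an empty one are treated as the same thing.
    return (cond is not None
            and cond.get("title") == title
            and cond.get("description", "") == (description or "")
            and cond.get("expression") == expression)


def remove_conditional_binding(policy, role, title, description, expression):
    """Return a new policy without the binding whose role and full condition
    match. Raises LookupError if no binding matches, so the caller does not
    PUT an unchanged policy. The etag and version are carried over."""
    new = copy.deepcopy(policy)
    bindings = new.get("bindings", [])
    kept = [b for b in bindings
            if not (b["role"] == role
                    and _condition_matches(b.get("condition"), title, description, expression))]
    if len(kept) == len(bindings):
        raise LookupError(f"no {role} binding with condition {title!r} and that expression")
    new["bindings"] = kept
    return new


if __name__ == "__main__":
    import json
    for entry in list_conditions(SAMPLE_POLICY):
        print(entry)
    updated = remove_conditional_binding(
        SAMPLE_POLICY, "roles/storage.objectViewer", "expires", "temporary read",
        'request.time < timestamp("2030-01-01T00:00:00Z")')
    # Write this back to tmp-policy.json for step 3.
    print(json.dumps(updated, indent=2))
```

Leaving version at 3 after the last condition is removed is harmless; the version only has to be 3 while a condition is present.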

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name, std::string const& role,
   std::string const& condition_title, std::string const& condition_description,
   std::string const& condition_expression) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();

  policy->set_version(3);
  auto& bindings = policy->bindings();
  // remove_if moves every matching binding to the tail of the vector; the
  // whole tail is erased below (erasing only `e` would drop a single one).
  auto e = std::remove_if(
      bindings.begin(), bindings.end(),
      [role, condition_title, condition_description,
       condition_expression](gcs::NativeIamBinding b) {
        return (b.role() == role && b.has_condition() &&
                b.condition().title() == condition_title &&
                b.condition().description() == condition_description &&
                b.condition().expression() == condition_expression);
      });
  if (e == bindings.end()) {
    std::cout << "No matching binding group found.\n";
    return;
  }
  bindings.erase(e, bindings.end());
  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::move(updated).status();
  std::cout << "Conditional binding was removed.\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Linq;

public class RemoveBucketConditionalIamBindingSample
{
    public Policy RemoveBucketConditionalIamBinding(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string title = "title",
        string description = "description",
        string expression = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")")
    {
        var storage = StorageClient.Create();
        var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
        {
            RequestedPolicyVersion = 3
        });

        // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
        policy.Version = 3;

        var bindingsToRemove = policy.Bindings.Where(binding => binding.Role == role
              && binding.Condition != null
              && binding.Condition.Title == title
              && binding.Condition.Description == description
              && binding.Condition.Expression == expression).ToList();

        if (bindingsToRemove.Count > 0)
        {
            foreach (var binding in bindingsToRemove)
            {
                policy.Bindings.Remove(binding);
            }

            // Set the modified IAM policy to be the current IAM policy.
            policy = storage.SetBucketIamPolicy(bucketName, policy);
            Console.WriteLine("Conditional Binding was removed.");
        }
        else
        {
            Console.WriteLine("No matching conditional binding found.");
        }
        return policy;
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// removeBucketConditionalIAMBinding removes bucket conditional IAM binding.
func removeBucketConditionalIAMBinding(w io.Writer, bucketName, role, title, description, expression string) error {
	// bucketName := "bucket-name"
	// role := "bucket-level IAM role"
	// title := "condition title"
	// description := "condition description"
	// expression := "condition expression"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	policy, err := bucket.IAM().V3().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().V3().Policy: %w", bucketName, err)
	}

	// Find the index of the binding matching inputs.
	i := -1
	for j, binding := range policy.Bindings {
		if binding.Role == role && binding.Condition != nil {
			condition := binding.Condition
			if condition.Title == title &&
				condition.Description == description &&
				condition.Expression == expression {
				i = j
			}
		}
	}

	if i == -1 {
		return fmt.Errorf("no matching binding group found")
	}

	// Get a slice of the bindings, removing the binding at index i.
	policy.Bindings = append(policy.Bindings[:i], policy.Bindings[i+1:]...)

	if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().V3().SetPolicy: %w", bucketName, err)
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintln(w, "Conditional binding was removed")
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import com.google.cloud.Binding;
import com.google.cloud.Condition;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

public class RemoveBucketIamConditionalBinding {
  /** Example of removing a conditional binding to the Bucket-level IAM */
  public static void removeBucketIamConditionalBinding(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";

    // getBindingsList() returns an ImmutableList and copying over to an ArrayList so it's mutable.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Create a condition to compare against
    Condition.Builder conditionBuilder = Condition.newBuilder();
    conditionBuilder.setTitle("Title");
    conditionBuilder.setDescription("Description");
    conditionBuilder.setExpression(
        "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")");

    Iterator<Binding> iterator = bindings.iterator();
    while (iterator.hasNext()) {
      Binding binding = iterator.next();
      boolean foundRole = binding.getRole().equals(role);
      boolean conditionsEqual = conditionBuilder.build().equals(binding.getCondition());

      // Remove condition when the role and condition are equal
      if (foundRole && conditionsEqual) {
        iterator.remove();
        break;
      }
    }

    // Update policy to remove conditional binding
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.println("Conditional Binding was removed.");
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The role to grant
// const roleName = 'roles/storage.objectViewer';

// The members to grant the new role to
// const members = [
//   'user:jdoe@example.com',
//   'group:admins@example.com',
// ];

// Create a condition
// const title = 'Title';
// const description = 'Description';
// const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeBucketConditionalBinding() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // Gets and updates the bucket's IAM policy
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Set the policy's version to 3 to use condition in bindings.
  policy.version = 3;

  // Finds and removes the appropriate role-member group with specific condition.
  const index = policy.bindings.findIndex(
    binding =>
      binding.role === roleName &&
      binding.condition &&
      binding.condition.title === title &&
      binding.condition.description === description &&
      binding.condition.expression === expression
  );

  const binding = policy.bindings[index];
  if (binding) {
    policy.bindings.splice(index, 1);

    // Updates the bucket's IAM policy
    await bucket.iam.setPolicy(policy);

    console.log('Conditional Binding was removed.');
  } else {
    // No matching role-member group with specific condition were found
    throw new Error('No matching binding group found.');
  }
}

removeBucketConditionalBinding().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Removes a conditional IAM binding from a bucket's IAM policy.
 *
 * To see how to express a condition in CEL, visit:
 * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $role the role that will be given to members in this binding.
 *        (e.g. 'roles/storage.objectViewer')
 * @param string $title The title of the condition. (e.g. 'Title')
 * @param string $description The description of the condition.
 *        (e.g. 'Condition Description')
 * @param string $expression The condition specified in CEL expression language.
 *        (e.g. 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")')
 */
function remove_bucket_conditional_iam_binding(string $bucketName, string $role, string $title, string $description, string $expression): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

    $policy['version'] = 3;

    $key_of_conditional_binding = null;
    foreach ($policy['bindings'] as $key => $binding) {
        if ($binding['role'] == $role && isset($binding['condition'])) {
            $condition = $binding['condition'];
            if ($condition['title'] == $title
                 && $condition['description'] == $description
                 && $condition['expression'] == $expression) {
                $key_of_conditional_binding = $key;
                break;
            }
        }
    }

    // Strict comparison: the matching binding may be at index 0, and
    // `0 != null` is false under PHP's loose comparison, which would
    // silently skip the removal.
    if ($key_of_conditional_binding !== null) {
        unset($policy['bindings'][$key_of_conditional_binding]);

        // Ensure array keys are sequential, otherwise JSON encodes
        // the array as an object, which fails when calling the API.
        $policy['bindings'] = array_values($policy['bindings']);

        $bucket->iam()->setPolicy($policy);

        print('Conditional Binding was removed.' . PHP_EOL);
    } else {
        print('No matching conditional binding found.' . PHP_EOL);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

from google.cloud import storage


def remove_bucket_conditional_iam_binding(bucket_name, role, title, description, expression):
    """Remove a conditional IAM binding from a bucket's IAM policy."""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # title = "Condition title."
    # description = "Condition description."
    # expression = "Condition expression."

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    # Set the policy's version to 3 to use condition in bindings.
    policy.version = 3

    condition = {
        "title": title,
        "description": description,
        "expression": expression,
    }

    # Keep every binding except the one whose role and whole condition match.
    policy.bindings = [
        binding
        for binding in policy.bindings
        if not (binding["role"] == role and binding.get("condition") == condition)
    ]

    bucket.set_iam_policy(policy)

    print("Conditional Binding was removed.")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

def remove_bucket_conditional_iam_binding bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  role = "roles/storage.objectViewer"
  title = "Title"
  description = "Description"
  expression = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"

  # Conditions are only returned in a version 3 policy.
  bucket.policy requested_policy_version: 3 do |policy|
    policy.version = 3
    binding_to_remove = nil
    policy.bindings.each do |b|
      if b.role == role && b.condition &&
         b.condition.title == title &&
         b.condition.description == description &&
         b.condition.expression == expression
        binding_to_remove = b
      end
    end
    if binding_to_remove
      policy.bindings.remove binding_to_remove
      puts "Conditional Binding was removed."
    else
      puts "No matching conditional binding found."
    end
  end
end

REST APIs

JSON

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Use a GET getIamPolicy request to save the bucket's IAM policy to a temporary JSON file:

    curl \
      'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam' \
      --header "Authorization: Bearer $(gcloud auth print-access-token)" > tmp-policy.json

    Where BUCKET_NAME is the name of the bucket you are granting access to. For example, my-bucket. The Authorization header is double-quoted so that the shell expands $(gcloud auth print-access-token) into the token.

  3. Edit the tmp-policy.json file in a text editor to remove conditions from the IAM policy.

  4. Use a PUT setIamPolicy request to set the modified IAM policy on the bucket:

    curl -X PUT --data-binary @tmp-policy.json \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where BUCKET_NAME is the name of the bucket whose IAM policy you want to modify. For example, my-bucket.

Best practices

You should set the minimum role needed to give the principal the required access. For example, if a team member only needs to read objects stored in a bucket, grant them the Storage Object Viewer (roles/storage.objectViewer) role instead of the Storage Object Admin (roles/storage.objectAdmin) role. Similarly, if the team member needs full control of objects in the bucket but not the bucket itself, grant them the Storage Object Admin (roles/storage.objectAdmin) role instead of the Storage Admin (roles/storage.admin) role.
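As an added example that is not one of the page's own samples, the following Python does step 3 of the JSON procedure programmatically on the policy saved by getIamPolicy (matching role plus whole condition, as the client-library samples do, and refusing a policy below version 3) and also lists the unconditional broad grants that the Best practices paragraph says to reconsider. The sample policy, bucket name, members, etag and the NARROWER_ROLE mapping are constructed assumptions.

```python
import json

# Constructed sample of what step 2 writes to tmp-policy.json; the bucket,
# members and etag are made-up values.
SAMPLE_POLICY_JSON = """{
  "version": 3, "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["group:readers@example.com"],
     "condition": {"title": "prefix-a only",
                   "description": "Only prefix-a objects",
                   "expression": "resource.name.startsWith(\\"projects/_/buckets/example-bucket/objects/prefix-a-\\")"}},
    {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}
  ]
}"""

# Narrower alternative for each broad role named under Best practices (assumed mapping).
NARROWER_ROLE = {
    "roles/storage.admin": "roles/storage.objectAdmin",
    "roles/storage.objectAdmin": "roles/storage.objectViewer",
}


def load_policy(text):
    """Parse the policy JSON saved by the getIamPolicy request."""
    return json.loads(text)


def remove_conditional_binding(policy, role, title, description, expression):
    """Return (edited_policy, removed). Only a binding whose role AND whole
    condition match is dropped, so a different condition on the same role stays."""
    bindings = policy.get("bindings", [])
    if policy.get("version", 1) < 3 and any("condition" in b for b in bindings):
        # Conditions need a version 3 policy (the requestedPolicyVersion=3 the
        # samples use); never write back a document that may be incomplete.
        raise ValueError("policy has conditions but version < 3")
    wanted = {"title": title, "description": description, "expression": expression}
    kept = [b for b in bindings
            if not (b["role"] == role and b.get("condition") == wanted)]
    # The etag is kept so setIamPolicy can detect a concurrent edit of the policy.
    return dict(policy, version=3, bindings=kept), len(kept) != len(bindings)


def grants_to_review(policy):
    """(member, role, narrower role) for unconditional grants of the broad roles
    that Best practices says to avoid when a narrower role would do."""
    return [(m, b["role"], NARROWER_ROLE[b["role"]])
            for b in policy.get("bindings", [])
            if b["role"] in NARROWER_ROLE and "condition" not in b
            for m in b["members"]]
```

Write the edited policy back to tmp-policy.json and send it with the PUT setIamPolicy request from step 4.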

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.