Cloud Storage OAuth 2.0 scopes
Most of the operations you perform in Cloud Storage must be authenticated. The only exceptions are operations on resources that allow anonymous access. A resource has anonymous access if the allUsers group is included in the ACL for the resource or if the allUsers group is included in an IAM policy that applies to the resource. The allUsers group includes anyone on the Internet.
Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth 2.0 uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources. For example, application A with an access token with read-only scope can only read, while application B with an access token with read-write scope can read and modify data. Neither application can read or modify access control lists on objects and buckets; only an application with full-control scope can do so.
| Type | Description | Scope URL |
|---|---|---|
| read-only | Only allows access to read data, including listing buckets. | https://www.googleapis.com/auth/devstorage.read_only |
| read-write | Allows access to read and change data, but not metadata like IAM policies. | https://www.googleapis.com/auth/devstorage.read_write |
| full-control | Allows full control over data, including the ability to modify IAM policies. | https://www.googleapis.com/auth/devstorage.full_control |
| cloud-platform.read-only | View your data across Google Cloud services. For Cloud Storage, this is the same as devstorage.read-only. | https://www.googleapis.com/auth/cloud-platform.read-only |
| cloud-platform | View and manage data across all Google Cloud services. For Cloud Storage, this is the same as devstorage.full-control. | https://www.googleapis.com/auth/cloud-platform |
| bigquery.read-only | View your data in Google BigQuery. For Cloud Storage, this is the same as devstorage.read-only. | https://www.googleapis.com/auth/bigquery.readonly |
| bigquery | Allow access to read and write data in BigQuery. For Cloud Storage, this is the same as devstorage.read-write. | https://www.googleapis.com/auth/bigquery |
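
The equivalences in the table above mean a token issued for another service can carry more Cloud Storage access than a workload needs. The following is an added example, not code from this page or from Google: it computes the effective Cloud Storage level of a space-delimited OAuth 2.0 scope string and lists the scopes that exceed what the workload uses. The names `Level`, `REQUIRED`, `effective_level` and `audit_scopes`, and the operation classes, are hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    FULL_CONTROL = 3

BASE = "https://www.googleapis.com/auth/"

# Cloud Storage equivalent of each scope, taken from the table above.
SCOPE_LEVEL = {
    BASE + "devstorage.read_only": Level.READ_ONLY,
    BASE + "devstorage.read_write": Level.READ_WRITE,
    BASE + "devstorage.full_control": Level.FULL_CONTROL,
    BASE + "cloud-platform.read-only": Level.READ_ONLY,
    BASE + "cloud-platform": Level.FULL_CONTROL,
    BASE + "bigquery.readonly": Level.READ_ONLY,
    BASE + "bigquery": Level.READ_WRITE,
}

# Hypothetical operation classes and the lowest level that covers each.
REQUIRED = {"read": Level.READ_ONLY, "write": Level.READ_WRITE,
            "change_acl_or_iam": Level.FULL_CONTROL}

def effective_level(scope_string):
    """Highest Cloud Storage level in a space-delimited OAuth 2.0 scope string."""
    return max((SCOPE_LEVEL.get(s, Level.NONE) for s in scope_string.split()),
               default=Level.NONE)

def audit_scopes(scope_string, operations):
    """Compare granted scopes with the operations a workload actually performs."""
    need = max((REQUIRED[op] for op in operations), default=Level.NONE)
    have = effective_level(scope_string)
    # Scopes that grant more Cloud Storage access than the workload needs.
    excess = sorted(s for s in scope_string.split()
                    if SCOPE_LEVEL.get(s, Level.NONE) > need)
    return {"effective": have.name, "sufficient": have >= need, "excess": excess}

if __name__ == "__main__":
    # Constructed sample: a job that only reads objects but was issued a
    # token that also carries the BigQuery read/write scope.
    granted = BASE + "bigquery " + BASE + "devstorage.read_only"
    print(audit_scopes(granted, ["read"]))
```
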
Last updated 2026-02-19 UTC.