Transfer Cloud Storage managed folders

Cloud Storage managed folders provide fine-grained access control to objects in Cloud Storage buckets. Permissions can be set at a folder level within buckets that use uniform bucket-level access. When transferring objects between Cloud Storage buckets with Storage Transfer Service, these managed folder permissions can be retained.

Limitations

The following limitations apply to transfers of managed folders:

  • The destination bucket must use uniform bucket-level access.
  • Managed folder transfers do not support the deleteObjectsUniqueInSink or deleteObjectsFromSourceAfterTransfer options.
  • There must be no IAM Conditions on the destination bucket or its project that use the bucket resource type (storage.googleapis.com/Bucket) or the object resource type (storage.googleapis.com/Object). If any bucket within a project has an IAM Condition that uses either of these resource types, managed folders cannot be transferred to any of the buckets within that project, even if the condition is later removed.
  • Event-driven transfers are not supported.
  • Manifest transfers are not supported.

IAM permissions

The following Google Cloud Identity and Access Management (IAM) permissions are required by the Google-managed service account.

For both the source and the destination, permissions can be set at the bucket level, or can be set on the managed folder. To set permissions on a destination managed folder, that folder must already exist.

We do not recommend setting managed folder permissions at a project level; see Security considerations for additional info.

On the source bucket or managed folder:

  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.get

On the destination bucket or managed folder:

  • storage.managedFolders.setIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.create

These are in addition to the standard permissions required by Storage Transfer Service:

To grant the required managed folder permissions, create a custom role with only the permissions required.

Create a managed folder transfer

To create a transfer containing a managed folder, specify managedFolderTransferEnabled: true in your transferSpec. You can optionally specify a path value to transfer only a specific managed folder.

POST https://storagetransfer.googleapis.com/v1/transferJobs
{
  "name": "transferjobs/NAME",
  "projectId": "PROJECT_ID",
  "transferSpec": {
    "gcsDataSource": {
      "bucketName": "SOURCE_BUCKET",
      "path": "SOURCE_PATH",
      "managedFolderTransferEnabled": true
    },
    "gcsDataSink": {
      "bucketName": "DESTINATION_BUCKET",
      "path": "DESTINATION_PATH"
    }
  },
  "status": "ENABLED"
}

If the correct managed transfer permissions are not set at the source and the destination, the transfer fails.

See Create transfers for details on creating a transfer using the REST API, or refer to the transferJobs.create reference.

Security considerations

Granting managed folder permissions to a Google-managed service account enables the account to modify IAM policies on destination folders, or on all folders if the role is granted at the project level. This poses a security risk: a user with job edit permissions could exploit this to grant privileges to a malicious actor. To mitigate this risk, consider isolating managed folder transfers within a dedicated Google Cloud project.
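
An added example, not part of the original page or Google's own code: a Python check that reads a project-level IAM policy and reports bindings that give the Storage Transfer Service agent storage.managedFolders.setIamPolicy across the whole project, the case this section warns against. The project, role names, members and role definitions are constructed sample data, and the service agent address format used in the pattern is an assumption.

```python
import re

# Destination-side permission from this page that allows IAM policy changes.
RISKY_PERMISSION = "storage.managedFolders.setIamPolicy"
# Assumed address format of the Google-managed Storage Transfer Service agent.
STS_AGENT = re.compile(
    r"^serviceAccount:project-\d+@storage-transfer-service\.iam\.gserviceaccount\.com$"
)

def audit_project_policy(project_policy, role_permissions):
    """Return (findings, unresolved_roles) for a project-level IAM policy.

    project_policy: dict in the JSON shape of a project IAM policy
        ({"bindings": [{"role": ..., "members": [...]}, ...]}).
    role_permissions: dict mapping role name -> permissions it includes.
    findings: (role, member) pairs where the agent holds RISKY_PERMISSION
        project-wide. unresolved_roles: roles bound to the agent whose
        definition was not supplied, so they need manual review.
    """
    findings, unresolved = [], set()
    for binding in project_policy.get("bindings", []):
        role = binding.get("role", "")
        agents = [m for m in binding.get("members", []) if STS_AGENT.match(m)]
        if not agents:
            continue  # binding does not involve the transfer service agent
        if role not in role_permissions:
            unresolved.add(role)
        elif RISKY_PERMISSION in role_permissions[role]:
            findings.extend((role, member) for member in agents)
    return findings, sorted(unresolved)

# Constructed sample data (hypothetical project, roles and members).
AGENT = "serviceAccount:project-123456789012@storage-transfer-service.iam.gserviceaccount.com"
DEST_ROLE = "projects/example-project/roles/managedFolderTransferDest"
SRC_ROLE = "projects/example-project/roles/managedFolderTransferSource"
OTHER_ROLE = "projects/example-project/roles/notYetReviewed"
SAMPLE_POLICY = {"bindings": [
    {"role": DEST_ROLE, "members": [AGENT, "user:alice@example.com"]},
    {"role": SRC_ROLE, "members": [AGENT]},
    {"role": OTHER_ROLE, "members": [AGENT]},
]}
SAMPLE_ROLES = {
    DEST_ROLE: ["storage.managedFolders.setIamPolicy",
                "storage.managedFolders.list", "storage.managedFolders.create"],
    SRC_ROLE: ["storage.managedFolders.getIamPolicy",
               "storage.managedFolders.list", "storage.managedFolders.get"],
}

if __name__ == "__main__":
    print(audit_project_policy(SAMPLE_POLICY, SAMPLE_ROLES))
```

A finding here means the role is bound at the project level; granting it on the destination bucket or managed folder instead keeps the policy-write permission scoped to the transfer's target.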

Cloud Logging

Managed folder actions are logged by Cloud Logging. See Cloud Logging for Storage Transfer Service for details.

Troubleshooting

For help creating and managing managed folders, refer to the Troubleshooting page.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.