Storage Transfer Service uses a Google-managed service account, known as a service agent, to move data from a Cloud Storage source bucket. This service agent is created the first time that you call googleServiceAccounts.get.
The source bucket does not need to belong to the same project as the service agent. The steps are the same regardless of which project the bucket is in.
User permissions
In order to grant the required permissions to the service agent, you must have the relevant permissions on the source bucket:
- storage.buckets.getIamPolicy
- storage.buckets.setIamPolicy
The Storage Legacy Bucket Owner role (roles/storage.legacyBucketOwner) or the Storage Admin role (roles/storage.admin) provides the required permissions.
Auto-granting permissions in the Google Cloud console
If you're using the Google Cloud console to create your transfer, and have the permissions listed in User permissions, the service agent will automatically be granted the required permissions on your source bucket.
You can skip the steps on this page and go directly to creating a transfer.
Required permissions
The service agent must have the following permissions for the source bucket:
Permission | Description |
---|---|
storage.buckets.get | Allows the service agent to get the location of the bucket. |
storage.objects.list | Allows the service agent to list objects in the bucket. |
storage.objects.get | Allows the service agent to read objects in the bucket. |
storage.objects.create | Allows the service agent to create objects in the bucket. Required if the transfer is to a file system. Storage Transfer Service creates and populates two folders in the source bucket: |
storage.objects.delete | Allows the service agent to delete objects in the bucket. Required if you set deleteObjectsFromSourceAfterTransfer to true. |
The following predefined roles together grant the required permissions:
- One of:
  - Storage Object Viewer (roles/storage.objectViewer) if the transfer is to another Cloud Storage bucket.
  - Storage Object Creator (roles/storage.objectCreator) if the transfer is to a file system.
- Plus one of:
  - Storage Legacy Bucket Writer (roles/storage.legacyBucketWriter) if object delete permission is required.
  - Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) if object delete permission is not required.
Any Cloud Storage role marked as a legacy role can only be granted at the bucket level.
For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.
For object ACLs when ACL_PRESERVE is set, the Storage Legacy Object Owner role (roles/storage.legacyObjectOwner) is additionally required for the source object. For ACL_PRESERVE, manually grant the service agent the Storage Legacy Object Owner role, which provides the storage.objects.getIamPolicy permission on the source object.
Grant the required permissions
To grant the required permissions to the service agent, follow the steps below.
Find the service agent's email
1. Go to the googleServiceAccounts.get reference page. An interactive panel opens, titled Try this method.
2. In the panel, under Request parameters, enter your project ID. The project you specify here must be the project you're using to manage Storage Transfer Service, which might be different from the source bucket's project.
3. Click Execute.
4. Your service agent's email is returned as the value of accountEmail. Copy this value. The service agent's email uses the format project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com.
Add the service agent to a bucket-level policy
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. Click the Bucket overflow menu associated with the bucket to which you want to grant a principal a role, then choose Edit access.
3. Click the + Add principal button.
4. In the New principals field, enter your service agent's account email.
5. Select Storage Object Viewer or Storage Object Creator from the Select a role drop-down menu.
6. Click Add another role.
7. Select either Storage Legacy Bucket Writer or Storage Legacy Bucket Reader.
8. Click Save.
gcloud
Use the gcloud storage buckets add-iam-policy-binding command:

```shell
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME \
  --member=serviceAccount:YOUR_AGENT_EMAIL --role=roles/storage.objectViewer
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME \
  --member=serviceAccount:YOUR_AGENT_EMAIL --role=roles/storage.legacyBucketReader
```

Where:
- BUCKET_NAME is the name of the bucket you are granting the principal access to. For example, my-bucket.
- YOUR_AGENT_EMAIL is the agent account email you copied in Find the service agent's email.
Code samples
Client library samples are available for C++, C#, Go, Java, Node.js, PHP, Python, and Ruby. To learn how to install and use the client library for Cloud Storage, see Cloud Storage client libraries. For more information, see the Cloud Storage API reference documentation for your language.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
JSON
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create a JSON file that contains the following information:

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["YOUR_AGENT_EMAIL"]
    },
    {
      "role": "roles/storage.legacyBucketReader",
      "members": ["YOUR_AGENT_EMAIL"]
    }
  ]
}
```

Where:
- YOUR_AGENT_EMAIL is the agent account email you copied in Find the service agent's email.

3. Use cURL to call the JSON API with a PUT setIamPolicy request:

```shell
curl -X PUT --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"
```

Where:
- JSON_FILE_NAME is the path for the file that you created in Step 2.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket to which you want to give the principal access. For example, my-bucket.
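The role-selection rules under Required permissions and the PUT setIamPolicy step above both come down to editing the bucket's IAM policy document. The following is an added example, not Google's code and not part of this page: it picks the role pair according to the destination type and the deleteObjectsFromSourceAfterTransfer setting, adds the service agent to a policy of the shape getIamPolicy returns while keeping the etag and every existing binding, and reports what a PUT of a given policy would revoke. The helper names (`agent_member`, `required_roles`, `merge_agent_bindings`, `dropped_members`), the sample policy and the project number are constructed for illustration; the `serviceAccount:` member prefix follows the gcloud command on this page.

```python
"""Compose a bucket IAM policy that grants the Storage Transfer Service agent
the roles this page requires, as a read-modify-write instead of a blind PUT.

Added example, not Google's code. The helper functions are hypothetical;
EXISTING_POLICY is a constructed sample of what getIamPolicy might return.
"""
from __future__ import annotations

import copy
import json

AGENT_DOMAIN = "storage-transfer-service.iam.gserviceaccount.com"

# Constructed sample: bindings the bucket already has before we touch it.
EXISTING_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"]},
    ],
}


def agent_member(project_number: str) -> str:
    """IAM member string for the service agent: the email format given on this
    page, with the serviceAccount: prefix the gcloud command uses."""
    return f"serviceAccount:project-{project_number}@{AGENT_DOMAIN}"


def required_roles(destination: str, delete_after_transfer: bool) -> list:
    """Pick the two predefined roles this page says grant the source-bucket
    permissions: an object role chosen by destination type, plus a legacy
    bucket role chosen by whether deleteObjectsFromSourceAfterTransfer is set."""
    object_role = {
        "bucket": "roles/storage.objectViewer",       # transfer to another bucket
        "filesystem": "roles/storage.objectCreator",  # transfer to a file system
    }[destination]
    bucket_role = ("roles/storage.legacyBucketWriter" if delete_after_transfer
                   else "roles/storage.legacyBucketReader")
    return [object_role, bucket_role]


def merge_agent_bindings(existing_policy: dict, member: str, roles: list) -> dict:
    """Return a new policy with `member` added to each role in `roles`.

    Every pre-existing binding and the etag are preserved, so a PUT of the
    result updates the live policy instead of replacing it and silently
    revoking everyone else. Conditional bindings are left untouched; the
    member goes into an unconditional binding for the role, created if
    needed. A second call with the same inputs changes nothing.
    """
    if not member.startswith("serviceAccount:"):
        raise ValueError("service agent members need the serviceAccount: prefix")
    policy = copy.deepcopy(existing_policy)
    bindings = policy.setdefault("bindings", [])
    for role in roles:
        target = next((b for b in bindings
                       if b.get("role") == role and "condition" not in b), None)
        if target is None:
            bindings.append({"role": role, "members": [member]})
        elif member not in target["members"]:
            target["members"].append(member)
    return policy


def dropped_members(existing_policy: dict, proposed_policy: dict) -> set:
    """(role, member) pairs that a PUT of `proposed_policy` would remove.
    Check this before PUT setIamPolicy; an empty set means nothing is revoked."""
    def pairs(policy):
        return {(b["role"], m) for b in policy.get("bindings", [])
                for m in b.get("members", [])}
    return pairs(existing_policy) - pairs(proposed_policy)


if __name__ == "__main__":
    member = agent_member("123456789012")  # constructed project number
    roles = required_roles("bucket", delete_after_transfer=False)
    new_policy = merge_agent_bindings(EXISTING_POLICY, member, roles)
    assert not dropped_members(EXISTING_POLICY, new_policy)
    # Write this out and send it with the curl PUT from Step 3.
    print(json.dumps(new_policy, indent=2))
```

PUT setIamPolicy replaces the whole policy, so a file containing only the two new bindings, as in Step 2, drops every other binding on the bucket unless the file was built from the current policy; `dropped_members` makes that visible before the request is sent. Keeping the etag from getIamPolicy lets the API reject the write if someone else changed the policy in between, and skipping conditional bindings avoids widening a grant that was meant to be scoped.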