The Object Store service grants the Storage Object Admin role to the service account that it creates for each service binding or service key.
The role grants full control over the objects in the bucket: listing, creating, viewing, and deleting objects, and reading or updating their ACLs. It does not include bucket-level permissions. The role consists of the following permissions:
Permission | Description
storage.objects.create | Add new objects to a bucket.
storage.objects.delete | Delete objects.
storage.objects.get | Read object data and metadata, excluding ACLs.
storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies.
storage.objects.list | List objects in a bucket. Also, read object metadata, excluding ACLs, when listing.
storage.objects.setIamPolicy | Update object ACLs.
storage.objects.update | Update object metadata, excluding ACLs.
storage.multipartUploads.create | Upload objects in multiple parts.
storage.multipartUploads.abort | Abort multipart upload sessions.
storage.multipartUploads.listParts | List the uploaded object parts in a multipart upload session.
storage.multipartUploads.list | List the multipart upload sessions in a bucket.
The Object Store service restricts access to all objects to the service account that it creates for each service binding or service key. No object in a GCS bucket is publicly accessible by default.
The access level of an object changes only if you set an object ACL on it. Because the service account holds storage.objects.setIamPolicy, any client that has the binding credentials can do this, and an ACL entry for allUsers or allAuthenticatedUsers exposes the object to anyone on the internet or to anyone with a Google account, respectively.
We strongly recommend that you review object ACLs carefully before setting them on objects in your buckets.
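As an added example, not part of this documentation or of the Object Store service itself, the following Python audits object ACLs for the public grants that the recommendation above warns about. It works offline on constructed data in the shape the GCS JSON API returns for an object listing with full projection (an acl list of entries with entity and role). The object names and the service account address are placeholders; in practice you would feed it the listing obtained with the binding's service account.

```python
"""Audit GCS object ACLs for public grants (added example, not Object Store code)."""
from typing import Dict, List

# GCS ACL entities that expose an object beyond the bucket's own principals.
# allUsers = anyone on the internet; allAuthenticatedUsers = anyone with a Google account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def is_public_entity(entity: str) -> bool:
    """True if an ACL entity makes the object readable outside the intended principals."""
    return entity in PUBLIC_ENTITIES


def audit_object_acls(objects: List[Dict]) -> List[Dict]:
    """Return one finding per (object, public ACL entry) pair.

    `objects` is a list of object resources as returned by objects.list with
    projection=full, i.e. each has a "name" and an "acl" list of
    {"entity": ..., "role": ...} entries.
    """
    findings = []
    for obj in objects:
        for entry in obj.get("acl", []):
            entity = entry.get("entity", "")
            if is_public_entity(entity):
                findings.append({
                    "object": obj["name"],
                    "entity": entity,
                    "role": entry.get("role"),
                })
    return findings


def strip_public_entries(acl: List[Dict]) -> List[Dict]:
    """Return the ACL with public grants removed; use this before calling
    objects.update / setIamPolicy so a public entry is never written."""
    return [e for e in acl if not is_public_entity(e.get("entity", ""))]


# Constructed sample listing (placeholder names and service account address).
# The first object is in the default state: only the binding's service account.
SERVICE_ACCOUNT = "user-objectstore-sa@example-project.iam.gserviceaccount.com"
SAMPLE_OBJECTS = [
    {"name": "invoices/2024-01.pdf",
     "acl": [{"entity": SERVICE_ACCOUNT, "role": "OWNER"}]},
    {"name": "public/logo.png",
     "acl": [{"entity": SERVICE_ACCOUNT, "role": "OWNER"},
             {"entity": "allUsers", "role": "READER"}]},
    {"name": "exports/report.csv",
     "acl": [{"entity": "allAuthenticatedUsers", "role": "READER"},
             {"entity": "group-finance@example.com", "role": "READER"}]},
]


if __name__ == "__main__":
    for finding in audit_object_acls(SAMPLE_OBJECTS):
        print(f"{finding['object']}: {finding['entity']} has {finding['role']}")
    # Show what a safe ACL for the third object looks like after cleanup.
    print(strip_public_entries(SAMPLE_OBJECTS[2]["acl"]))
```

The check deliberately keys on the ACL entity strings rather than on roles: a READER grant to allUsers is already a public object, so the role is reported only for context. Run the audit against a listing fetched with the binding credentials whenever an application path can call storage.objects.setIamPolicy.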
Related Information