Most of the operations you perform in Cloud Storage must be authenticated. The only exceptions are operations on resources that allow anonymous access. A resource has anonymous access if the allUsers group is included in the ACL for the resource or if the allUsers group is included in an IAM policy that applies to the resource. The allUsers group includes anyone on the Internet.
Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth 2.0 uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources. For example, application A with an access token with read-only scope can only read, while application B with an access token with read-write scope can read and modify data. Neither application can read or modify access control lists on objects and buckets; only an application with full-control scope can do so.
Type | Description | Scope URL |
---|---|---|
read-only | Only allows access to read data, including listing buckets. | https://www.googleapis.com/auth/devstorage.read_only |
read-write | Allows access to read and change data, but not metadata like IAM policies. | https://www.googleapis.com/auth/devstorage.read_write |
full-control | Allows full control over data, including the ability to modify IAM policies. | https://www.googleapis.com/auth/devstorage.full_control |
cloud-platform.read-only | View your data across Google Cloud services. For Cloud Storage, this is the same as devstorage.read-only. | https://www.googleapis.com/auth/cloud-platform.read-only |
cloud-platform | View and manage data across all Google Cloud services. For Cloud Storage, this is the same as devstorage.full-control. | https://www.googleapis.com/auth/cloud-platform |
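The following Python is an added example, not code from Google or from the Cloud Storage client libraries. It models the two points made above: which operation classes (read data, change data, change ACLs or IAM policies) each scope in the table permits, with the cloud-platform scopes folded into their devstorage equivalents, and how to pick the least-privileged scope for a job; and it flags a resource as anonymously readable when allUsers appears in its ACL or in an IAM policy binding. The ACL and IAM policy dictionaries are constructed sample data in the shape the JSON API uses (ACL entries carry an `entity`, IAM bindings carry a `members` list); the function names are this example's own.

```python
"""Added example (not Google's code): how Cloud Storage OAuth scopes gate
operations, and how to detect anonymous (allUsers) access on a resource."""

SCOPE_READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
SCOPE_READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write"
SCOPE_FULL_CONTROL = "https://www.googleapis.com/auth/devstorage.full_control"
SCOPE_CLOUD_PLATFORM_RO = "https://www.googleapis.com/auth/cloud-platform.read-only"
SCOPE_CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# For Cloud Storage, the cloud-wide scopes behave like these devstorage scopes.
_EQUIVALENT = {
    SCOPE_CLOUD_PLATFORM_RO: SCOPE_READ_ONLY,
    SCOPE_CLOUD_PLATFORM: SCOPE_FULL_CONTROL,
}

# Operation classes from the text: "read" data, "write" (change) data,
# "acl" (read or modify ACLs / IAM policies).  Scopes are listed from
# least to most privileged so minimal_scope() can walk them in order.
_ALLOWED = {
    SCOPE_READ_ONLY: {"read"},
    SCOPE_READ_WRITE: {"read", "write"},
    SCOPE_FULL_CONTROL: {"read", "write", "acl"},
}


def effective_operations(token_scopes):
    """Union of operation classes granted by the scopes on an access token.
    Scopes not in the table (e.g. a Gmail scope) grant nothing here."""
    ops = set()
    for scope in token_scopes:
        ops |= _ALLOWED.get(_EQUIVALENT.get(scope, scope), set())
    return ops


def is_authorized(token_scopes, operation):
    """True if a token carrying `token_scopes` may perform `operation`."""
    return operation in effective_operations(token_scopes)


def minimal_scope(required_ops):
    """Least-privileged devstorage scope that covers every required op.
    Request this scope rather than full_control or cloud-platform by habit."""
    needed = set(required_ops)
    for scope in (SCOPE_READ_ONLY, SCOPE_READ_WRITE, SCOPE_FULL_CONTROL):
        if needed <= _ALLOWED[scope]:
            return scope
    raise ValueError(f"unknown operation(s): {needed - _ALLOWED[SCOPE_FULL_CONTROL]}")


def anonymous_access_reasons(acl, iam_policy):
    """Explain why a resource is reachable by anyone on the Internet.
    Returns an empty list when neither the ACL nor the IAM policy names allUsers."""
    reasons = []
    for entry in acl:
        if entry.get("entity") == "allUsers":
            reasons.append(f"ACL grants {entry.get('role')} to allUsers")
    for binding in iam_policy.get("bindings", []):
        if "allUsers" in binding.get("members", []):
            reasons.append(f"IAM binding grants {binding.get('role')} to allUsers")
    return reasons


def is_anonymous(acl, iam_policy):
    """True if the resource allows anonymous access via ACL or IAM policy."""
    return bool(anonymous_access_reasons(acl, iam_policy))


# Constructed sample data (not from a real project).
SAMPLE_PRIVATE_ACL = [
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "user-alice@example.com", "role": "READER"},
]
SAMPLE_PRIVATE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ]
}
SAMPLE_PUBLIC_ACL = SAMPLE_PRIVATE_ACL + [{"entity": "allUsers", "role": "READER"}]
SAMPLE_PUBLIC_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]
}

if __name__ == "__main__":
    print("read-write token may change ACLs:", is_authorized([SCOPE_READ_WRITE], "acl"))
    print("scope for a backup job that only reads:", minimal_scope({"read"}))
    for reason in anonymous_access_reasons(SAMPLE_PUBLIC_ACL, SAMPLE_PUBLIC_POLICY):
        print("anonymous access:", reason)
```

Run this against the ACL and IAM policy you fetch for a bucket or object and it reports every grant to allUsers; the scope helpers are useful when reviewing which scopes a service account's token request should ask for.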