terraform-provider-google/website/docs/r/storage_bucket_iam.html.markdown

---
layout: "google"
page_title: "Google: google_storage_bucket_iam"
sidebar_current: "docs-google-storage-bucket-iam"
description: |-
 Collection of resources to manage IAM policy for a Google storage bucket.
---

# IAM policy for Google storage bucket

Three different resources help you manage your IAM policy for storage bucket. Each of these resources serves a different use case:

* `google_storage_bucket_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the storage bucket are preserved.
* `google_storage_bucket_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the storage bucket are preserved.
* `google_storage_bucket_iam_policy`: Setting a policy removes all other permissions on the bucket, and if done incorrectly, there's a real chance you will lock yourself out of the bucket. If possible for your use case, using multiple google_storage_bucket_iam_binding resources will be much safer. See the usage example on how to work with policy correctly.


~> **Note:** `google_storage_bucket_iam_binding` resources **can be** used in conjunction with `google_storage_bucket_iam_member` resources **only if** they do not grant privilege to the same role.

## google\_storage\_bucket\_iam\_binding

```hcl
resource "google_storage_bucket_iam_binding" "binding" {
  bucket = "your-bucket-name"
  role        = "roles/storage.objectViewer"

  members = [
    "user:jane@example.com",
  ]
}
```

## google\_storage\_bucket\_iam\_member

```hcl
resource "google_storage_bucket_iam_member" "member" {
  bucket = "your-bucket-name"
  role        = "roles/storage.objectViewer"
  member      = "user:jane@example.com"
}
```

## google\_storage\_bucket\_iam\_policy

When applying a policy that does not include the roles listed below, you lose the default permissions which google adds to your bucket:
* `roles/storage.legacyBucketOwner`
* `roles/storage.legacyBucketReader`

If this happens only an entity with `roles/storage.admin` privileges can repair this bucket's policies. It is recommended to include the above roles in policies to get the same behaviour as with the other two options.

```hcl
data "google_iam_policy" "foo-policy" {
  binding {
    role = "roles/your-role"

    members = [ "group:yourgroup@example.com" ]
  }
}

resource "google_storage_bucket_iam_policy" "member" {
  bucket = "your-bucket-name"
  policy_data = "${data.google_iam_policy.foo-policy.policy_data}"
}
```


## Argument Reference

The following arguments are supported:

* `bucket` - (Required) The name of the bucket it applies to.

* `member/members` - (Required) Identities that will be granted the privilege in `role`.
  Each entry can have one of the following values:
  * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

* `role` - (Required) The role that should be applied. Note that custom roles must be of the format
    `[projects|organizations]/{parent-name}/roles/{role-name}`.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
exported:

* `etag` - (Computed) The etag of the storage bucket's IAM policy.
Add IAM support for storage bucket (#822) * Add IAM support for storage bucket * Add documentation * Test multiple roles 2017-12-07 21:12:25 +00:00			`---`
			`layout: "google"`
			`page_title: "Google: google_storage_bucket_iam"`
			`sidebar_current: "docs-google-storage-bucket-iam"`
			`description: \|-`
			`Collection of resources to manage IAM policy for a Google storage bucket.`
			`---`

			`# IAM policy for Google storage bucket`

#843: Add policy support to storage buckets (#1190) 2018-05-08 21:00:48 +00:00			`Three different resources help you manage your IAM policy for storage bucket. Each of these resources serves a different use case:`
Add IAM support for storage bucket (#822) * Add IAM support for storage bucket * Add documentation * Test multiple roles 2017-12-07 21:12:25 +00:00
			* `google_storage_bucket_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the storage bucket are preserved.
			* `google_storage_bucket_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the storage bucket are preserved.
#843: Add policy support to storage buckets (#1190) 2018-05-08 21:00:48 +00:00			* `google_storage_bucket_iam_policy`: Setting a policy removes all other permissions on the bucket, and if done incorrectly, there's a real chance you will lock yourself out of the bucket. If possible for your use case, using multiple google_storage_bucket_iam_binding resources will be much safer. See the usage example on how to work with policy correctly.

Add IAM support for storage bucket (#822) * Add IAM support for storage bucket * Add documentation * Test multiple roles 2017-12-07 21:12:25 +00:00
			~> Note: `google_storage_bucket_iam_binding` resources can be used in conjunction with `google_storage_bucket_iam_member` resources only if they do not grant privilege to the same role.

			`## google\_storage\_bucket\_iam\_binding`

			```hcl
			`resource "google_storage_bucket_iam_binding" "binding" {`
			`bucket = "your-bucket-name"`
			`role = "roles/storage.objectViewer"`

			`members = [`
			`"user:jane@example.com",`
			`]`
			`}`
			```

			`## google\_storage\_bucket\_iam\_member`

			```hcl
			`resource "google_storage_bucket_iam_member" "member" {`
			`bucket = "your-bucket-name"`
			`role = "roles/storage.objectViewer"`
			`member = "user:jane@example.com"`
			`}`
			```

#843: Add policy support to storage buckets (#1190) 2018-05-08 21:00:48 +00:00			`## google\_storage\_bucket\_iam\_policy`

			`When applying a policy that does not include the roles listed below, you lose the default permissions which google adds to your bucket:`
			* `roles/storage.legacyBucketOwner`
			* `roles/storage.legacyBucketReader`

			If this happens only an entity with `roles/storage.admin` privileges can repair this bucket's policies. It is recommended to include the above roles in policies to get the same behaviour as with the other two options.

			```hcl
			`data "google_iam_policy" "foo-policy" {`
			`binding {`
			`role = "roles/your-role"`

			`members = [ "group:yourgroup@example.com" ]`
			`}`
			`}`

			`resource "google_storage_bucket_iam_policy" "member" {`
			`bucket = "your-bucket-name"`
			`policy_data = "${data.google_iam_policy.foo-policy.policy_data}"`
			`}`
			```


Add IAM support for storage bucket (#822) * Add IAM support for storage bucket * Add documentation * Test multiple roles 2017-12-07 21:12:25 +00:00			`## Argument Reference`

			`The following arguments are supported:`

			* `bucket` - (Required) The name of the bucket it applies to.

			* `member/members` - (Required) Identities that will be granted the privilege in `role`.
			`Each entry can have one of the following values:`
			`* allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.`
			`* allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.`
			`* user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.`
			`* serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.`
			`* group:{emailid}: An email address that represents a Google group. For example, admins@example.com.`
Replace "Google Apps domain" with "G Suite domain" Google Apps is a former name. Also, I mention primary domain and domain alias. It seems I have to use the primary domain. Otherwise, GCP replaces the field to the primary one. And every time Terraform plan returns a diff about it. I used domain alias for `members` arg in `google_project_iam_member` resource. `terraform apply` was succeeded. However, when I run modify other resources, I got a diff about the `google_project_iam_member` resource. 2018-09-22 11:51:42 +00:00			`* domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.`
Add IAM support for storage bucket (#822) * Add IAM support for storage bucket * Add documentation * Test multiple roles 2017-12-07 21:12:25 +00:00
clarify custom roles format for iam (#998) 2018-01-22 23:34:17 +00:00			* `role` - (Required) The role that should be applied. Note that custom roles must be of the format
Fixed small typos in the doc, where the custom roles names should contain "projects\|organizations" in plural form. (#1012) 2018-01-27 00:36:57 +00:00			`[projects\|organizations]/{parent-name}/roles/{role-name}`.
Add IAM support for storage bucket (#822) * Add IAM support for storage bucket * Add documentation * Test multiple roles 2017-12-07 21:12:25 +00:00
			`## Attributes Reference`

			`In addition to the arguments listed above, the following computed attributes are`
			`exported:`

#843: Add policy support to storage buckets (#1190) 2018-05-08 21:00:48 +00:00			* `etag` - (Computed) The etag of the storage bucket's IAM policy.