This page provides an overview of managed folders in Cloud Storage, which exist as a resource and are different from simulated folders.
You can apply Identity and Access Management (IAM) policies to managed folders to grant principals access only to the objects within the managed folder, which lets you more finely control access for specific data sets and tables within a bucket. You can nest managed folders up to 15 levels deep, including the parent managed folder.
Managed folders can only be created in buckets that have uniform bucket-level access enabled.
IAM for managed folders
When you apply an IAM policy on a managed folder, the access granted in the policy also applies to any object within that bucket that has the managed folder's name as a prefix. For example, if you grant a principal the Storage Object Viewer (roles/storage.objectViewer) role on a managed folder named example-bucket/example-managed-folder/, the principal can view any object within example-managed-folder (such as example-bucket/example-managed-folder/example-object.txt).
When you nest managed folders, the permissions granted through IAM policies are applied additively.
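The prefix and nesting rules above, as an added example that is not part of the original page: a small Python model that, for an object name, collects the bindings from every managed folder whose name is a prefix of it. The folder names, principals and the FOLDER_POLICIES table are constructed sample data, names are relative to the bucket, and bucket-level or project-level policies are outside the model.

```python
# Added example: model of how managed-folder IAM grants reach objects.
# Every folder name, principal and binding below is constructed sample data.

# Managed folder name (relative to the bucket) -> (role, principal) bindings.
FOLDER_POLICIES = {
    "reports/": [("roles/storage.objectViewer", "group:analysts@example.com")],
    "reports/finance/": [("roles/storage.objectAdmin", "user:cfo@example.com")],
    "reports/finance/payroll/": [
        ("roles/storage.objectViewer", "user:auditor@example.com"),
    ],
}


def applicable_folders(object_name, policies=FOLDER_POLICIES):
    """Managed folders whose name is a prefix of the object name, outermost first."""
    return sorted((f for f in policies if object_name.startswith(f)), key=len)


def effective_grants(object_name, policies=FOLDER_POLICIES):
    """Union of the bindings of every applicable folder (nesting is additive).

    Returns {(role, principal): [folders that contributed the binding]} so a
    reviewer can see which managed folder each grant comes from.
    """
    grants = {}
    for folder in applicable_folders(object_name, policies):
        for binding in policies[folder]:
            grants.setdefault(binding, []).append(folder)
    return grants


def principals_with_access(object_name, policies=FOLDER_POLICIES):
    """Principals holding any managed-folder role that reaches the object."""
    return {principal for (_, principal) in effective_grants(object_name, policies)}


if __name__ == "__main__":
    samples = (
        "reports/finance/payroll/2024.csv",  # inside three nested folders
        "reports/q1.pdf",                    # inside the outermost folder only
        "reports-old/q1.pdf",                # similar name, but "reports/" is not a prefix
    )
    for name in samples:
        print(name)
        for (role, principal), folders in effective_grants(name).items():
            print(f"  {principal}  {role}  via {', '.join(folders)}")
```

Running it shows that a grant on an outer managed folder reaches every object below it, so a narrow grant on a nested folder never reduces what an outer folder already gives.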
Read the following pages for more information about managed folders:
ManagedFolder reference page for the JSON API
Managed folder names
The name you give to a managed folder must meet the following requirements:
Managed folder names can contain any sequence of valid Unicode characters, of length 1-700 bytes when UTF-8 encoded.
Managed folder names cannot contain Carriage Return or Line Feed characters.
Managed folder names must end with /. At most, a managed folder name can have 15 /s. In other words, you can nest up to 15 managed folders.
Managed folder names cannot start with .well-known/acme-challenge/.
Managed folders cannot be named "." or "..".
It is strongly recommended that you avoid the following in your managed folder names:
Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders.
The [, ], *, or ? characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, * and ? are not valid characters for file names in Windows.
Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket.
Considerations
When working with managed folders, note the following considerations:
Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named my-folder/, even if you have an existing object named my-folder/object.txt. Note that the IAM policy on the managed folder my-folder/ will then apply to all objects that have my-folder/ as a name prefix.
You can create child managed folders before the parent managed folder is created. For example, you can create a managed folder named my-folder-A/my-folder-B/ without first creating a managed folder named my-folder-A/.
By default, you can't delete a non-empty managed folder that contains objects or other child managed folders. You can bypass this rule when using the allowNonEmpty parameter in a Delete ManagedFolder JSON API request.
What's next
Learn about flat namespace folders.
Upload objects to a Cloud Storage bucket.