
The Professional Cloud Architect exam expects you to recognize a small set of predefined Cloud Storage IAM roles by name and know what each one lets a principal do. The list is short, but the distinctions matter, especially when an exam question hinges on giving someone the least privilege needed to upload a file or read an object.
I want to walk through the five roles you should commit to memory before sitting for the exam.
Storage Admin grants full control over Cloud Storage resources. That includes creating, configuring, and deleting buckets, plus reading, writing, and deleting objects inside them. If a question asks who can manage every aspect of a bucket and its contents, this is the role.
Because Storage Admin covers everything, I treat it as the role you assign sparingly. On the exam, watch for questions where this role is offered alongside more specific options. If a narrower role can satisfy the requirement, that narrower role is usually the right answer under a least-privilege framing.
Storage Object Admin lets a principal manage objects inside Cloud Storage buckets. That means reading, writing, and deleting individual objects, but it does not give the principal the ability to create or delete buckets or change bucket-level configuration.
This is the role I reach for when a workload needs full control of object data without any need to own the bucket itself. A pipeline that ingests files, overwrites them, and cleans them up fits Storage Object Admin cleanly.
Storage Object Creator lets a principal upload objects to Cloud Storage buckets. It is intentionally narrow. A principal with only this role can write a new object, but it cannot read existing objects, modify them, or delete them.
This is the canonical least-privilege role for a write-only ingestion path. If an application service account only needs to drop logs, telemetry, or uploaded user files into a bucket, Storage Object Creator is exactly what you want. If you see an exam question describing a workload that should be able to push data into Cloud Storage but never read it back, this is the answer.
Storage Object Viewer grants read-only access to objects in Cloud Storage buckets. The principal can list and read objects but cannot upload new ones, overwrite existing ones, or delete anything.
I use this role for downstream consumers: BI tools that read Parquet files, dashboards that pull static assets, or analysts who need to inspect data in a bucket without any risk of mutating it. On the exam, Storage Object Viewer is the natural pair to Storage Object Creator. One writes, the other reads, and together they cover most narrowly-scoped Cloud Storage access patterns.
Storage Legacy Bucket Reader grants the ability to read bucket metadata and the object data inside the bucket. It is one of the legacy roles Google kept around from earlier Cloud Storage IAM models, before the more granular object-level roles existed.
You are unlikely to use this role in a greenfield design today. The reason it appears on the Professional Cloud Architect exam is that Google still references the legacy roles, and you may see one in a question about an existing project that has not been migrated to the newer role set. Recognize the name and know that it grants read access at the bucket level.
Most Cloud Storage IAM questions on the Professional Cloud Architect exam test one of two things. The first is least privilege. You are given a workload and asked which role grants the smallest permission set that still lets the workload function. The answer is almost always Storage Object Creator for write-only paths, Storage Object Viewer for read-only paths, and Storage Object Admin when the workload needs full control of the data but not the bucket.
The second pattern is recognizing what a role does not include. Storage Object Creator does not let you read. Storage Object Viewer does not let you write. Storage Object Admin does not let you create or delete buckets. If a question describes a failure mode, a service account that can upload but cannot list, for example, the role assignment is usually the explanation.
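Both exam patterns above, least-privilege selection and spotting what a role lacks, can be worked through mechanically. The script below is an added example, not from the original post or from Google's tooling; it models each of the five roles as a simplified, hand-written permission set (an assumption, not an authoritative export of the roles), picks the narrowest role that covers a workload's required permissions, and names the permission a misassigned role is missing.

```python
"""Least-privilege role selection for the five Cloud Storage roles discussed above."""
from typing import Dict, FrozenSet, Optional, Set

OBJECT_PERMS = frozenset({
    "storage.objects.create", "storage.objects.get", "storage.objects.list",
    "storage.objects.update", "storage.objects.delete",
})
BUCKET_PERMS = frozenset({
    "storage.buckets.create", "storage.buckets.get",
    "storage.buckets.update", "storage.buckets.delete",
})

# Simplified permission model (assumption): enough to reason about the exam
# distinctions, not the full permission list Google publishes for each role.
ROLES: Dict[str, FrozenSet[str]] = {
    "roles/storage.objectCreator": frozenset({"storage.objects.create"}),   # write-only
    "roles/storage.objectViewer": frozenset({"storage.objects.get",
                                             "storage.objects.list"}),      # read-only
    "roles/storage.objectAdmin": OBJECT_PERMS,                               # objects, not buckets
    "roles/storage.admin": OBJECT_PERMS | BUCKET_PERMS,                      # everything
    # Legacy role, modelled here as bucket metadata plus object listing.
    "roles/storage.legacyBucketReader": frozenset({"storage.buckets.get",
                                                   "storage.objects.list"}),
}
LEGACY_ROLES = {"roles/storage.legacyBucketReader"}


def least_privilege_role(required: Set[str], include_legacy: bool = False) -> Optional[str]:
    """Return the role with the fewest permissions that still covers every required one.

    Legacy roles are skipped by default, matching the greenfield-design advice above;
    ties are broken by role name so the result is deterministic.
    """
    candidates = [
        (len(perms), name) for name, perms in ROLES.items()
        if required <= perms and (include_legacy or name not in LEGACY_ROLES)
    ]
    return min(candidates)[1] if candidates else None


def missing_permissions(role: str, attempted: Set[str]) -> Set[str]:
    """Explain a failure mode: which attempted permissions does the assigned role lack?"""
    return set(attempted) - ROLES[role]


if __name__ == "__main__":
    # A service account that can upload but cannot list: the classic exam failure mode.
    print(least_privilege_role({"storage.objects.create"}))
    print(missing_permissions("roles/storage.objectCreator",
                              {"storage.objects.create", "storage.objects.list"}))
```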
My Professional Cloud Architect course covers Cloud Storage IAM roles alongside the rest of the storage and analytics material.