Google Cloud Storage uses scopes to determine what permissions an identity has on a specified resource. Google scopes are formatted as URLs. There are three basic types: read-only, read-write and full-control.


Read-only: only allows access to read data, including listing buckets.

Read-write: allows access to read and change data, but not metadata like IAM policies.

Full-control: allows full control over data, including the ability to modify IAM policies.

For example, if you wanted to create a presigned URL for a file download in C#:
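The following is an added example, not code from the original page: it signs a short-lived, GET-only download URL with the .NET `Google.Cloud.Storage.V1` client while requesting only the read-only scope. The key-file environment variable, bucket name and object name are placeholder assumptions.

```csharp
// Added example. Requires the Google.Cloud.Storage.V1 NuGet package.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;
using Google.Cloud.Storage.V1;

public static class SignedDownloadExample
{
    // Scopes are URLs; a download only needs the read-only one.
    private const string ReadOnlyScope =
        "https://www.googleapis.com/auth/devstorage.read_only";

    // Keep the lifetime short: anyone holding the URL can use it until it expires.
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    public static async Task<string> CreateDownloadUrlAsync(
        string keyFilePath, string bucketName, string objectName)
    {
        // Least privilege: scope the credential to read-only instead of full-control.
        GoogleCredential credential = GoogleCredential
            .FromFile(keyFilePath)
            .CreateScoped(ReadOnlyScope);

        UrlSigner signer = UrlSigner.FromCredential(credential);

        // The signature covers the HTTP method, so this URL is valid for GET only
        // and only for what the signing account is itself allowed to read.
        return await signer.SignAsync(bucketName, objectName, Lifetime, HttpMethod.Get);
    }

    public static async Task Main()
    {
        // Placeholder inputs (assumptions for this example).
        string keyFile = Environment.GetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS")
            ?? throw new InvalidOperationException(
                "Set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.");

        string url = await CreateDownloadUrlAsync(keyFile, "example-bucket", "reports/example.pdf");
        Console.WriteLine(url);
    }
}
```

Treat the resulting URL as a bearer secret: keep it out of logs and hand it only to the intended recipient.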

Documentation for Scopes
Documentation for UrlSigner