Google Cloud Storage uses scopes to determine what permissions an identity has on a specified resource. Google scopes are formatted as urls. There are three basic types: read-only, read-write and full-control.

read-only

Only allows access to read data, including listing buckets.

https://www.googleapis.com/auth/devstorage.read_only

read-write

Allows access to read and change data, but not metadata like IAM policies.

https://www.googleapis.com/auth/devstorage.read_write

full-control

Allows full control over data, including the ability to modify IAM policies.

https://www.googleapis.com/auth/devstorage.full_control

For example, if you wanted to create a presigned url for a file download in C#:

Documentation for Scopes
Documentation for UrlSigner