Google Cloud Storage uses scopes to determine what permissions an identity has on a specified resource. Google scopes are formatted as urls. There are three basic types: read-only, read-write and full-control.

read-only

Only allows access to read data, including listing buckets.

https://www.googleapis.com/auth/devstorage.read_only

read-write

Allows access to read and change data, but not metadata like IAM policies.

https://www.googleapis.com/auth/devstorage.read_write

full-control

Allows full control over data, including the ability to modify IAM policies.

https://www.googleapis.com/auth/devstorage.full_control

For example, if you wanted to create a presigned url for a file download in C#:

using System;
using System.Net.Http;
using System.IO;
using Google.Cloud.Storage.V1;
using Google.Apis.Auth.OAuth2;

ServiceAccountCredential cred;
var scopes = new string[] { "https://www.googleapis.com/auth/devstorage.read_only" };

cred = GoogleCredential
                 .GetApplicationDefault().
                 .CreateScoped(scopes)
                 .UnderlyingCredential as ServiceAccountCredential;

UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(cred);

var bucketName = "mybucket";
var objectName = "myfile.txt";

string url = urlSigner.Sign(
                  bucketName,
                  objectName,
                  TimeSpan.FromHours(1),
                  HttpMethod.Get);

Console.WriteLine(url);

Documentation for Scopes
Documentation for UrlSigner