Update IAM role for Cloudflare access to GCS bucket

nissessenap · web-flow · commit 251c5fcb2acf · 2025-10-08T07:57:08.000+02:00
There is no need for objectAdmin, when all logpush does is to push to GCS. ## Reference https://cloud.google.com/storage/docs/access-control/iam-roles#storage.objectCreator https://cloud.google.com/storage/docs/access-control/iam-roles#storage.objectAdmin
diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/google-cloud-storage.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/google-cloud-storage.mdx
@@ -22,7 +22,7 @@ Cloudflare Logpush supports pushing logs directly to Google Cloud Storage (GCS)
    - **Bucket** - GCS bucket name
    - **Path** - bucket location within the storage container
    - **Organize logs into daily subfolders** (recommended)
-   - For **Grant Cloudflare access to upload files to your bucket**, make sure your bucket has added Cloudflare’s IAM as a user with a [Storage Object Admin role](https://cloud.google.com/storage/docs/access-control/iam-roles).
+   - For **Grant Cloudflare access to upload files to your bucket**, make sure your bucket has added Cloudflare’s IAM as a user with a [Storage Object Creator role](https://cloud.google.com/storage/docs/access-control/iam-roles).
 
 When you are done entering the destination details, select **Continue**.
 
@@ -44,12 +44,12 @@ When you are done entering the destination details, select **Continue**.
 
 ## Create and get access to a GCS bucket
 
-Cloudflare uses Google Cloud Identity and Access Management (IAM) to gain access to your bucket. The Cloudflare IAM service account needs admin permission for the bucket.
+Cloudflare uses Google Cloud Identity and Access Management (IAM) to gain access to your bucket. The Cloudflare IAM service account needs object creator permission for the bucket.
 
 <Render file="enable-read-permissions" product="logs" /> <br />
 
 To enable Logpush to GCS:
 
 1. Create a GCS bucket. Refer to [instructions from GCS](https://cloud.google.com/storage/docs/creating-buckets#storage-create-bucket-console).
 
-2. In **Storage** > **Browser** > **Bucket** > **Permissions**, add the member `logpush@cloudflare-data.iam.gserviceaccount.com` with `Storage Object Admin` permission.
+2. In **Storage** > **Browser** > **Bucket** > **Permissions**, add the member `logpush@cloudflare-data.iam.gserviceaccount.com` with `Storage Object Creator` permission.
