You get a bucket, you can put things in.
When you set up a bucket you get 2 options:
In this mode, permissions are granted through both IAM and ACLs.
ACLs consist of pairs of role (READER, WRITER, OWNER) and entity, attached to either the bucket or an object.
This is by default quite lax.
In this mode the IAM roles/storage.legacy* roles are special: they turn IAM role grants into bucket-level ACLs, so you'll see an ACL entry for each IAM role grant.
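To make the mirroring concrete, here is an added example (not code from the original page) that takes a bucket IAM policy and lists the bucket ACL entries you would expect to see for its legacy role grants, then flags the public ones. The policy is constructed sample data. The role-to-ACL and member-to-entity mappings are assumptions based on the Cloud Storage naming conventions and cover only the three legacyBucket roles.

```python
# Added example: works on constructed data, makes no API calls.
# Assumed mapping of legacy bucket IAM roles to bucket ACL roles.
LEGACY_BUCKET_ROLES = {
    "roles/storage.legacyBucketReader": "READER",
    "roles/storage.legacyBucketWriter": "WRITER",
    "roles/storage.legacyBucketOwner": "OWNER",
}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
PROJECT_TEAMS = {"projectOwner": "owners", "projectEditor": "editors",
                 "projectViewer": "viewers"}


def member_to_entity(member):
    """Convert IAM member syntax (user:a@b) to ACL entity syntax (user-a@b)."""
    if member in PUBLIC:
        return member
    kind, _, value = member.partition(":")
    if kind in PROJECT_TEAMS:
        return f"project-{PROJECT_TEAMS[kind]}-{value}"
    if kind in ("user", "group", "domain"):
        return f"{kind}-{value}"
    raise ValueError(f"member kind not handled in this example: {member}")


def mirrored_acl(policy):
    """Return the ACL entries implied by the policy's legacy role grants."""
    entries = []
    for binding in policy.get("bindings", []):
        acl_role = LEGACY_BUCKET_ROLES.get(binding["role"])
        if acl_role is None:
            continue  # non-legacy roles are IAM only and have no ACL entry
        for member in binding["members"]:
            entries.append({"entity": member_to_entity(member), "role": acl_role})
    return entries


def public_entries(acl):
    """ACL entries that grant access to anyone, or to anyone signed in."""
    return [e for e in acl if e["entity"] in PUBLIC]


# Constructed policy: project-team grants, one public read, one plain IAM role.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project", "projectEditor:example-project"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["projectViewer:example-project", "allUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    for entry in mirrored_acl(SAMPLE_POLICY):
        print(entry["role"], entry["entity"])
```

Comparing this derived list with the ACL actually set on the bucket shows which entries come from IAM grants and which were set directly as ACLs.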
Here, permissions are granted as roles via IAM. Pretty straightforward.