You get a bucket, you can put things in.
When you set up a bucket you get 2 options:
In this mode, permissions are granted through both IAM and ACLs.
ACLs consist of pairs of role (OWNER) and entity, attached to either the bucket or an object.
This is by default quite lax.
In this mode the IAM roles/storage.legacy* roles are special:
they turn IAM role grants into bucket-level ACLs,
so you'll see an ACL entry for each IAM role grant.
Here, permissions are granted as roles via IAM. Pretty straightforward.
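
An added audit sketch (not from the original notes) that tells the two modes apart, derives the bucket-level ACL entries that legacy IAM roles produce, and flags public grants. The bucket, policy and object ACL data are constructed samples shaped like the JSON API resources; the member-to-entity translation covers only user, group and domain members and is an assumption of this example.

```python
# Legacy IAM roles and the bucket-level ACL role each one shows up as.
LEGACY_ROLE_TO_ACL = {
    "roles/storage.legacyBucketReader": "READER",
    "roles/storage.legacyBucketWriter": "WRITER",
    "roles/storage.legacyBucketOwner": "OWNER",
}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def member_to_entity(member):
    """IAM member 'user:a@x' -> ACL entity 'user-a@x' (other member kinds: None)."""
    if member in PUBLIC:
        return member
    kind, _, ident = member.partition(":")
    return f"{kind}-{ident}" if kind in ("user", "group", "domain") else None

def audit_bucket(bucket, iam_policy, object_acls):
    """Return the access mode, derived bucket ACL entries and public-grant findings."""
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    bindings = iam_policy.get("bindings", [])
    # IAM applies in both modes, so public IAM members are always reported.
    findings = [("iam-public", b["role"], m)
                for b in bindings for m in b["members"] if m in PUBLIC]
    if ubla.get("enabled"):
        return {"mode": "uniform", "bucket_acl": [], "findings": findings}
    bucket_acl = set()
    for b in bindings:  # each legacy role grant appears as a bucket ACL entry
        acl_role = LEGACY_ROLE_TO_ACL.get(b["role"])
        for m in b["members"]:
            entity = member_to_entity(m)
            if acl_role and entity:
                bucket_acl.add((acl_role, entity))
    for name, entries in object_acls.items():  # object ACLs live outside IAM
        findings += [("object-acl-public", name, e["entity"])
                     for e in entries if e["entity"] in PUBLIC]
    return {"mode": "fine-grained", "bucket_acl": sorted(bucket_acl), "findings": findings}

# Constructed sample input (hypothetical bucket and principals).
SAMPLE_BUCKET = {"name": "example-bucket",
                 "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.legacyBucketOwner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.legacyBucketReader", "members": ["allUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com"]},
]}
SAMPLE_OBJECT_ACLS = {"report.pdf": [
    {"entity": "user-alice@example.com", "role": "OWNER"},
    {"entity": "allAuthenticatedUsers", "role": "READER"},
]}

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_BUCKET, SAMPLE_POLICY, SAMPLE_OBJECT_ACLS))
```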