# Add IAM conditions

*This page applies to **Apigee** and **Apigee hybrid**.*
Identity and Access Management (IAM) Conditions lets you define and enforce conditional access control for Google Cloud resources, including API hub resources. For more information about IAM Conditions, see [Overview of IAM Conditions](/iam/docs/conditions-overview).

In API hub, you can enforce conditional access based on the following [IAM resource condition attributes](/iam/docs/conditions-attribute-reference#resource):

- **resource.service condition attribute**: Use to configure conditional access based on the Google Cloud service being used. For example, you can set a condition limiting a user's access to resources that belong to the `apihub.googleapis.com` service. For a list of supported values, see [Resource service values](/iam/docs/conditions-resource-attributes#resource-service).
- **resource.type condition attribute**: Use to configure conditional access based on the type of resource being accessed. For example, you can set a condition limiting a user's access to resources of type `apihub.googleapis.com/Api`. For a list of supported values, see [Resource type values](/iam/docs/conditions-resource-attributes#resource-type).
- **resource.name condition attribute**: Use to configure conditional access based on all or part of the name of a resource. For a list of supported API hub name formats, see [Resource name format](/iam/docs/conditions-resource-attributes#resource-name).
- **Resource tags**: Use to configure conditional access based on the [tags](/apigee/docs/apihub/attach-manage-tags) attached to a resource. For example, you can set a condition that grants a role only for resources that have the tag `env: prod` attached.
## Add IAM condition

To add an IAM condition to an existing principal (user, group, or service account), perform the following steps:

1. In the Google Cloud console, go to the **IAM** page.

   [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId)
2. Select your project, folder, or organization.
3. From the list of principals, find the principal for which you want to add the IAM condition, and click edit (**Edit principal**).

   The **Edit access** pane appears.
4. Find the role to which you want to add the IAM condition and click **+ Add IAM Condition**.
5. In the **Add condition** pane, provide the following information:
   1. **Title:** Enter a name for the condition that you're adding to the role.
   2. **Description:** (Optional) Enter a description for the condition.
   3. Add the condition using either the **Condition builder** or the **Condition editor**.

      The **Condition builder** provides an interactive interface for selecting the condition type, operator, and other details of the expression. The **Condition editor** provides a text-based interface for entering a condition expression in [CEL](/iam/docs/conditions-overview#cel) syntax.

      For detailed instructions about how to use the **Condition builder** or the **Condition editor**, see [Configure resource-based access](/iam/docs/configuring-resource-based-access).
   4. Click **Save** to apply the condition.
6. Click **Save** again in the **Edit access** pane to update the principal.
## Examples of using IAM conditions for API hub

### Example 1: Access control for all API resources starting with a prefix or based on a [Tag](/apigee/docs/apihub/attach-manage-tags)

The following condition expression defines access control as follows:

- Access to API resources whose name starts with the prefix. This includes access to all API resources (API versions, deployments, specifications, operations, and definitions) under that prefix.
- Access to API resources that have a specific tag applied, regardless of their name.
- Default role-based non-conditional access to other API hub resources.
```
(
  resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION/apis/API_ID_PREFIX") ||
  resource.matchTagId("tagKeys/TAG_KEY", "tagValues/TAG_VALUE") ||
  (
    resource.type != "apihub.googleapis.com/Api" &&
    resource.type != "apihub.googleapis.com/Version" &&
    resource.type != "apihub.googleapis.com/Spec" &&
    resource.type != "apihub.googleapis.com/ApiOperation" &&
    resource.type != "apihub.googleapis.com/Definition"
  )
)
```

Replace the following:

- `PROJECT_ID`: The ID of your Google Cloud project.
- `LOCATION`: The API hub location.
- `API_ID_PREFIX`: The prefix for the API resource name.
- `TAG_KEY`: The ID of the tag key to use for conditional access (used in the `tagKeys/TAG_KEY` form).
- `TAG_VALUE`: The ID of the tag value to use for conditional access (used in the `tagValues/TAG_VALUE` form).

### Example 2: Access control for multiple APIs with IAM conditions based on resource type

The following condition expression defines access control as follows:

- Access to API hub API resources whose name starts with a prefix.
- Access to the API hub version resource with the specified version ID.
- Access to the API hub spec resource with the specified spec ID.
- Default role-based non-conditional access to other API hub resources.

```
(
  resource.service == "apihub.googleapis.com" &&
  resource.type == "apihub.googleapis.com/Api" &&
  resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION/apis/API1_ID_PREFIX")
) ||
(
  resource.service == "apihub.googleapis.com" &&
  resource.type == "apihub.googleapis.com/Version" &&
  resource.name == "projects/PROJECT_ID/locations/LOCATION/apis/API2_ID/versions/API2_VERSION_ID"
) ||
(
  resource.service == "apihub.googleapis.com" &&
  resource.type == "apihub.googleapis.com/Spec" &&
  resource.name == "projects/PROJECT_ID/locations/LOCATION/apis/API3_ID/versions/API3_VERSION_ID/specs/API3_SPEC_ID"
) ||
(
  resource.type != "apihub.googleapis.com/Api" &&
  resource.type != "apihub.googleapis.com/Version" &&
  resource.type != "apihub.googleapis.com/Spec" &&
  resource.type != "apihub.googleapis.com/ApiOperation" &&
  resource.type != "apihub.googleapis.com/Definition"
)
```

Replace the following:

- `PROJECT_ID`: The ID of your Google Cloud project.
- `LOCATION`: The API hub location.
- `API1_ID_PREFIX`: The prefix for the first API resource name.
- `API2_ID`: The ID of the second API resource.
- `API2_VERSION_ID`: The ID of the second API version resource.
- `API3_ID`: The ID of the third API resource.
- `API3_VERSION_ID`: The ID of the third API version resource.
- `API3_SPEC_ID`: The ID of the third API spec resource.

Last updated 2025-09-04 UTC.
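The two condition expressions above, modelled in Python as an added example (not code from the Google Cloud page or the API hub product): each CEL branch is mirrored so you can dry-run which resources a binding would cover before applying it, in particular that the Example 2 prefix grant is limited to `Api` resources while the Example 1 prefix grant reaches versions and specs. It is not a CEL evaluator and does not call IAM; the project, location, resource names, tag IDs and the `SomeOtherType` resource type are constructed placeholders, and tag inheritance is not modelled.

```python
from dataclasses import dataclass

SVC = "apihub.googleapis.com"
# The five API hub resource types that the last branch of both examples excludes;
# any other type falls through to the role's unconditional grant.
API_RESOURCE_TYPES = frozenset(f"{SVC}/{t}" for t in
                               ("Api", "Version", "Spec", "ApiOperation", "Definition"))

@dataclass(frozen=True)
class Resource:
    service: str                   # resource.service
    type: str                      # resource.type
    name: str                      # resource.name (full resource name)
    tags: frozenset = frozenset()  # {("tagKeys/ID", "tagValues/ID")} attached directly

def default_access(res):
    """Last branch of both examples: any non-API resource type is granted."""
    return res.type not in API_RESOURCE_TYPES

def example1(res, api_prefix, tag_key, tag_value):
    """Example 1: name prefix OR tag OR non-API type. Versions and specs share
    their API's name prefix, so one startsWith covers the whole subtree.
    Assumption: the tag must be attached directly; inheritance is not modelled."""
    return (res.name.startswith(api_prefix)
            or (tag_key, tag_value) in res.tags   # resource.matchTagId
            or default_access(res))

def example2(res, api1_prefix, api2_version, api3_spec):
    """Example 2: one grant per resource type, each pinned to resource.service.
    The Api prefix grant does NOT reach that API's versions or specs."""
    hub = res.service == SVC
    return ((hub and res.type == f"{SVC}/Api" and res.name.startswith(api1_prefix))
            or (hub and res.type == f"{SVC}/Version" and res.name == api2_version)
            or (hub and res.type == f"{SVC}/Spec" and res.name == api3_spec)
            or default_access(res))

# Constructed sample resources; project, location and tag IDs are placeholders.
BASE = "projects/my-proj/locations/us-central1"
PAY = Resource(SVC, f"{SVC}/Api", f"{BASE}/apis/payments-core")
PAY_SPEC = Resource(SVC, f"{SVC}/Spec", f"{BASE}/apis/payments-core/versions/v1/specs/openapi")
HR = Resource(SVC, f"{SVC}/Api", f"{BASE}/apis/hr-portal", frozenset({("tagKeys/111", "tagValues/222")}))
HR_V2 = Resource(SVC, f"{SVC}/Version", f"{BASE}/apis/hr-portal/versions/v2")
OTHER = Resource(SVC, f"{SVC}/SomeOtherType", f"{BASE}/other/x")  # constructed non-API type

def dry_run_example1():
    """Map each sample resource to whether Example 1 grants it, using the
    prefix '.../apis/payments' and the tag tagKeys/111 = tagValues/222."""
    return {r.name: example1(r, f"{BASE}/apis/payments", "tagKeys/111", "tagValues/222")
            for r in (PAY, PAY_SPEC, HR, HR_V2, OTHER)}
```

Note that `HR_V2` is denied under Example 1 even though its parent API carries the tag, because the model checks only tags attached to the resource itself; confirm your tag attachment expectations before relying on tag-based grants for child resources.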