Attribute reference for IAM Conditions

This topic describes supported attributes in a condition expression.

Supported condition attributes

The following sections summarize the supported attributes and indicate which Google Cloud services recognize each attribute.

Resource attributes

The following attributes relate to the resource that is the subject of the request.

Attribute Usage summary Supported Google Cloud services
Resource service attribute Manage access based on the Google Cloud service being used.
  • Cloud Key Management Service
  • Cloud Spanner
  • Cloud Storage
  • Compute Engine
  • Identity-Aware Proxy
  • Pub/Sub Lite
  • Resource Manager (resource type and resource service only)
  • Secret Manager
Resource type attribute Manage access based on the resource type.
Resource name attribute Manage access based on the name of the resource.
Resource tags Manage access based on the tags attached to the resource. All Google Cloud services

For more details about resource attributes, see Resource attributes on this page.

Request attributes

The following attributes relate to the details of the request.

Attribute Usage summary Supported Google Cloud services

Access levels attribute

Manage access based on specific access level(s).

An access level is a calculated attribute based on raw attributes about the request and requester, such as origin IP address, device attributes, time of day, and more. For example, an onNetwork access level might require that the device making the request originates from a particular IP address range. Access levels are defined by organization's administrators.

Identity-Aware Proxy

API attributes

Manage access based on data provided by a specific Google Cloud API or service.
  • Cloud Storage
  • Identity and Access Management
  • AI Platform Notebooks
  • API Gateway
  • AutoML
  • Certificate Authority Service
  • Cloud Functions
  • Cloud Healthcare API
  • Cloud IoT
  • Cloud Key Management Service
  • Cloud Run
  • Cloud Runtime Configuration API
  • Compute Engine
  • Container Analysis
  • Dataproc
  • Earth Engine
  • Game Servers
  • Identity and Access Management
  • Identity-Aware Proxy
  • Managed Service for Microsoft Active Directory
  • Resource Manager
  • Secret Manager
  • Service Management

Date/time attributes

Set expirable, scheduled, or limited-duration access to Google Cloud resources.

All Google Cloud services

Destination IP/port attributes

Manage access based on the destination IP address and/or port of a request. For example, a Compute Engine virtual machine (VM) instance might expose an external IP, such as 10.0.0.2, but port 22 might be exposed for administrative usage only.

Current usage is primarily for Identity-Aware Proxy TCP forwarding.

Identity-Aware Proxy

Forwarding rule attributes

Specify the types of forwarding rules that a member can create. For example, you could allow a member to create forwarding rules for internal Google Cloud load balancers, which handle traffic that originates inside a Google Cloud network, but not for external Google Cloud load balancers, which handle traffic that originates from the internet.

URL path/host attributes

Manage access based on the URL path and/or host of a request. For example, a condition could specify that https://example.com is the main application accessible by a general domain of users, while https://hr.example.com/admin is used to access a page in the application where only Human Resources admins can access this portion.

Identity-Aware Proxy

For more details about request attributes, see Request attributes on this page.

Support for inherited conditions

Some types of Google Cloud resources do not allow conditions in their IAM policies. However, you can add conditional role bindings at the organization, folder, or project level, and other resources will inherit those role bindings through the resource hierarchy. For details, see Resources that accept conditional role bindings.

When you use attributes at the organization, folder, or project level, keep in mind that most attributes are available only for specific resource types. Starting on February 26, 2021, if part of a condition uses an attribute that is not available, then that part of the condition is never interpreted as granting access. For example, the condition destination.port == 21 will never grant access to any BigQuery resource, because BigQuery resources do not provide the destination IP/port attributes.

To prevent this issue, use the resource type and resource service attributes described on this page to limit the scope of the condition. For example, the following condition evaluates to true for all resource types other than Identity-Aware Proxy tunnel instances; in contrast, for Identity-Aware Proxy tunnel instances, the condition checks the destination port:

resource.type != 'iap.googleapis.com/TunnelInstance' ||
    destination.port == 21

You do not need to limit the scope of conditions that check the tags attached to a resource. When a condition checks tag keys and values, it cannot check any other attributes, including the resource type and resource service.

Resource attributes

The resource service, resource type, and resource name attributes are typically used to change the scope of an access grant provided by the role binding. When a role contains permissions that apply to different resource-specific attributes, resource-based conditions can be used to grant a subset of the role's permissions for specific type(s) or for specific service(s).

resource.service attribute

The resource.service attribute lets you set a condition based on the Google Cloud service being used. For example, you could set a condition limiting a user's access to resources that use the cloudresourcemanager.googleapis.com service.

Attribute variable resource.service
Attribute type String
Supported operators ==, !=
Supported operand String


For a list of all supported resource service string literals, see Resource attributes for IAM Conditions.

Discussion The variable resource.service, if used, is intended for equality or inequality comparisons.

Note: The .startsWith(<prefix string>), and .endsWith(<suffix string>) functions are not intended to be used with the resource.service attribute. It is not recommended due to unexpected evaluation results.

Examples

Example 1: 

resource.service == "compute.googleapis.com"
Supported services
  • Cloud Key Management Service
  • Cloud Spanner
  • Cloud Storage
  • Compute Engine
  • Identity-Aware Proxy
  • Pub/Sub Lite
  • Resource Manager (resource type and resource service only)
  • Secret Manager

resource.type attribute

The resource.type attribute lets you set a condition based on the resource's type. For example, you could set a condition limiting a user's access to resources of the type storage.googleapis.com/Object.

If your condition uses the resource.name attribute, we strongly recommend that you use the resource.type attribute to control which resource types the condition applies to. For details, see resource.name attribute on this page.

Attribute variable resource.type
Attribute type String
Supported operators ==, !=
Supported operand String


For a list of all supported resource type string literals, see Resource attributes for IAM Conditions.

Discussion The variable resource.type, if used, is intended for equality or inequality comparisons.

Note: The .startsWith(<prefix string>), and .endsWith(<suffix string>) functions are not intended to be used with the resource.type attribute. It is not recommended due to unexpected evaluation results.

Examples

Example 1: 

resource.type != "compute.googleapis.com/Image"

Example 2: 

(resource.type == "compute.googleapis.com/Image" ||
 resource.type == "compute.googleapis.com/Disk")
Supported resource types
Cloud Key Management Service
  • Crypto key versions
  • Crypto keys
  • Key rings
Cloud Spanner
  • Databases
  • Instances
Cloud Storage
  • Buckets
  • Objects
Compute Engine
  • Backend services (global and regional)
  • Firewalls
  • Forwarding rules (global and regional)
  • Images
  • Instance templates
  • Instances
  • Persistent disks (regional and zonal)
  • Snapshots
  • Target HTTP(S) proxies (global and regional)
  • Target SSL proxies
  • Target TCP proxies
Google Cloud Locations1
Identity-Aware Proxy
  • All backend services and App Engine apps
  • All tunnel resources
  • All tunnel zones
  • All web services
  • App Engine app service versions
  • App Engine app services
  • Compute Engine backend services
  • Tunnel instances
Pub/Sub Lite
  • Locations
  • Subscriptions
  • Topics
Resource Manager Projects
Secret Manager
  • Secret versions
  • Secrets

1 Cloud Key Management Service uses this resource type as the parent of key ring resources.

resource.name attribute

The resource.name attribute lets you set a condition based on all or part of a resource name.

The resource.name attribute is available only for specific resource types, which are listed in the table below. We strongly recommend that you limit the applicability of the condition to the intended resource type. If a role contains permissions for a resource type that does not provide the resource.name attribute, you should ensure that those permissions are not restricted by the part of the condition that checks resource.name.

The following example shows how to ensure this behavior. In this example, the condition allows access to all resource types except Cloud Storage buckets and objects. In contrast, for buckets and objects, the condition only allows access to the bucket example-bucket and the objects it contains:

(resource.type != 'storage.googleapis.com/Bucket' &&
 resource.type != 'storage.googleapis.com/Object') ||
resource.name.startsWith('projects/_/buckets/example-bucket')

Note that the first part of the condition checks whether the resource is neither a bucket nor an object. If the resource has a different type, then the entire condition evaluates to true, regardless of the resource name.

Also, note that the condition checks the resource.type attribute, not the resource.service attribute. There are a few benefits of checking the resource.type attribute:

  • It limits the resource.name check to the appropriate set of resources. For example, if you want to grant access to Compute Engine instances with a specific name, it makes sense to exclude all resource types other than Compute Engine instances.
  • It prevents the scope of the condition from changing if a service adds new resource types in the future.

You can use the extract() function to extract a value from a resource name. For example, you can extract a project ID from the resource name of a Compute Engine VM instance, then write a condition expression that refers to the project ID. For details, see Extracting values from attributes on this page.

Attribute variable resource.name
Attribute type String
Supported operators startsWith(), endsWith(), extract(), ==, !=
Supported operand

String

Each resource type uses a specific format for the resource name. For a list of formats, see Resource name format.

Discussion

The resource.name contains the relative resource name for the target resource in the request. The relative resource name is a URI path without a leading forward slash (/).

The startsWith() function takes the prefix string literal to be evaluated against resource.name.

The endsWith() function takes the suffix string literal to be evaluated against resource.name.

The extract() function uses an extraction template to extract part of resource.name. For details, see Extracting values from resource names on this page.

The == and != operators are for comparison with the entire resource.name, or an extracted portion of the resource.name.

Examples

Example 1 (for a Compute Engine VM instance): 

resource.name.startsWith("projects/project-123/zones/us-east1-b/instances/prod-")

Example 2 (for a Cloud Storage bucket): 

resource.name.startsWith("projects/_/buckets/my_bucket/objects/test-object-")

Example 3 (for a Cloud Storage object): 

resource.name.endsWith(".jpg")

Example 4 (for multiple resource types): 

resource.name.extract("projects/{project}/")

Example 5 (for a Cloud Storage bucket): 

resource.name != "projects/_/buckets/secret-bucket-123"
Supported resource types
Cloud Key Management Service
  • Crypto keys
  • Crypto key versions
  • Key rings
Cloud Spanner
  • Databases
  • Instances
Cloud Storage
  • Buckets
  • Objects
Compute Engine
  • Backend services (global and regional)
  • Firewalls
  • Forwarding rules (global and regional)
  • Images
  • Instance templates
  • Instances
  • Persistent disks (regional and zonal)
  • Snapshots
  • Target HTTP(S) proxies (global and regional)
  • Target SSL proxies
  • Target TCP proxies
Pub/Sub Lite
  • Locations
  • Subscriptions
  • Topics
Secret Manager
  • Secret versions
  • Secrets

Resource tags

The functions for resource tags let you set a condition based on the tags that are attached to, or inherited by, a resource. For example, you could set a condition that grants a role only for resources that have the tag env: prod attached. To learn more about controlling access with tags, see Tags and access control.

Each tag consists of a key and a value. There are a few different types of identifiers for each key and value:

  • A permanent ID, which is globally unique and can never be reused. For example, a tag key could have the permanent ID tagKeys/123456789012, and a tag value could have the permanent ID tagValues/567890123456.
  • A short name. The short name for each key must be unique within your organization, and the short name for each value must be unique for its associated key. For example, a tag key could have the short name env, and a tag value could have the short name prod.
  • A namespaced name, which adds your organization's numeric ID to the short name of a tag key. For example, a tag key could have the namespaced name 123456789012/env. Learn how to get your organization ID.

For guidance on choosing which type of identifier to use in your conditions, see Tag definitions and identifiers.

You can use the following functions to work with tags:

Function Type Description
resource.hasTagKey String --> bool

Function:

Checks whether the resource for the request has a tag with the specified key. The tag key is looked up by its namespaced name. To check for a tag key using its permanent ID, use the function resource.hasTagKeyId().

Parameter: String: The namespaced name of the tag key, with the organization's numeric ID and a forward slash as a prefix. For example, 123456789012/env.

Example:

resource.hasTagKey('123456789012/env')
Returns true if the resource for the request has a tag with the key env.

resource.hasTagKeyId String --> bool

Function:

Checks whether the resource for the request has a tag with the specified key. The tag key is looked up by its permanent ID. To check for a tag key using its namespaced name, use the function resource.hasTagKey().

Parameter: String: The permanent ID for the tag key. For example, tagKeys/123456789012.

Example:

resource.hasTagKeyId('tagKeys/123456789012')
Returns true if the resource for the request has a tag with the key tagKeys/123456789012.

resource.matchTag (String, String) --> bool

Function:

Checks whether the resource for the request has a tag with the specified key and value. The key is looked up by its namespaced name, and the value is looked up by its short name. To check for a tag key and value using their permanent IDs, use the function resource.matchTagId().

Parameters:

The first String parameter is the namespaced name for the tag key, with the organization's numeric ID and a forward slash as a prefix. For example, 123456789012/env.

The second String parameter is the short name for the tag value. For example, prod.

Example:

resource.matchTag('123456789012/env', 'prod')
Returns true if the resource for the request has a tag with the key 123456789012/env and the value prod.

resource.matchTagId (String, String) --> bool

Function:

Checks whether the resource for the request has a tag with the specified key and value. The key and value are looked up by their permanent IDs. To check for a tag key using its namespaced name and a value using its short name, use the function resource.matchTag().

Parameters:

The first String parameter is the permanent ID for the tag key. For example, tagKeys/123456789012.

The second String parameter is the permanent ID for the tag value. For example, tagValues/567890123456.

Example:

resource.matchTagId('tagKeys/123456789012', 'tagValues/567890123456')
Returns true if the resource for the request has a tag with the key tagKeys/123456789012 and the value tagValues/567890123456.

Request attributes

Request attributes enable you to create conditions that evaluate details about the request, such as its access level, its date/time, the destination IP address and port (for IAP TCP tunneling), or the expected URL host/path (for IAP).

Access levels attribute

The access levels attribute enables users to set a condition requiring that a request meets specific access level(s) in order to be authorized.

The access levels attribute is derived from attributes of the request, such as the origin IP address, device attributes, the time of day, and more. For example, an access level named fullyTrusted might require that the device making the request is owned by the company and has a screen lock. An onNetwork access level might require that the device making the request originates from a particular IP address range. See the Access Context Manager docs for more information about access levels.

The access levels attribute is available only when you use Identity-Aware Proxy to access a tunnel instance, or to access a web application running on App Engine or Compute Engine backend services. More specifically, the access levels attribute is available only for requests that check one of these permissions:

  • iap.tunnelInstances.accessViaIAP
  • iap.webServiceVersions.accessViaIAP

You can use the access levels attribute when you conditionally grant the following predefined roles:

  • IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor)

    Contains a single permission, iap.tunnelInstances.accessViaIAP.

  • IAP-secured Web App User (roles/iap.httpsResourceAccessor)

    Contains a single permission, iap.webServiceVersions.accessViaIAP.

You can also use the access levels attribute to conditionally grant a custom role that contains these permissions. The custom role must not contain any other permissions.

request.auth.access_levels attribute

Attribute variable request.auth.access_levels
Attribute type List of Strings
Supported operators in
Supported operand String
Discussion

The variable request.auth.access_levels appears on the right side, and a String representing a full name of the defined access level appears on the left side of the in operator.

The full name of an access level has a name formatted in the following pattern:
"accessPolicies/<policyNumber>/accessLevels/<shortName>"

Note: The access level string is case sensitive, and it must match exactly what is configured in Access Context Manager to take the intended effect. For instance, "accessPolicies/199923665455/accessLevels/CorpNet" is a valid string literal to be used in the expression, however, "accessPolicies/199923665455/accesslevels/CorpNet" will not achieve the intended effect.

Example 
"accessPolicies/199923665455/accessLevels/CorpNet"
 in request.auth.access_levels
Supported resource types Available for requests that use Identity-Aware Proxy to access a tunnel instance, or a web application running on App Engine

API attributes

API attributes help you manage access based on data provided by a specific Google Cloud API or service.

For example, when you use Cloud Storage to list the objects in a bucket, you can use the prefix parameter in the request to include only objects whose names begin with a specific prefix. If you use Credential Access Boundaries to downscope short-lived credentials, you can create a Credential Access Boundary that limits permissions to list objects by checking the API attribute storage.googleapis.com/objectListPrefix. This API attribute contains the value of the prefix parameter from the request.

For examples of when you might need to use API attributes in a condition, see the following pages:

Refer to the following sections to see which services recognize API attributes.

Functions for API attributes

You can use the following function to work with API attributes:

Function Type Description
api.getAttribute (String, T) --> T

Function: Gets the requested API attribute.

Parameters:

String: The API attribute to get. For supported values, see Cloud Storage API attributes and IAM API attributes on this page.

T: The default value to use if the API attribute is not available. Use the same type as the value of the API attribute. For example, if the value of the API attribute is a string, you can use an empty string, or a placeholder string such as undefined.

Example:

api.getAttribute("storage.googleapis.com/objectListPrefix", "")
The value of the prefix parameter that was used to list objects in a Cloud Storage bucket. For requests that omit the prefix parameter, and for other request types, returns an empty string.

hasOnly List<T>.(List<T>) --> bool

Function: Checks that a list contains only the allowed items, or a subset of those items.

Parameters:

List<T>: A list of items with type T. You call the function on a list returned by api.getAttribute(). The parameter is a list of items that the API attribute is allowed to contain.

Example:

api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', [])
    .hasOnly(['roles/pubsub.editor', 'roles/pubsub.publisher'])

Checks whether the request would grant or revoke any roles other than Pub/Sub Editor (roles/pubsub.editor) or Pub/Sub Publisher (roles/pubsub.publisher). The following table shows the result for different request values:

Granted/revoked roles Result
None

true

If no roles are modified, then api.getAttribute() returns the default value. For this attribute, the default value is always an empty list. By definition, an empty list does not contain values that are not on the allowlist.

roles/pubsub.editor

true

The role is on the allowlist.

roles/pubsub.editor
roles/pubsub.publisher

true

Both roles are on the allowlist.

roles/billing.admin

false

The role is not on the allowlist.

roles/billing.admin
roles/pubsub.editor

false

One role is on the allowlist, but the other is not.

Cloud Storage API attributes

Cloud Storage provides the following API attribute.

Attribute Type Description
storage.googleapis.com/objectListPrefix String

For a request to list objects in a bucket, contains the value of the prefix parameter from the request. The attribute is not defined if the request omits the prefix parameter.

For other types of requests, the attribute is not defined.

Services that recognize this attribute:

Only Cloud Storage recognizes this attribute.

IAM API attributes

IAM provides the following API attribute:

Attribute Type Description
iam.googleapis.com/modifiedGrantsByRole Array

For a request to set the IAM policy of a resource, this attribute contains the role names from the role bindings that the request modifies.

For other types of requests, the attribute is not defined.

Resources that accept this attribute:

The following resources accept conditions with the modifiedGrantsByRole attribute in their IAM polices:

  • Projects
  • Folders
  • Organizations

Services that recognize this attribute:

The following services recognize the modifiedGrantsByRole attribute:

  • AI Platform Notebooks
  • API Gateway
  • AutoML
  • Certificate Authority Service
  • Cloud Functions
  • Cloud Healthcare API
  • Cloud IoT
  • Cloud Key Management Service
  • Cloud Run
  • Cloud Runtime Configuration API
  • Compute Engine
  • Container Analysis
  • Dataproc
  • Earth Engine
  • Game Servers
  • Identity and Access Management
  • Identity-Aware Proxy
  • Managed Service for Microsoft Active Directory
  • Resource Manager
  • Secret Manager
  • Service Management

Date/time attribute

The date/time attribute is used to set expirable, scheduled, or limited-duration access to Google Cloud resources.

This attribute is available for all Google Cloud services and resource types.

Supported basic functions and operators

The attribute variable used for the date/time attribute is request.time, of type Timestamp. You can also convert strings to the Timestamp and Duration types.

Supported basic functions Type Description
date String --> Timestamp

Function: Convert a String to a Timestamp.
Parameter: String in the format YYYY-MM-DD, where YYYY is the year, MM is the two-digit month, and DD is the two-digit day. The resulting Timestamp contains the specified date and the time 00:00:00.000 UTC.

Example:

date("2020-02-01")
A timestamp that represents the date 2020-02-01 and the time 00:00:00.000 UTC.

duration String --> Duration

Function: Convert a String to a Duration.
Parameter: String containing a number of seconds, followed by s

Examples:

duration("90s")
A duration that represents 1.5 minutes.

duration("2592000s")
A duration that represents 30 days.

timestamp

String --> Timestamp

Function: Convert a String to a Timestamp.
Parameter: String adhering to UTC format (RFC 3339).

Examples:

timestamp("1985-04-12T23:20:50.52Z")
This represents the timestamp conversion for 20 minutes and 50.52 seconds after the 23rd hour of April 12th, 1985 in UTC.

timestamp("1996-12-19T16:39:57-08:00")
This represents the timestamp conversion for 39 minutes and 57 seconds after the 16th hour of December 19th, 1996 with an offset of -08:00 from UTC. Note that this is equivalent to 1996-12-20T00:39:57Z in UTC. This offset does not reflect timezone, for example, offset for Pacific Standard Time is -08:00 during winter, and it is -07:00 during summer to respect daylight saving.

Important Note:
The String must follow the format requirement for UTC string. Any string not compliant with UTC format will cause the timestamp() function to fail to convert to a timestamp value. As a result, the condition evaluation on the expression using timestamp() will result in a failed authorization.

<, <=, >, >=

(Timestamp, Timestamp) --> bool

Function: General comparison with Timestamp type.

Examples:

request.time < timestamp("2018-04-12T00:00:00.00Z")
request.time <= timestamp("2018-04-12T00:00:00.00Z")
request.time > timestamp("2018-04-12T00:00:00.00Z")
request.time >= timestamp("2018-04-12T00:00:00.00Z")
These expressions set the comparison of request time with a specific timestamp, which is April 12, 2018 in UTC. Commonly used for setting a "start time", or "expiration time", condition for the role grant.

Note: Given the time precision to milliseconds, including the equality and inequality comparison (==, !=) does not have significant effect.

+, - (Timestamp, Duration) --> Timestamp

Function: Add or subtract a Duration from a Timestamp.

Examples:

timestamp("2018-04-12T14:30:00.00Z") + duration("1800s")
Finds the timestamp that falls 30 minutes after 14:30:00 GMT on 2018-04-12.

timestamp("2018-04-12T14:30:00.00Z") - duration("5184000s")
Find the timestamp that falls 60 days before 14:30:00 GMT on 2018-04-12.

Supported advanced functions and operators

The attribute variable used for the date/time attribute is request.time, of type Timestamp.

Supported advanced functions Type Description

<, <=, >, >=, ==, !=

(int, int) --> bool

Function: General comparison with int type.

Discussion:
This set of comparison operators for integers are mainly used for the remaining set of "advanced functions" with Timestamp functions. All these functions (defined in the rest of this table), convert a certain portion of the timestamp value to an int. Further examples are provided for each advanced function to suggest common usage.

getDate, getDayOfMonth, getDayOfWeek, getDayOfYear

Timestamp.() --> int

Timestamp.(string) --> int

Functions:
getDate: Get the day of month from the Timestamp value using one-based indexing. In other words, the first day of the month is 1.

getDayOfMonth: Get the day of month from the Timestamp value using zero-based indexing. In other words, the first day of the month is 0.

getDayOfWeek: Get the day of the week from the Timestamp value, zero-based on Sunday. In other words, Sunday(0), Monday(1), ..., Saturday(6).

getDayOfYear: Get the day of year from the Timestamp value using zero-based indexing. In other words, the first day of the year is 0.

Parameters:
String as time zone: conversion based on date with time zone. Note: when the time zone is unspecified, the conversion will be based on date in UTC.

For more information about valid timezone strings, see Supported Time Zone Values.

Example:

request.time.getDayOfWeek() > 0 && request.time.getDayOfWeek() < 6
This expression is evaluated to true if the incoming request is sent between Monday to Friday by UTC time.

Example:

request.time.getDayOfWeek("Europe/Berlin") > 0 && request.time.getDayOfWeek(Europe/Berlin") < 6
This expression is evaluated to true if the incoming request is sent between Monday to Friday in the Berlin timezone.

Example:

request.time.getDayOfYear("America/Los_Angeles") >= 0 && request.time.getDayOfYear("America/Los_Angeles") < 5
This expression is evaluated to true if the incoming request is sent within first 5 days of the year in the Los Angeles timezone.

getFullYear

Timestamp.() --> int

Timestamp.(string) --> int

Function: Gets the year from the date.

Parameters:
Version 1: No parameter; From the date in UTC.
Version 2: Timezone string; from the date in timezone.

For more information about valid timezone strings, see Supported Time Zone Values.

Example:

request.time.getFullYear("America/Los_Angeles") == 2018
This expression is evaluated to true if incoming request is sent within the year 2018, in the Los Angeles timezone.

Example:

request.time.getFullYear() < 2020
This expression is evaluated to true if incoming request is sent before the end of 2019 in UTC.

getHours

Timestamp.() --> int

Timestamp.(string) --> int

Function: Gets hours from the date; values range from 0 to 23.

Parameters:
Version 1: No parameter; From the date in UTC.
Version 2: Timezone string; from the date in timezone.

For more information about valid timezone strings, see Supported Time Zone Values.

Example:

request.time.getHours("Europe/Berlin") >= 9 && request.time.getHours("Europe/Berlin") <= 17
This expression specifies a work hour condition. It is evaluated to true if the request is sent between 9am to 5pm in the Berlin timezone.

Note:

Combining getHours() with getDayofWeek() could be used to set a condition on legal working hours, such as for meeting a jurisdiction requirement.

getMilliseconds

Timestamp.() --> int

Timestamp.(string) --> int

Function: Gets milliseconds within a second from the timestamp; values range from 0 to 999.

Parameters:
Version 1: No parameter; From the date in UTC.
Version 2: Timezone string; from the date in timezone.

For more information about valid timezone strings, see Supported Time Zone Values.

Note:

This function is less useful, given its limited usage semantically.

getMinutes

Timestamp.() --> int

Timestamp.(string) --> int

Function: Gets minutes within an hour from the Timestamp; values range from 0 to 59.

Parameters:
Version 1: No parameter; From the date in UTC.
Version 2: Timezone string; from the date in timezone.

For more information about valid timezone strings, see Supported Time Zone Values.

Note:

This function is less useful, given its limited usage semantically.

getMonth

Timestamp.() --> int

Timestamp.(string) --> int

Function: Gets months within a year from the Timestamp; values range from 0 to 11.

Parameters:
Version 1: No parameter; From the date in UTC.
Version 2: Timezone string; from the date in timezone.

For more information about valid timezone strings, see Supported Time Zone Values.

Example:

request.time.getMonth("America/Los_Angeles") == 3
This expression is evaluated to true if the incoming request is sent during April, in the Los Angeles timezone.

getSeconds

Timestamp.() --> int

Timestamp.(string) --> int

Function: Gets seconds within one minute from the Timestamp; values range from 0 to 59.

Parameters:
Version 1: No parameter; From the date in UTC.
Version 2: Timezone string; from the date in timezone.

For more information about valid timezone strings, see Supported Time Zone Values.

Note:

This function is less useful, given its limited usage semantically.

Destination IP/port attributes

The destination IP/port attribute enables users to manage access based on the internal destination IP address and/or port for a request.

For example, a Compute Engine VM instance might map the external IP address and port 132.168.42.21:3001 to the internal IP address and port 10.0.0.1:2300 for general usage. In contrast, the internal IP address and port 10.0.0.1:22 might only be available internally for administrative usage. You can use the destination IP/port attributes to grant different amounts of access based on the internal IP address and port.

For more information about TCP forwarding, see the Identity-Aware Proxy documentation.

destination.ip attribute

Attribute variable destination.ip
Attribute type String
Supported operators ==, !=
Supported operand String
Discussion

The variable destination.ip is expected to be a String representing an internal IP address in IPv4 format.

Note: The startsWith(<prefix string of IP>) function and the endsWith(<suffix string of IP>) function are not intended to be used with the destination.ip attribute. While setting a condition such as destination.ip.startsWith(<prefix string of IP>) will not result in syntax error when executing a setIamPolicy operation, it is not recommended due to unexpected results. Prefix matching on the IP string is not recommended to perform an IP address range check on CIDRs.

Examples 
destination.ip == "10.0.0.1"
destination.ip != "10.0.0.1"
Supported resource types Available for requests that use Identity-Aware Proxy to access a tunnel instance

destination.port attribute

Attribute variable destination.port
Attribute type Integer
Supported operators ==, !=, <, <=, >, >=
Supported operand Integer
Discussion

The variable destination.port is expected to be an Integer representing an internal TCP port number.

Examples 
destination.port == 21
destination.port < 3001
Supported resource types Available for requests that use Identity-Aware Proxy to access a tunnel instance

Forwarding rule attributes

The forwarding rule attributes enable you to specify the types of forwarding rules that a member can create. For example, you could allow a member to create forwarding rules for internal Google Cloud load balancers, which handle traffic that originates inside a Google Cloud network, but not for external Google Cloud load balancers, which handle traffic that originates from the internet.

For Cloud Load Balancing, the forwarding rule attributes do not affect the ability to create other components of a Google Cloud load balancer, such as backend services, target proxies, health checks, and URL maps.

Supported functions

Supported functions Type Description
compute.isForwardingRuleCreationOperation() () --> bool

Function: Check whether the request is creating a forwarding rule.

Examples: See the examples for compute.matchLoadBalancingSchemes().

compute.matchLoadBalancingSchemes() Array.(string) --> bool

Function: Check whether the request affects one of the specified types of load balancing scheme. To find the identifier for each load balancing scheme, as well as details about each scheme, see Using IAM Conditions on Google Cloud load balancers.

Parameters: Array of Strings

Example: 

!compute.isForwardingRuleCreationOperation() || (
  compute.isForwardingRuleCreationOperation() &&
  compute.matchLoadBalancingSchemes([
    'INTERNAL', 'INTERNAL_MANAGED', 'INTERNAL_SELF_MANAGED'
  ]))
)
  • If the request is not creating a forwarding rule, grant the role to the member.
  • If the request is creating a forwarding rule, grant the role only if the forwarding rule affects an INTERNAL, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED load balancing scheme.

Supported resource types

This attribute is available for requests to create one of these resource types:

Service Resource types
Cloud Load Balancing Forwarding rules
Cloud VPN Forwarding rules (global and regional)
Compute Engine Forwarding rules (for protocol forwarding)
Traffic Director1 Forwarding rules

1 Uses the resource attributes for Compute Engine.

URL path/host attribute

The URL path/host attribute enables users to manage access based on the URL path and/or host of a request. For example, a condition could specify that https://example.com is the main application accessible by a general domain of users, while https://hr.example.com/admin is used to access a page in the application where only Human Resources admins can access this portion.

request.path attribute

Attribute variable request.path
Attribute type String
Supported operators ==, startsWith(), endsWith()
Supported operands/parameters
  • String: ==
  • Constant prefix string: startsWith()
  • Constant suffix string: endsWith()
Discussions Note: The != operator is not recommended for use. Instead of negative comparison, such as, 
request.path != "/admin"
, the recommended usage is prefix match, for instance 
! request.path.startsWith("/admin")
. This way, URL paths parented by "/admin", such as "/admin/payroll/", are all protected against unintended access.
Examples

Example 1: 

request.path == "/admin"
request.path == "/admin/payroll"

The String used in the equality (==) comparison in the two examples above is expected to be formatted according to URL path standards.

Example 2: 

request.path.startsWith("/admin")

A String that represents the prefix of a URL path is used in the function.

Example 3: 

request.path.endsWith("/payroll.js")

A String that represents the suffix of a URL path is used in the function.

Supported resource types

Identity-Aware Proxy app service versions (App Engine)

Available for requests that use Identity-Aware Proxy to access a web application running on App Engine or Compute Engine

request.host attribute

Attribute variable request.host
Attribute type String
Supported operators ==, endsWith()
Supported operands/parameters
  • String: ==
  • Constant suffix string: endsWith()
Discussion The .startsWith(<prefix string>) function is not intended to be used with the request.host attribute. While setting a condition such as request.host.startsWith(<prefix string>) will not result in syntax errors when executing a setIamPolicy operation, it is not recommended due to unexpected results. Similarly != is not recommended for use.
Examples

Example 1: 

request.host == "www.example.com"
request.host == "hr.example.com"

The String used in the equality (==) comparison in the two examples above is expected to be formatted according to URL string standards for the hostname of a website.

Example 2: 

request.host.endsWith("example.com")

A String that represents the suffix of a hostname of a website.

Supported resource types

Identity-Aware Proxy app service versions (App Engine)

Available for requests that use Identity-Aware Proxy to access an app service version.

Extracting values from attributes

You can use the extract() function to extract a value from an attribute. For example, you can extract an arbitrary part of a resource name, then write a condition expression that refers to the text you extracted.

To use the extract() function, you provide an extraction template, which specifies the part of the attribute to extract. For example, if you want to extract a project ID from the resource name of a Compute Engine VM instance, you might use the template projects/{project-id}/.

An extraction template contains the following parts:

  • An identifier, enclosed in curly braces, that identifies the substring to extract. Choose a short, meaningful identifier that makes it clear what value you want to extract. You can use uppercase and lowercase letters from A to Z; numeric digits; dashes (-); and underscores (_).

    In the template projects/{project-id}/, the identifier is project-id.

  • Optional: A prefix, which must appear before the substring to extract.

    In the template projects/{project-id}/, the prefix is projects/.

  • Optional: A suffix, which must appear after the substring to extract.

    In the template projects/{project-id}/, the suffix is /.

The extract() function returns different values depending on whether the extraction template has a prefix, a suffix, or both:

Has prefix Has suffix Extracted value
The entire resource name
The characters after the first occurrence of the prefix, or an empty string if there are no characters after the prefix
The characters before the first occurrence of the suffix, or an empty string if there are no characters before the suffix
The characters between the first occurrence of the prefix and the first subsequent occurrence of the suffix, or an empty string if there are no characters between the prefix and the suffix

If you specify a prefix or suffix that do not appear in the attribute, or if the suffix appears only before the prefix, the extract() function returns null.

The following examples show the output from several different extraction templates. These examples refer to a resource name for a Cloud Storage object, projects/_/buckets/acme-orders-aaa/data_lake/orders/order_date=2019-11-03/aef87g87ae0876:

Extraction template Output
/order_date={date}/ 2019-11-03
buckets/{name}/ acme-orders-aaa
/orders/{empty}order_date Empty string
{start}/data_lake projects/_/buckets/acme-orders-aaa
orders/{end} order_date=2019-11-03/aef87g87ae0876
{all} projects/_/buckets/acme-orders-aaa/data_lake/orders/order_date=2019-11-03/aef87g87ae0876
/orders/{none}/order_date= null
/orders/order_date=2019-11-03/{id}/data_lake null

If you extract a string that represents a date, you can use the date/time functions and operators on this page to convert the extracted value to a Timestamp. For examples, see Configuring resource-based access.