Resource attributes for IAM Conditions

This topic contains a list of values that can be used for resource attributes in a condition, including string values for resource service, resource type, and the format for resource name strings.

You can use resource attributes to change the scope of the grant provided by a role binding. When a role contains permissions that apply to different kinds of resources, a condition can grant a subset of the role's permissions based on the resource service, resource type, and resource name.

Resource attributes are available for the Google Cloud services and resource types that are listed on this page. Other services and resource types do not support resource attributes.

For more information about Identity and Access Management (IAM) Conditions, see the following topics:

Resource service values

The following table lists supported string values for the resource service attribute.

Resource service value REST reference
cloudkms.googleapis.com API reference
cloudresourcemanager.googleapis.com API reference
compute.googleapis.com API reference
iap.googleapis.com API reference
pubsublite.googleapis.com API reference
secretmanager.googleapis.com API reference
spanner.googleapis.com API reference
storage.googleapis.com API reference

Resource type values

The following table lists supported string values for the resource type attribute.

Resource type value Reference
cloud.googleapis.com/Location1 Read more
cloudkms.googleapis.com/CryptoKey Read more
cloudkms.googleapis.com/CryptoKeyVersion Read more
cloudkms.googleapis.com/KeyRing Read more
cloudresourcemanager.googleapis.com/Project Read more
compute.googleapis.com/BackendService Read more
compute.googleapis.com/Disk Read more
compute.googleapis.com/Firewall Read more
compute.googleapis.com/ForwardingRule Read more
compute.googleapis.com/GlobalForwardingRule Read more
compute.googleapis.com/Image Read more
compute.googleapis.com/Instance Read more
compute.googleapis.com/InstanceTemplate Read more
compute.googleapis.com/Snapshot Read more
compute.googleapis.com/TargetHttpProxy Read more
compute.googleapis.com/TargetHttpsProxy Read more
compute.googleapis.com/TargetSslProxy Read more
compute.googleapis.com/TargetTcpProxy Read more
iap.googleapis.com/Tunnel Read more
iap.googleapis.com/TunnelInstance Read more
iap.googleapis.com/TunnelZone Read more
iap.googleapis.com/Web Read more
iap.googleapis.com/WebService Read more
iap.googleapis.com/WebServiceVersion Read more
iap.googleapis.com/WebType Read more
pubsublite.googleapis.com/Location Read more
pubsublite.googleapis.com/Subscription Read more
pubsublite.googleapis.com/Topic Read more
secretmanager.googleapis.com/Secret Read more
secretmanager.googleapis.com/SecretVersion Read more
spanner.googleapis.com/Database Read more
spanner.googleapis.com/Instance Read more
storage.googleapis.com/Bucket Read more
storage.googleapis.com/Object Read more

1 Cloud Key Management Service uses this resource type as the parent of key ring resources.

Resource name format

The following table lists the supported format for resource name attributes.

Resource reference Resource name format template
Cloud KMS crypto keys projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id
Cloud KMS crypto key versions projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id/cryptoKeyVersions/cryptokeyversion-id
Cloud KMS key rings projects/project-number/locations/location-id/keyRings/keyring-id
Cloud Storage buckets1 projects/_/buckets/bucket-name
Cloud Storage objects1 projects/_/buckets/bucket-name/objects/object-name
Compute Engine global backend services projects/project-id/global/backendServices/backend-service-id
Compute Engine regional backend services projects/project-id/regions/region-id/backendServices/backend-service-id
Compute Engine firewalls projects/project-id/global/firewalls/firewall-id
Compute Engine global forwarding rules projects/project-id/global/forwardingRules/forwarding-rule-id
Compute Engine regional forwarding rules projects/project-id/regions/region-id/forwardingRules/forwarding-rule-id
Compute Engine images projects/project-id/global/images/image-id
Compute Engine instance templates projects/project-id/global/instanceTemplates/instance-template-id
Compute Engine instances projects/project-id/zones/zone-id/instances/instance-id
Compute Engine regional persistent disks projects/project-id/regions/region-id/disks/disk-id
Compute Engine zonal persistent disks projects/project-id/zones/zone-id/disks/disk-id
Compute Engine snapshots projects/project-id/global/snapshots/snapshot-id
Compute Engine global target HTTP proxies projects/project-id/global/targetHttpProxies/target-http-proxy-id
Compute Engine regional target HTTP proxies projects/project-id/regions/region-id/targetHttpProxies/target-http-proxy-id
Compute Engine global target HTTPS proxies projects/project-id/global/targetHttpsProxies/target-https-proxy-id
Compute Engine regional target HTTPS proxies projects/project-id/regions/region-id/targetHttpsProxies/target-https-proxy-id
Compute Engine target SSL proxies projects/project-id/global/targetSslProxies/target-ssl-proxy-id
Compute Engine target TCP proxies projects/project-id/global/targetTcpProxies/target-tcp-proxy-id
Pub/Sub Lite locations projects/project-number/locations/location
Pub/Sub Lite subscriptions projects/project-number/locations/location/subscriptions/subscription-id
Pub/Sub Lite topics projects/project-number/locations/location/topics/topic-id
Secret Manager secrets projects/project-number/secrets/secret-id
Secret Manager secret versions2 projects/project-number/secrets/secret-id/versions/secret-version
Spanner databases projects/project-number/instances/instance-id/databases/database-id
Spanner instances projects/project-number/instances/instance-id

1 For Cloud Storage, resource names contain an underscore (_) rather than a project ID. You cannot replace the underscore with a project ID, project name, or project number.

2 If a condition evaluates the resource name for a secret version, the secret version in the request must exactly match the secret version in the condition for the condition to be satisfied. For example, if the version in the condition is latest, only a request with the version latest satisfies the condition; a request with the version 3 does not satisfy the condition, even if 3 is the latest version.