Resource attributes for Cloud IAM Conditions

This topic contains a list of values that can be used for resource attributes in a condition, including string values for resource service, resource type, and the format for resource name strings.

You can use resource attributes to change the scope of the grant provided by a role binding. When a role contains permissions that apply to different kinds of resources, a condition can grant a subset of the role's permissions based on the resource service, resource type, and resource name.

For more information about Cloud Identity and Access Management (Cloud IAM) Conditions, see the following topics:

Resource service values

The following table lists supported string values for the resource service attribute.

Resource service value REST reference
cloudkms.googleapis.com API reference
cloudresourcemanager.googleapis.com API reference
compute.googleapis.com API reference
iap.googleapis.com API reference
spanner.googleapis.com API reference
storage.googleapis.com API reference

Resource type values

The following table lists supported string values for the resource type attribute.

Resource type value Reference
cloud.googleapis.com/Location¹ Read more
cloudkms.googleapis.com/CryptoKey Read more
cloudkms.googleapis.com/CryptoKeyVersion Read more
cloudkms.googleapis.com/KeyRing Read more
cloudresourcemanager.googleapis.com/Project Read more
compute.googleapis.com/BackendService Read more
compute.googleapis.com/Disk Read more
compute.googleapis.com/Firewall Read more
compute.googleapis.com/ForwardingRule Read more
compute.googleapis.com/GlobalForwardingRule Read more
compute.googleapis.com/Image Read more
compute.googleapis.com/Instance Read more
compute.googleapis.com/InstanceTemplate Read more
compute.googleapis.com/Snapshot Read more
compute.googleapis.com/TargetHttpProxy Read more
compute.googleapis.com/TargetHttpsProxy Read more
compute.googleapis.com/TargetSslProxy Read more
compute.googleapis.com/TargetTcpProxy Read more
iap.googleapis.com/Tunnel Read more
iap.googleapis.com/TunnelInstance Read more
iap.googleapis.com/TunnelZone Read more
iap.googleapis.com/Web Read more
iap.googleapis.com/WebService Read more
iap.googleapis.com/WebServiceVersion Read more
iap.googleapis.com/WebType Read more
spanner.googleapis.com/Database Read more
spanner.googleapis.com/Instance Read more
storage.googleapis.com/Bucket Read more
storage.googleapis.com/Object Read more

¹ Cloud Key Management Service uses this resource type as the parent of key ring resources.

Resource name format

The following table lists the supported format for resource name attributes.

Resource reference Resource name format template
Spanner databases projects/project-number/instances/instance-id/databases/database-id
Spanner instances projects/project-number/instances/instance-id
Cloud Storage buckets¹ projects/_/buckets/bucket-name
Cloud Storage objects¹ projects/_/buckets/bucket-name/objects/object-name
Compute Engine global backend services projects/project-id/global/backendServices/backend-service-id
Compute Engine regional backend services projects/project-id/regions/region-id/backendServices/backend-service-id
Compute Engine firewalls projects/project-id/global/firewalls/firewall-id
Compute Engine global forwarding rules projects/project-id/global/forwardingRules/forwarding-rule-id
Compute Engine regional forwarding rules projects/project-id/regions/region-id/forwardingRules/forwarding-rule-id
Compute Engine images projects/project-id/global/images/image-id
Compute Engine instance templates projects/project-id/global/instanceTemplates/instance-template-id
Compute Engine instances projects/project-id/zones/zone-id/instances/instance-id
Compute Engine regional persistent disks projects/project-id/regions/region-id/disks/disk-id
Compute Engine zonal persistent disks projects/project-id/zones/zone-id/disks/disk-id
Compute Engine snapshots projects/project-id/global/snapshots/snapshot-id
Compute Engine global target HTTP proxies projects/project-id/global/targetHttpProxies/target-http-proxy-id
Compute Engine regional target HTTP proxies projects/project-id/regions/region-id/targetHttpProxies/target-http-proxy-id
Compute Engine global target HTTPS proxies projects/project-id/global/targetHttpsProxies/target-https-proxy-id
Compute Engine regional target HTTPS proxies projects/project-id/regions/region-id/targetHttpsProxies/target-https-proxy-id
Compute Engine target SSL proxies projects/project-id/global/targetSslProxies/target-ssl-proxy-id
Compute Engine target TCP proxies projects/project-id/global/targetTcpProxies/target-tcp-proxy-id
Cloud KMS crypto keys projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id
Cloud KMS crypto key versions projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id/cryptoKeyVersions/cryptokeyversion-id
Cloud KMS key rings projects/project-number/locations/location-id/keyRings/keyring-id

¹ For Cloud Storage, resource names contain an underscore (_) rather than a project ID. You cannot replace the underscore with a project ID, project name, or project number.
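
An added example, not part of the original page or of Google's tooling: a Python lint that scans a condition expression for resource.service, resource.type and resource.name literals and checks them against the tables above. It is a regex scan rather than a full expression parser, embeds only a subset of the templates, and the type-to-template pairing and the sample conditions are assumptions made here.

```python
import re
# Service values copied from this page's "Resource service values" table.
SERVICES = {f"{s}.googleapis.com" for s in
            ("cloudkms", "cloudresourcemanager", "compute", "iap", "spanner", "storage")}
# Assumption: each type is paired with the template whose row describes it (subset).
TEMPLATES = {
    "storage.googleapis.com/Object": ["projects/_/buckets/bucket-name/objects/object-name"],
    "compute.googleapis.com/Instance": ["projects/project-id/zones/zone-id/instances/instance-id"],
    "cloudkms.googleapis.com/CryptoKey": [
        "projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id"],
}

def prefix_fits(template, prefix):
    """True if `prefix` could begin a resource name that follows `template`."""
    t_segs, p_segs = template.split("/"), prefix.split("/")
    if len(p_segs) > len(t_segs) and t_segs[-1] != "object-name":
        return False                    # only object names may carry extra '/'
    for i, (t, p) in enumerate(zip(t_segs, p_segs)):
        last = i == len(p_segs) - 1     # the final prefix segment may be partial
        if "-" in t:                    # placeholder, e.g. project-id
            if t == "project-number" and not last and not p.isdigit():
                return False
        elif not (t.startswith(p) if last else t == p):
            return False
    return True

def lint_condition(expr):
    """Return findings for a condition expression; an empty list means consistent."""
    svcs = re.findall(r'resource\.service\s*==\s*"([^"]+)"', expr)
    types = re.findall(r'resource\.type\s*==\s*"([^"]+)"', expr)
    names = re.findall(r'resource\.name(?:\.startsWith\(|\s*==\s*)"([^"]+)"', expr)
    findings = [f"resource.service not listed on this page: {s}"
                for s in svcs if s not in SERVICES]
    for t in types:
        if t not in TEMPLATES:
            findings.append(f"resource.type not in embedded subset: {t}")
        elif svcs and t.split("/")[0] not in svcs:
            findings.append(f"type {t} is outside the tested service(s) {svcs}")
    known = [t for t in types if t in TEMPLATES]
    for n in names:
        if known and not any(prefix_fits(tpl, n) for t in known for tpl in TEMPLATES[t]):
            findings.append(f"resource.name {n!r} fits no template for {known}")
    return findings

# Constructed sample conditions (not from the page).
GOOD = ('resource.type == "storage.googleapis.com/Object" && '
        'resource.name.startsWith("projects/_/buckets/audit-logs/objects/2024/")')
BAD = ('resource.type == "storage.googleapis.com/Object" && '
       'resource.name.startsWith("projects/my-project/buckets/audit-logs/")')
```

A resource.name literal that fits no template can never match a real resource, so the conditional binding grants nothing where the test is positive and everything in the role where it is negated.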