Resource attributes for IAM Conditions

This topic contains a list of values that can be used for resource attributes in a condition, including string values for resource service, resource type, and the format for resource name strings.

You can use resource attributes to change the scope of the grant provided by a role binding. When a role contains permissions that apply to different kinds of resources, a condition can grant a subset of the role's permissions based on the resource service, resource type, and resource name.

Resource attributes are available for the Google Cloud services and resource types that are listed on this page. Other services and resource types do not recognize resource attributes.

For more information about Identity and Access Management (IAM) Conditions, see the following:

Resource service values

The following table lists the values that the resource service attribute can contain.

Resource service value REST reference API reference API reference API reference API reference API reference API reference API reference API reference API reference API reference API reference API reference API reference API reference API reference

Resource type values

The following table lists the values that the resource type attribute can contain.

Resource type value Reference Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more Read more

1 Cloud Key Management Service uses this resource type as the parent of key ring resources.

2 Apigee uses this resource type as the parent of any resource that belongs to an Apigee organization.

Resource name format

The following table lists the format of each type of resource name attribute.

Resource reference Resource name format template
Apigee API product attributes organizations/organization-name/apiproducts/product-id/attributes/attribute-id
Apigee API products organizations/organization-name/apiproducts/product-id
Apigee API proxies organizations/organization-name/apis/proxy-id
Apigee API proxy key-value map entries organizations/organization-name/api/proxy-id/keyvaluemaps/keyvaluemap-id/entries/entry-id
Apigee API proxy key-value maps organizations/organization-name/apis/proxy-id/keyvaluemaps/key-value-map-id
Apigee API proxy revisions organizations/organization-name/apis/proxy-id/revisions/revision-id
Apigee caches organizations/organization-name/environments/environment-id/caches/cache-id
Apigee developer app attributes organizations/organization-name/developers/developer-id/apps/app-id/attributes/attribute-id
Apigee developer apps organizations/organization-name/developers/developer-id/apps/app-id
Apigee developer attributes organizations/organization-name/developers/developer-id/attributes/attribute-id
Apigee developers organizations/organization-name/developers/developer-id
Apigee environment key-value map entries organizations/organization-name/environments/environment-id/keyvaluemaps/keyvaluemap-id/entries/entry-id
Apigee environment key-value maps organizations/organization-name/environments/environment/keyvaluemaps/key-value-map-id
Apigee exports organizations/organization-name/environments/environment-id/analytics/exports/export-id
Apigee flow hooks organizations/organization-name/environments/environment-id/flowhooks/flowhook-id
Apigee keystore aliases organizations/organization-name/environments/environment-id/keystores/keystore-id/aliases/alias-id
Apigee keystores organizations/organization-name/environments/environment-id/keystores/keystore-id
Apigee queries organizations/organization-name/environments/environment-id/queries/query-id
Apigee rate plans organizations/organization-name/apiproducts/product-id/rateplans/rate-plan-id
Apigee references organizations/organization-name/environments/environment-id/references/reference-id
Apigee shared flow revisions organizations/organization-name/sharedflows/shared-flow-id/revisions/revision-id
Apigee shared flows organizations/organization-name/sharedflows/shared-flow-id
Apigee target servers organizations/organization-name/environments/environment-id/targetservers/targetserver-id
Apigee trace (debug) sessions organizations/organization-name/environments/environment-id/apis/proxy-id/revisions/revision-id/debugsessions/session-id
Binary Authorization attestors projects/project-number/attestors/attestor-id
Binary Authorization continuous validation configs projects/project-number/continuousValidationConfig
Binary Authorization policies projects/project-number/policy
Cloud Bigtable clusters projects/project-number/instances/instance-id/clusters/cluster-id
Cloud Bigtable instances projects/project-number/instances/instance-id
Cloud Bigtable tables projects/project-number/instances/instance-id/tables/table-id
Firestore databases projects/project-id/databases/database-id
Cloud Key Management Service crypto keys projects/project-id/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id
Cloud Key Management Service crypto key versions projects/project-id/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id/cryptoKeyVersions/cryptokeyversion-id
Cloud Key Management Service key rings projects/project-id/locations/location-id/keyRings/keyring-id
Cloud Logging log buckets projects/project-id/locations/location-id/buckets/bucket-id
Cloud Logging log views projects/project-id/locations/location-id/buckets/bucket-id/views/view-id
Cloud Spanner backups projects/project-id/instances/instance-id/backups/backup-id
Cloud Spanner databases projects/project-id/instances/instance-id/databases/database-id
Cloud Spanner instances projects/project-id/instances/instance-id
Cloud SQL backup runs projects/project-id/instances/instance-id/backupRuns/backup-id
Cloud SQL instances projects/project-id/instances/instance-id
Cloud Storage buckets1 projects/_/buckets/bucket-name
Cloud Storage objects1, 2 projects/_/buckets/bucket-name/objects/object-name
Compute Engine global backend services projects/project-id/global/backendServices/backend-service-id
Compute Engine regional backend services projects/project-id/regions/region-id/backendServices/backend-service-id
Compute Engine firewalls projects/project-id/global/firewalls/firewall-id
Compute Engine global forwarding rules projects/project-id/global/forwardingRules/forwarding-rule-id
Compute Engine regional forwarding rules projects/project-id/regions/region-id/forwardingRules/forwarding-rule-id
Compute Engine images projects/project-id/global/images/image-id
Compute Engine instance templates projects/project-id/global/instanceTemplates/instance-template-id
Compute Engine instances projects/project-id/zones/zone-id/instances/instance-id
Compute Engine regional persistent disks projects/project-id/regions/region-id/disks/disk-id
Compute Engine zonal persistent disks projects/project-id/zones/zone-id/disks/disk-id
Compute Engine snapshots projects/project-id/global/snapshots/snapshot-id
Compute Engine global target HTTP proxies projects/project-id/global/targetHttpProxies/target-http-proxy-id
Compute Engine regional target HTTP proxies projects/project-id/regions/region-id/targetHttpProxies/target-http-proxy-id
Compute Engine global target HTTPS proxies projects/project-id/global/targetHttpsProxies/target-https-proxy-id
Compute Engine regional target HTTPS proxies projects/project-id/regions/region-id/targetHttpsProxies/target-https-proxy-id
Compute Engine target SSL proxies projects/project-id/global/targetSslProxies/target-ssl-proxy-id
Compute Engine target TCP proxies projects/project-id/global/targetTcpProxies/target-tcp-proxy-id
Dataform compilation results projects/project-id/locations/location/repositories/repository/compilationResults/compilation-result
Dataform locations projects/project-id/locations/location
Dataform release configs projects/project-id/locations/location/repositories/repository/releaseConfigs/release-config
Dataform repositories projects/project-id/locations/location/repositories/repository
Dataform workflow configs projects/project-id/locations/location/repositories/repository/workflowConfigs/workflow-config
Dataform workflow invocations projects/project-id/locations/location/repositories/repository/workflowInvocations/workflow-invocation
Dataform workspaces projects/project-id/locations/location/repositories/repository/workspaces/workspace
Pub/Sub Lite locations projects/project-number/locations/location
Pub/Sub Lite subscriptions projects/project-number/locations/location/subscriptions/subscription-id
Pub/Sub Lite topics projects/project-number/locations/location/topics/topic-id
Resource Manager organizations3 organizations/organization-name
Secret Manager secrets projects/project-number/secrets/secret-id
Secret Manager secret versions4 projects/project-number/secrets/secret-id/versions/secret-version

1 For Cloud Storage, resource names contain an underscore (_) rather than a project ID. You cannot replace the underscore with a project ID, project name, or project number.

2 Use the entire object name, including forward slashes. In Cloud Storage, these characters are part of the object name, not path separators.

3 Apigee uses this format when you list any type of resource that belongs to an Apigee organization.

4 If a condition evaluates the resource name for a secret version, the secret version in the request must exactly match the secret version in the condition for the condition to be satisfied. For example, if the version in the condition is latest, only a request with the version latest satisfies the condition; a request with the version 3 does not satisfy the condition, even if 3 is the latest version.

Resource tags

You can attach tags to organizations, projects, and folders. Any Google Cloud resource can inherit tags from these higher-level resources.

You can use a few different types of identifiers to refer to tag keys and values:

  • A permanent ID, which is globally unique and can never be reused. For example, a tag key could have the permanent ID tagKeys/123456789012, and a tag value could have the permanent ID tagValues/567890123456.
  • A short name. The short name for each key must be unique within your organization, and the short name for each value must be unique for its associated key. For example, a tag key could have the short name env, and a tag value could have the short name prod.
  • A namespaced name, which adds your organization's numeric ID to the short name of a tag key. For example, a tag key could have the namespaced name 123456789012/env. Learn how to get your organization ID.

The specific identifiers depend on the tag keys and values that you have created for your organization. To learn how to list the tag keys and values that are available to you, see Listing tag keys and Listing tag values.