Resource attributes for IAM Conditions

This topic contains a list of values that can be used for resource attributes in a condition, including string values for resource service, resource type, and the format for resource name strings.

You can use resource attributes to change the scope of the grant provided by a role binding. When a role contains permissions that apply to different kinds of resources, a condition can grant a subset of the role's permissions based on the resource service, resource type, and resource name.

Resource attributes are available for the Google Cloud services and resource types that are listed on this page. Other services and resource types do not support resource attributes.

For more information about Identity and Access Management (IAM) Conditions, see the following topics:

Resource service values

The following table lists supported string values for the resource service attribute.

Resource service value REST reference
bigtableadmin.googleapis.com API reference
cloudkms.googleapis.com API reference
cloudresourcemanager.googleapis.com API reference
compute.googleapis.com API reference
iap.googleapis.com API reference
pubsublite.googleapis.com API reference
secretmanager.googleapis.com API reference
spanner.googleapis.com API reference
storage.googleapis.com API reference

Resource type values

The following table lists supported string values for the resource type attribute.

Resource type value Reference
bigtableadmin.googleapis.com/Cluster1 Read more
bigtableadmin.googleapis.com/Instance1 Read more
bigtableadmin.googleapis.com/Table1 Read more
cloud.googleapis.com/Location1 Read more
cloudkms.googleapis.com/CryptoKey Read more
cloudkms.googleapis.com/CryptoKeyVersion Read more
cloudkms.googleapis.com/KeyRing Read more
cloudresourcemanager.googleapis.com/Project Read more
compute.googleapis.com/BackendService Read more
compute.googleapis.com/Disk Read more
compute.googleapis.com/Firewall Read more
compute.googleapis.com/ForwardingRule Read more
compute.googleapis.com/GlobalForwardingRule Read more
compute.googleapis.com/Image Read more
compute.googleapis.com/Instance Read more
compute.googleapis.com/InstanceTemplate Read more
compute.googleapis.com/Snapshot Read more
compute.googleapis.com/TargetHttpProxy Read more
compute.googleapis.com/TargetHttpsProxy Read more
compute.googleapis.com/TargetSslProxy Read more
compute.googleapis.com/TargetTcpProxy Read more
iap.googleapis.com/Tunnel Read more
iap.googleapis.com/TunnelInstance Read more
iap.googleapis.com/TunnelZone Read more
iap.googleapis.com/Web Read more
iap.googleapis.com/WebService Read more
iap.googleapis.com/WebServiceVersion Read more
iap.googleapis.com/WebType Read more
pubsublite.googleapis.com/Location Read more
pubsublite.googleapis.com/Subscription Read more
pubsublite.googleapis.com/Topic Read more
secretmanager.googleapis.com/Secret Read more
secretmanager.googleapis.com/SecretVersion Read more
spanner.googleapis.com/Database Read more
spanner.googleapis.com/Instance Read more
storage.googleapis.com/Bucket Read more
storage.googleapis.com/Object Read more

1 Cloud Key Management Service uses this resource type as the parent of key ring resources.

Resource name format

The following table lists the supported format for resource name attributes.

Resource reference Resource name format template
Bigtable clusters projects/project-number/instances/instance-id/clusters/cluster-id
Bigtable instances projects/project-number/instances/instance-id
Bigtable tables projects/project-number/instances/instance-id/tables/table-id
Cloud KMS crypto keys projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id
Cloud KMS crypto key versions projects/project-number/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id/cryptoKeyVersions/cryptokeyversion-id
Cloud KMS key rings projects/project-number/locations/location-id/keyRings/keyring-id
Cloud Storage buckets1 projects/_/buckets/bucket-name
Cloud Storage objects1 projects/_/buckets/bucket-name/objects/object-name
Compute Engine global backend services projects/project-id/global/backendServices/backend-service-id
Compute Engine regional backend services projects/project-id/regions/region-id/backendServices/backend-service-id
Compute Engine firewalls projects/project-id/global/firewalls/firewall-id
Compute Engine global forwarding rules projects/project-id/global/forwardingRules/forwarding-rule-id
Compute Engine regional forwarding rules projects/project-id/regions/region-id/forwardingRules/forwarding-rule-id
Compute Engine images projects/project-id/global/images/image-id
Compute Engine instance templates projects/project-id/global/instanceTemplates/instance-template-id
Compute Engine instances projects/project-id/zones/zone-id/instances/instance-id
Compute Engine regional persistent disks projects/project-id/regions/region-id/disks/disk-id
Compute Engine zonal persistent disks projects/project-id/zones/zone-id/disks/disk-id
Compute Engine snapshots projects/project-id/global/snapshots/snapshot-id
Compute Engine global target HTTP proxies projects/project-id/global/targetHttpProxies/target-http-proxy-id
Compute Engine regional target HTTP proxies projects/project-id/regions/region-id/targetHttpProxies/target-http-proxy-id
Compute Engine global target HTTPS proxies projects/project-id/global/targetHttpsProxies/target-https-proxy-id
Compute Engine regional target HTTPS proxies projects/project-id/regions/region-id/targetHttpsProxies/target-https-proxy-id
Compute Engine target SSL proxies projects/project-id/global/targetSslProxies/target-ssl-proxy-id
Compute Engine target TCP proxies projects/project-id/global/targetTcpProxies/target-tcp-proxy-id
Pub/Sub Lite locations projects/project-number/locations/location
Pub/Sub Lite subscriptions projects/project-number/locations/location/subscriptions/subscription-id
Pub/Sub Lite topics projects/project-number/locations/location/topics/topic-id
Secret Manager secrets projects/project-number/secrets/secret-id
Secret Manager secret versions2 projects/project-number/secrets/secret-id/versions/secret-version
Spanner databases projects/project-number/instances/instance-id/databases/database-id
Spanner instances projects/project-number/instances/instance-id

1 For Cloud Storage, resource names contain an underscore (_) rather than a project ID. You cannot replace the underscore with a project ID, project name, or project number.

2 If a condition evaluates the resource name for a secret version, the secret version in the request must exactly match the secret version in the condition for the condition to be satisfied. For example, if the version in the condition is latest, only a request with the version latest satisfies the condition; a request with the version 3 does not satisfy the condition, even if 3 is the latest version.

Resource tags

You can attach tags to organizations, projects, and folders. Any Google Cloud resource can inherit tags from these higher-level resources.

You can use a few different types of identifiers to refer to tag keys and values:

  • A permanent ID, which is globally unique and can never be reused. For example, a tag key could have the permanent ID tagKeys/123456789012, and a tag value could have the permanent ID tagValues/567890123456.
  • A short name. The short name for each key must be unique within your organization, and the short name for each value must be unique for its associated key. For example, a tag key could have the short name env, and a tag value could have the short name prod.
  • A namespaced name, which adds your organization's numeric ID to the short name of a tag key. For example, a tag key could have the namespaced name 123456789012/env. Learn how to get your organization ID.

The specific identifiers depend on the tag keys and values that you have created for your organization. To learn how to list the tag keys and values that are available to you, see Listing TagKeys and TagValues.