Resource attributes for IAM Conditions

This topic lists the values that can be used for resource attributes in conditions, including the string values for the resource service, the resource type, and the resource name string formats.

You can use resource attributes to change the scope of the access that a role binding grants. If a role contains permissions for several kinds of resources, a condition can grant only a subset of the role's permissions, based on the resource service, resource type, and resource name.

Resource attributes can be used with the Google Cloud services and resource types listed on this page. Other services and resource types do not recognize resource attributes.

For more information about Identity and Access Management (IAM) Conditions, see the following:

Resource service values

The following table lists the values that the resource service attribute can contain.

Resource service value | REST reference
apigee.googleapis.com | API reference
bigquery.googleapis.com | API reference
bigtableadmin.googleapis.com | API reference
binaryauthorization.googleapis.com | API reference
cloudkms.googleapis.com | API reference
cloudresourcemanager.googleapis.com | API reference
compute.googleapis.com | API reference
container.googleapis.com | API reference
connectors.googleapis.com | API reference
firestore.googleapis.com | API reference
dataform.googleapis.com | API reference
iap.googleapis.com | API reference
integrations.googleapis.com | API reference
logging.googleapis.com | API reference
pubsublite.googleapis.com | API reference
secretmanager.googleapis.com | API reference
spanner.googleapis.com | API reference
sqladmin.googleapis.com | API reference
storage.googleapis.com | API reference

Resource type values

The following table lists the values that the resource type attribute can contain.

Resource type value | Reference
apigee.googleapis.com/ApiProduct | Learn more
apigee.googleapis.com/ApiProductAttribute | Learn more
apigee.googleapis.com/Cache | Learn more
apigee.googleapis.com/Developer | Learn more
apigee.googleapis.com/DeveloperApp | Learn more
apigee.googleapis.com/DeveloperAppAttribute | Learn more
apigee.googleapis.com/DeveloperAttribute | Learn more
apigee.googleapis.com/Export | Learn more
apigee.googleapis.com/FlowHook | Learn more
apigee.googleapis.com/KeyStore | Learn more
apigee.googleapis.com/KeyStoreAlias | Learn more
apigee.googleapis.com/KeyValueEntry | Learn more
apigee.googleapis.com/KeyValueMap | Learn more
apigee.googleapis.com/Proxy | Learn more
apigee.googleapis.com/ProxyRevision | Learn more
apigee.googleapis.com/Query | Learn more
apigee.googleapis.com/RatePlan | Learn more
apigee.googleapis.com/Reference | Learn more
apigee.googleapis.com/SharedFlow | Learn more
apigee.googleapis.com/SharedFlowRevision | Learn more
apigee.googleapis.com/TargetServer | Learn more
apigee.googleapis.com/TraceSession | Learn more
bigquery.googleapis.com/Dataset | Learn more
bigquery.googleapis.com/Model | Learn more
bigquery.googleapis.com/Routine | Learn more
bigquery.googleapis.com/Table | Learn more
bigtableadmin.googleapis.com/Cluster | Learn more
bigtableadmin.googleapis.com/Instance | Learn more
bigtableadmin.googleapis.com/Table | Learn more
binaryauthorization.googleapis.com/Attestor | Learn more
binaryauthorization.googleapis.com/ContinuousValidationConfig | Learn more
binaryauthorization.googleapis.com/Policy | Learn more
cloud.googleapis.com/Location [1] | Learn more
cloudkms.googleapis.com/CryptoKey | Learn more
cloudkms.googleapis.com/CryptoKeyVersion | Learn more
cloudkms.googleapis.com/KeyRing | Learn more
cloudresourcemanager.googleapis.com/Project [2] | Learn more
compute.googleapis.com/BackendService | Learn more
compute.googleapis.com/Disk | Learn more
compute.googleapis.com/Firewall | Learn more
compute.googleapis.com/ForwardingRule | Learn more
compute.googleapis.com/GlobalForwardingRule | Learn more
compute.googleapis.com/Image | Learn more
compute.googleapis.com/Instance | Learn more
compute.googleapis.com/InstanceTemplate | Learn more
compute.googleapis.com/Snapshot | Learn more
compute.googleapis.com/TargetHttpProxy | Learn more
compute.googleapis.com/TargetHttpsProxy | Learn more
compute.googleapis.com/TargetSslProxy | Learn more
compute.googleapis.com/TargetTcpProxy | Learn more
connectors.googleapis.com/Connection | Learn more
connectors.googleapis.com/ConnectionSchemaMetadata | Learn more
connectors.googleapis.com/EndpointAttachment | Learn more
connectors.googleapis.com/EventSubscription | Learn more
connectors.googleapis.com/ManagedZone | Learn more
container.googleapis.com/Clusters | Learn more
dataform.googleapis.com/CompilationResult | Learn more
dataform.googleapis.com/Location | Learn more
dataform.googleapis.com/ReleaseConfig | Learn more
dataform.googleapis.com/Repository | Learn more
dataform.googleapis.com/WorkflowConfig | Learn more
dataform.googleapis.com/WorkflowInvocation | Learn more
dataform.googleapis.com/Workspace | Learn more
firestore.googleapis.com/Database | Learn more
iap.googleapis.com/Tunnel | Learn more
iap.googleapis.com/TunnelInstance | Learn more
iap.googleapis.com/TunnelZone | Learn more
iap.googleapis.com/Web | Learn more
iap.googleapis.com/WebService | Learn more
iap.googleapis.com/WebServiceVersion | Learn more
iap.googleapis.com/WebType | Learn more
integrations.googleapis.com/AuthConfig | Learn more
integrations.googleapis.com/Execution | Learn more
integrations.googleapis.com/Integration | Learn more
integrations.googleapis.com/IntegrationVersion | Learn more
integrations.googleapis.com/Location | Not applicable
integrations.googleapis.com/Suspension | Learn more
logging.googleapis.com/LogBucket | Learn more
logging.googleapis.com/LogView | Learn more
pubsublite.googleapis.com/Location | Learn more
pubsublite.googleapis.com/Subscription | Learn more
pubsublite.googleapis.com/Topic | Learn more
secretmanager.googleapis.com/Secret | Learn more
secretmanager.googleapis.com/SecretVersion | Learn more
spanner.googleapis.com/Backup | Learn more
spanner.googleapis.com/Database | Learn more
spanner.googleapis.com/Instance | Learn more
sqladmin.googleapis.com/BackupRun | Learn more
sqladmin.googleapis.com/Instance | Learn more
storage.googleapis.com/Bucket | Learn more
storage.googleapis.com/ManagedFolder | Learn more
storage.googleapis.com/Object | Learn more

[1] Cloud Key Management Service uses this resource type as the parent of key ring resources.

[2] Apigee uses this resource type as the parent of any resource that belongs to an Apigee organization.

Resource name format

The following table lists the format of the resource name attribute for each kind of resource.

Resource reference | Resource name format template
Apigee API product attribute | organizations/organization-name/apiproducts/product-id/attributes/attribute-id
Apigee API product | organizations/organization-name/apiproducts/product-id
Apigee API proxy | organizations/organization-name/apis/proxy-id
Apigee API proxy key value map entry | organizations/organization-name/api/proxy-id/keyvaluemaps/keyvaluemap-id/entries/entry-id
Apigee API proxy key value map | organizations/organization-name/apis/proxy-id/keyvaluemaps/key-value-map-id
Apigee API proxy revision | organizations/organization-name/apis/proxy-id/revisions/revision-id
Apigee cache | organizations/organization-name/environments/environment-id/caches/cache-id
Apigee developer app attribute | organizations/organization-name/developers/developer-id/apps/app-id/attributes/attribute-id
Apigee developer app | organizations/organization-name/developers/developer-id/apps/app-id
Apigee developer attribute | organizations/organization-name/developers/developer-id/attributes/attribute-id
Apigee developer | organizations/organization-name/developers/developer-id
Apigee environment key value map entry | organizations/organization-name/environments/environment-id/keyvaluemaps/keyvaluemap-id/entries/entry-id
Apigee environment key value map | organizations/organization-name/environments/environment/keyvaluemaps/key-value-map-id
Apigee export | organizations/organization-name/environments/environment-id/analytics/exports/export-id
Apigee flow hook | organizations/organization-name/environments/environment-id/flowhooks/flowhook-id
Apigee key store alias | organizations/organization-name/environments/environment-id/keystores/keystore-id/aliases/alias-id
Apigee key store | organizations/organization-name/environments/environment-id/keystores/keystore-id
Apigee query | organizations/organization-name/environments/environment-id/queries/query-id
Apigee rate plan | organizations/organization-name/apiproducts/product-id/rateplans/rate-plan-id
Apigee reference | organizations/organization-name/environments/environment-id/references/reference-id
Apigee shared flow revision | organizations/organization-name/sharedflows/shared-flow-id/revisions/revision-id
Apigee shared flow | organizations/organization-name/sharedflows/shared-flow-id
Apigee target server | organizations/organization-name/environments/environment-id/targetservers/targetserver-id
Apigee trace (debug) session | organizations/organization-name/environments/environment-id/apis/proxy-id/revisions/revision-id/debugsessions/session-id
BigQuery dataset | projects/project-id/datasets/dataset-id
BigQuery model | projects/project-id/datasets/dataset-id/models/model-id
BigQuery routine | projects/project-id/datasets/dataset-id/routines/routine-id
BigQuery table | projects/project-id/datasets/dataset-id/tables/table-id
Binary Authorization attestor | projects/project-number/attestors/attestor-id
Binary Authorization continuous validation config | projects/project-number/continuousValidationConfig
Binary Authorization policy | projects/project-number/policy
Bigtable cluster | projects/project-number/instances/instance-id/clusters/cluster-id
Bigtable instance | projects/project-number/instances/instance-id
Bigtable table | projects/project-number/instances/instance-id/tables/table-id
Firestore database | projects/project-id/databases/database-id
Cloud Key Management Service crypto key | projects/project-id/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id
Cloud Key Management Service crypto key version | projects/project-id/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id/cryptoKeyVersions/cryptokeyversion-id
Cloud Key Management Service key ring | projects/project-id/locations/location-id/keyRings/keyring-id
Cloud Logging log bucket | projects/project-id/locations/location-id/buckets/bucket-id
Cloud Logging log view | projects/project-id/locations/location-id/buckets/bucket-id/views/view-id
Spanner backup | projects/project-id/instances/instance-id/backups/backup-id
Spanner database | projects/project-id/instances/instance-id/databases/database-id
Spanner instance | projects/project-id/instances/instance-id
Cloud SQL backup run | projects/project-id/instances/instance-id/backupRuns/backup-id
Cloud SQL instance | projects/project-id/instances/instance-id
Cloud Storage bucket [1] | projects/_/buckets/bucket-name
Cloud Storage managed folder [1, 2] | projects/_/buckets/bucket-name/managedFolders/managed-folder-name
Cloud Storage object [1, 3] | projects/_/buckets/bucket-name/objects/object-name
Compute Engine global backend service | projects/project-id/global/backendServices/backend-service-id
Compute Engine regional backend service | projects/project-id/regions/region-id/backendServices/backend-service-id
Compute Engine firewall | projects/project-id/global/firewalls/firewall-id
Compute Engine global forwarding rule | projects/project-id/global/forwardingRules/forwarding-rule-id
Compute Engine regional forwarding rule | projects/project-id/regions/region-id/forwardingRules/forwarding-rule-id
Compute Engine image | projects/project-id/global/images/image-id
Compute Engine instance template | projects/project-id/global/instanceTemplates/instance-template-id
Compute Engine instance | projects/project-id/zones/zone-id/instances/instance-id
Compute Engine regional persistent disk | projects/project-id/regions/region-id/disks/disk-id
Compute Engine zonal persistent disk | projects/project-id/zones/zone-id/disks/disk-id
Compute Engine snapshot | projects/project-id/global/snapshots/snapshot-id
Compute Engine global target HTTP proxy | projects/project-id/global/targetHttpProxies/target-http-proxy-id
Compute Engine regional target HTTP proxy | projects/project-id/regions/region-id/targetHttpProxies/target-http-proxy-id
Compute Engine global target HTTPS proxy | projects/project-id/global/targetHttpsProxies/target-https-proxy-id
Compute Engine regional target HTTPS proxy | projects/project-id/regions/region-id/targetHttpsProxies/target-https-proxy-id
Compute Engine target SSL proxy | projects/project-id/global/targetSslProxies/target-ssl-proxy-id
Compute Engine target TCP proxy | projects/project-id/global/targetTcpProxies/target-tcp-proxy-id
Google Kubernetes Engine cluster | projects/project-id/zones/zone-id/clusters/cluster-id
Dataform compilation result | projects/project-id/locations/location/repositories/repository/compilationResults/compilation-result
Dataform location | projects/project-id/locations/location
Dataform release config | projects/project-id/locations/location/repositories/repository/releaseConfigs/release-config
Dataform repository | projects/project-id/locations/location/repositories/repository
Dataform workflow config | projects/project-id/locations/location/repositories/repository/workflowConfigs/workflow-config
Dataform workflow invocation | projects/project-id/locations/location/repositories/repository/workflowInvocations/workflow-invocation
Dataform workspace | projects/project-id/locations/location/repositories/repository/workspaces/workspace
Integration Connectors connection | projects/project-id/locations/location/connections/connection-name
Integration Connectors connection schema metadata | projects/project-id/locations/location/connections/connection-name/connectionSchemaMetadata
Integration Connectors endpoint attachment | projects/project-id/locations/location/endpointAttachments/endpoint-attachment-name
Integration Connectors event subscription | projects/project-id/locations/location/eventSubscriptions/event-subscription-name
Integration Connectors managed zone | projects/project-id/locations/global/managedZones/managed-zone-name
Pub/Sub Lite location | projects/project-number/locations/location
Pub/Sub Lite subscription | projects/project-number/locations/location/subscriptions/subscription-id
Pub/Sub Lite topic | projects/project-number/locations/location/topics/topic-id
Resource Manager organization [4] | organizations/organization-name
Secret Manager secret | projects/project-number/secrets/secret-id
Secret Manager secret version [5] | projects/project-number/secrets/secret-id/versions/secret-version

[1] For Cloud Storage, the resource name contains an underscore (_) instead of the project ID. You cannot replace the underscore with a project ID, project name, or project number.

[2] Use the entire managed folder name, including forward slashes. In Cloud Storage, these characters are part of the managed folder name, not path separators.

[3] Use the full object name, including forward slashes. In Cloud Storage, these characters are part of the object name, not path separators.

[4] Apigee uses this format when you list resources of any type that belong to an Apigee organization.

[5] If a condition evaluates the resource name of a secret version, the secret version in the request must exactly match the secret version in the condition for the condition to be satisfied. For example, if the version in the condition is latest, only requests whose version is latest satisfy the condition; a request whose version is 3 does not satisfy the condition, even if 3 is the latest version.
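As an added example that is not part of this reference page or of Google's own tooling: the Python below builds a policy binding whose condition expression uses the resource.type and resource.name attributes in the formats from the tables above, and then checks locally which constructed requests would satisfy it. The resource_name, scoped_binding and condition_matches functions, the sample bucket, project number, secret and members are all assumptions made for illustration; the evaluator handles only the && conjunction of a resource.type equality with a resource.name equality or startsWith, and is not a CEL implementation. It exercises footnote 1 (the literal projects/_ segment), footnote 3 (object names keep their slashes) and footnote 5 (the secret version in the condition must match the request exactly).

```python
"""Added example (not Google Cloud's own code): build an IAM policy binding whose
condition uses resource.type and resource.name, then check locally which sample
requests it would match. Only the condition shape this file emits is evaluated
(resource.type equality && resource.name equality or startsWith); this is a
deliberate simplification, not a CEL implementation."""
import json
import re
from string import Template

# Name templates taken from the reference table on this page; the hyphenated IDs
# of the table are written as $placeholders so Template can fill them.
RESOURCE_NAME_TEMPLATES = {
    "storage.googleapis.com/Object":
        "projects/_/buckets/$bucket_name/objects/$object_name",
    "secretmanager.googleapis.com/SecretVersion":
        "projects/$project_number/secrets/$secret_id/versions/$secret_version",
    "compute.googleapis.com/Instance":
        "projects/$project_id/zones/$zone_id/instances/$instance_id",
}


def resource_name(resource_type: str, **ids: str) -> str:
    """Fill the documented template; KeyError if the type is unknown or an ID
    component is missing, so a partial name is never produced silently."""
    return Template(RESOURCE_NAME_TEMPLATES[resource_type]).substitute(ids)


def scoped_binding(role: str, member: str, resource_type: str,
                   name: str, prefix: bool = True) -> dict:
    """Binding that grants `role` to `member` only on resources of
    `resource_type` whose name starts with `name` (or equals it exactly)."""
    lit_type, lit_name = json.dumps(resource_type), json.dumps(name)  # quoted, escaped
    name_clause = (f"resource.name.startsWith({lit_name})" if prefix
                   else f"resource.name == {lit_name}")
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": f"Scoped to {resource_type}",
            "expression": f"resource.type == {lit_type} && {name_clause}",
        },
    }


# One clause: resource.type or resource.name compared with == or startsWith().
_CLAUSE = re.compile(
    r'resource\.(?P<attr>type|name)'
    r'(?:\.startsWith\((?P<prefix>"(?:[^"\\]|\\.)*")\)'
    r'|\s*==\s*(?P<exact>"(?:[^"\\]|\\.)*"))'
)


def condition_matches(expression: str, request: dict) -> bool:
    """Evaluate a && conjunction of the clauses above against a request carrying
    resource.type and resource.name. Unknown syntax raises rather than being
    skipped, so a clause can never be ignored and silently widen access."""
    for part in expression.split("&&"):
        m = _CLAUSE.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {part.strip()!r}")
        actual = request[f"resource.{m['attr']}"]
        if m["prefix"] is not None:
            if not actual.startswith(json.loads(m["prefix"])):
                return False
        elif actual != json.loads(m["exact"]):
            return False
    return True


def demo() -> dict:
    """Constructed bindings and requests (bucket, project number, secret and
    members are made up), keyed by what each case demonstrates."""
    # Storage: objects under logs/ in one bucket. Note the literal projects/_
    # segment (footnote 1); the object name keeps its slashes (footnote 3).
    log_prefix = resource_name("storage.googleapis.com/Object",
                               bucket_name="example-bucket", object_name="logs/")
    viewer = scoped_binding("roles/storage.objectViewer", "group:soc@example.com",
                            "storage.googleapis.com/Object", log_prefix)
    # Secret Manager: the version must match exactly (footnote 5), so a
    # condition on versions/latest never admits a request for versions/3.
    latest = resource_name("secretmanager.googleapis.com/SecretVersion",
                           project_number="123456789012", secret_id="db-password",
                           secret_version="latest")
    accessor = scoped_binding("roles/secretmanager.secretAccessor",
                              "serviceAccount:app@example.iam.gserviceaccount.com",
                              "secretmanager.googleapis.com/SecretVersion",
                              latest, prefix=False)
    v_expr = viewer["condition"]["expression"]
    s_expr = accessor["condition"]["expression"]
    obj, sv = "storage.googleapis.com/Object", "secretmanager.googleapis.com/SecretVersion"
    req = lambda t, n: {"resource.type": t, "resource.name": n}
    return {
        "log_object": condition_matches(v_expr, req(obj,
            "projects/_/buckets/example-bucket/objects/logs/2024/app.log")),
        "other_object": condition_matches(v_expr, req(obj,
            "projects/_/buckets/example-bucket/objects/keys/id_rsa")),
        "bucket_itself": condition_matches(v_expr, req("storage.googleapis.com/Bucket",
            "projects/_/buckets/example-bucket")),
        "version_latest": condition_matches(s_expr, req(sv,
            "projects/123456789012/secrets/db-password/versions/latest")),
        "version_3": condition_matches(s_expr, req(sv,
            "projects/123456789012/secrets/db-password/versions/3")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the five cases: only the object under logs/ and the request for versions/latest match; an object outside the prefix, the bucket itself (a different resource.type) and the request for versions/3 do not. The evaluator refuses any clause it does not understand because a condition checker that skips unknown syntax would fail open.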

Resource tags

You can add tags to organizations, projects, and folders. Any Google Cloud resource can inherit the tags of these higher-level resources.

You can use several different kinds of identifiers to refer to tag keys and values:

  • Permanent ID, which is globally unique and can never be reused. For example, a tag key could have the permanent ID tagKeys/123456789012, and a tag value could have the permanent ID tagValues/567890123456.
  • Short name. Each key's short name must be unique within your organization, and each value's short name must be unique for its associated key. For example, a tag key could have the short name env, and a tag value could have the short name prod.
  • Namespaced name, which prepends the organization's numeric ID to the tag key's short name. For example, a tag key could have the namespaced name 123456789012/env. Learn how to get your organization ID.

The specific identifiers depend on the tag keys and values that you create for your organization. To learn how to list the available tag keys and values, see Listing tag keys and Listing tag values.