This topic contains a list of values that can be used for resource attributes in a condition, including string values for resource service, resource type, and the format for resource name strings.
You can use resource attributes to change the scope of the grant provided by a role binding. When a role contains permissions that apply to different kinds of resources, a condition can grant a subset of the role's permissions based on the resource service, resource type, and resource name.
Resource attributes are available for the Google Cloud services and resource types that are listed on this page. Other services and resource types do not recognize resource attributes.
For more information about Identity and Access Management (IAM) Conditions, see the following:
Resource service values
The following table lists the values that the resource service attribute can contain.
| Resource service value | REST reference |
|---|---|
apigee.googleapis.com |
API reference |
backupdr.googleapis.com |
API reference |
bigquery.googleapis.com |
API reference |
bigqueryreservation.googleapis.com |
API reference |
bigtableadmin.googleapis.com |
API reference |
binaryauthorization.googleapis.com |
API reference |
clouddeploy.googleapis.com |
API reference |
cloudkms.googleapis.com |
API reference |
cloudresourcemanager.googleapis.com |
API reference |
compute.googleapis.com |
API reference |
container.googleapis.com |
API reference |
connectors.googleapis.com |
API reference |
dataform.googleapis.com |
API reference |
firestore.googleapis.com |
API reference |
iap.googleapis.com |
API reference |
integrations.googleapis.com |
API reference |
logging.googleapis.com |
API reference |
managedkafka.googleapis.com |
API reference |
pubsublite.googleapis.com |
API reference |
secretmanager.googleapis.com |
API reference |
spanner.googleapis.com |
API reference |
sqladmin.googleapis.com |
API reference |
storage.googleapis.com |
API reference |
Resource type values
The following table lists the values that the resource type attribute can contain.
| Resource type value | Reference |
|---|---|
apigee.googleapis.com/ApiProduct |
Read more |
apigee.googleapis.com/ApiProductAttribute |
Read more |
apigee.googleapis.com/Cache |
Read more |
apigee.googleapis.com/Developer |
Read more |
apigee.googleapis.com/DeveloperApp |
Read more |
apigee.googleapis.com/DeveloperAppAttribute |
Read more |
apigee.googleapis.com/DeveloperAttribute |
Read more |
apigee.googleapis.com/Export |
Read more |
apigee.googleapis.com/FlowHook |
Read more |
apigee.googleapis.com/KeyStore |
Read more |
apigee.googleapis.com/KeyStoreAlias |
Read more |
apigee.googleapis.com/KeyValueEntry |
Read more |
apigee.googleapis.com/KeyValueMap |
Read more |
apigee.googleapis.com/Proxy |
Read more |
apigee.googleapis.com/ProxyRevision |
Read more |
apigee.googleapis.com/Query |
Read more |
apigee.googleapis.com/RatePlan |
Read more |
apigee.googleapis.com/Reference |
Read more |
apigee.googleapis.com/SharedFlow |
Read more |
apigee.googleapis.com/SharedFlowRevision |
Read more |
apigee.googleapis.com/TargetServer |
Read more |
apigee.googleapis.com/TraceSession |
Read more |
backupdr.googleapis.com/BackupVaults |
Read more |
bigquery.googleapis.com/Dataset |
Read more |
bigquery.googleapis.com/Model |
Read more |
bigquery.googleapis.com/Routine |
Read more |
bigquery.googleapis.com/Table |
Read more |
bigqueryreservation.googleapis.com/Assignment |
Read more |
bigqueryreservation.googleapis.com/BiReservation |
Read more |
bigqueryreservation.googleapis.com/CapacityCommitment |
Read more |
bigqueryreservation.googleapis.com/Location |
Read more |
bigqueryreservation.googleapis.com/Reservation |
Read more |
bigtableadmin.googleapis.com/AppProfile |
Read more |
bigtableadmin.googleapis.com/Backup |
Read more |
bigtableadmin.googleapis.com/Cluster |
Read more |
bigtableadmin.googleapis.com/Instance |
Read more |
bigtableadmin.googleapis.com/Table |
Read more |
binaryauthorization.googleapis.com/Attestor |
Read more |
binaryauthorization.googleapis.com/ContinuousValidationConfig |
Read more |
binaryauthorization.googleapis.com/Policy |
Read more |
cloud.googleapis.com/Location1 |
Read more |
cloudkms.googleapis.com/CryptoKey |
Read more |
cloudkms.googleapis.com/CryptoKeyVersion |
Read more |
cloudkms.googleapis.com/KeyRing |
Read more |
cloudresourcemanager.googleapis.com/Project2 |
Read more |
compute.googleapis.com/BackendService |
Read more |
compute.googleapis.com/Disk |
Read more |
compute.googleapis.com/Firewall |
Read more |
compute.googleapis.com/ForwardingRule |
Read more |
compute.googleapis.com/GlobalForwardingRule |
Read more |
compute.googleapis.com/Image |
Read more |
compute.googleapis.com/Instance |
Read more |
compute.googleapis.com/InstanceTemplate |
Read more |
compute.googleapis.com/Snapshot |
Read more |
compute.googleapis.com/TargetHttpProxy |
Read more |
compute.googleapis.com/TargetHttpsProxy |
Read more |
compute.googleapis.com/TargetSslProxy |
Read more |
compute.googleapis.com/TargetTcpProxy |
Read more |
connectors.googleapis.com/Connection |
Read more |
connectors.googleapis.com/ConnectionSchemaMetadata |
Read more |
connectors.googleapis.com/EndpointAttachment |
Read more |
connectors.googleapis.com/EventSubscription |
Read more |
connectors.googleapis.com/ManagedZone |
Read more |
container.googleapis.com/Clusters |
Read more |
dataform.googleapis.com/CompilationResult |
Read more |
dataform.googleapis.com/Location |
Read more |
dataform.googleapis.com/ReleaseConfig |
Read more |
dataform.googleapis.com/Repository |
Read more |
dataform.googleapis.com/WorkflowConfig |
Read more |
dataform.googleapis.com/WorkflowInvocation |
Read more |
dataform.googleapis.com/Workspace |
Read more |
firestore.googleapis.com/Database |
Read more |
iap.googleapis.com/Tunnel |
Read more |
iap.googleapis.com/TunnelInstance |
Read more |
iap.googleapis.com/TunnelZone |
Read more |
iap.googleapis.com/Web |
Read more |
iap.googleapis.com/WebService |
Read more |
iap.googleapis.com/WebServiceVersion |
Read more |
iap.googleapis.com/WebType |
Read more |
integrations.googleapis.com/AuthConfig |
Read more |
integrations.googleapis.com/Execution |
Read more |
integrations.googleapis.com/Integration |
Read more |
integrations.googleapis.com/IntegrationVersion |
Read more |
integrations.googleapis.com/Location |
n/a |
integrations.googleapis.com/Suspension |
Read more |
logging.googleapis.com/LogBucket |
Read more |
logging.googleapis.com/LogView |
Read more |
managedkafka.googleapis.com/Cluster |
Read more |
managedkafka.googleapis.com/ConsumerGroup |
Read more |
managedkafka.googleapis.com/Operation |
Read more |
managedkafka.googleapis.com/Topic |
Read more |
pubsublite.googleapis.com/Location |
Read more |
pubsublite.googleapis.com/Subscription |
Read more |
pubsublite.googleapis.com/Topic |
Read more |
secretmanager.googleapis.com/Secret |
Read more |
secretmanager.googleapis.com/SecretVersion |
Read more |
spanner.googleapis.com/Backup |
Read more |
spanner.googleapis.com/Database |
Read more |
spanner.googleapis.com/Instance |
Read more |
sqladmin.googleapis.com/BackupRun |
Read more |
sqladmin.googleapis.com/Instance |
Read more |
storage.googleapis.com/Bucket |
Read more |
storage.googleapis.com/ManagedFolder |
Read more |
storage.googleapis.com/Object |
Read more |
1 Cloud Key Management Service uses this resource type as the parent of key ring resources.
2 Apigee uses this resource type as the parent of any resource that belongs to an Apigee organization.
Resource name format
The following table lists the format of each type of resource name attribute.
| Resource reference | Resource name format template |
|---|---|
| Apigee API product attributes | organizations/organization-name/apiproducts/product-id/attributes/attribute-id |
| Apigee API products | organizations/organization-name/apiproducts/product-id |
| Apigee API proxies | organizations/organization-name/apis/proxy-id |
| Apigee API proxy key-value map entries | organizations/organization-name/api/proxy-id/keyvaluemaps/keyvaluemap-id/entries/entry-id |
| Apigee API proxy key-value maps | organizations/organization-name/apis/proxy-id/keyvaluemaps/key-value-map-id |
| Apigee API proxy revisions | organizations/organization-name/apis/proxy-id/revisions/revision-id |
| Apigee caches | organizations/organization-name/environments/environment-id/caches/cache-id |
| Apigee developer app attributes | organizations/organization-name/developers/developer-id/apps/app-id/attributes/attribute-id |
| Apigee developer apps | organizations/organization-name/developers/developer-id/apps/app-id |
| Apigee developer attributes | organizations/organization-name/developers/developer-id/attributes/attribute-id |
| Apigee developers | organizations/organization-name/developers/developer-id |
| Apigee environment key-value map entries | organizations/organization-name/environments/environment-id/keyvaluemaps/keyvaluemap-id/entries/entry-id |
| Apigee environment key-value maps | organizations/organization-name/environments/environment/keyvaluemaps/key-value-map-id |
| Apigee exports | organizations/organization-name/environments/environment-id/analytics/exports/export-id |
| Apigee flow hooks | organizations/organization-name/environments/environment-id/flowhooks/flowhook-id |
| Apigee keystore aliases | organizations/organization-name/environments/environment-id/keystores/keystore-id/aliases/alias-id |
| Apigee keystores | organizations/organization-name/environments/environment-id/keystores/keystore-id |
| Apigee queries | organizations/organization-name/environments/environment-id/queries/query-id |
| Apigee rate plans | organizations/organization-name/apiproducts/product-id/rateplans/rate-plan-id |
| Apigee references | organizations/organization-name/environments/environment-id/references/reference-id |
| Apigee shared flow revisions | organizations/organization-name/sharedflows/shared-flow-id/revisions/revision-id |
| Apigee shared flows | organizations/organization-name/sharedflows/shared-flow-id |
| Apigee target servers | organizations/organization-name/environments/environment-id/targetservers/targetserver-id |
| Apigee trace (debug) sessions | organizations/organization-name/environments/environment-id/apis/proxy-id/revisions/revision-id/debugsessions/session-id |
| Backup and DR Service backupVaults | projects/project-id/locations/location-id/backupVaults/backup-vault-id |
| BigQuery datasets | projects/project-id/datasets/dataset-id |
| BigQuery models | projects/project-id/datasets/dataset-id/models/model-id |
| BigQuery routines | projects/project-id/datasets/dataset-id/routines/routine-id |
| BigQuery tables | projects/project-id/datasets/dataset-id/tables/table-id |
| BigQuery Reservation API assignments | projects/project-id/locations/location-id/reservations/reservation-id/assignments/assignment-id |
| BigQuery Reservation API BI reservations | projects/project-id/locations/location-id/biReservation |
| BigQuery Reservation API capacity commitments | projects/project-id/locations/location-id/capacityCommitments/capacity-commitment-id |
| BigQuery Reservation API locations | projects/project-id/locations/location-id |
| BigQuery Reservation API reservations | projects/project-id/locations/location-id/reservations/reservation-id |
| Binary Authorization attestors | projects/project-number/attestors/attestor-id |
| Binary Authorization continuous validation configs | projects/project-number/continuousValidationConfig |
| Binary Authorization policies | projects/project-number/policy |
| Bigtable appProfiles | projects/project-number/instances/instance-id/appProfiles/appProfile-id |
| Bigtable backups | projects/project-number/instances/instance-id/clusters/cluster-id/backups/backup-id |
| Bigtable clusters | projects/project-number/instances/instance-id/clusters/cluster-id |
| Bigtable instances | projects/project-number/instances/instance-id |
| Bigtable tables | projects/project-number/instances/instance-id/tables/table-id |
| Cloud Deploy automation runs | projects/project-id/locations/location-id/deliveryPipelines/delivery-pipeline-id/automationRuns/automation-run-id |
| Cloud Deploy automations | projects/project-id/locations/location-id/deliveryPipelines/delivery-pipeline-id/automations/automation-id |
| Cloud Deploy custom target types | projects/project-id/locations/location-id/customTargetTypes/custom-target-type-id |
| Cloud Deploy delivery pipelines | projects/project-id/locations/location-id/deliveryPipelines/delivery-pipeline-id |
| Cloud Deploy job runs | projects/project-id/locations/location-id/deliveryPipelines/delivery-pipeline-id/releases/release-id/rollouts/rollout-id/jobRuns/job-run-id |
| Cloud Deploy releases | projects/project-id/locations/location-id/deliveryPipelines/delivery-pipeline-id/releases/release-id |
| Cloud Deploy rollouts | projects/project-id/locations/location-id/deliveryPipelines/delivery-pipeline-id/releases/release-id/rollouts/rollout-id |
| Cloud Deploy targets | projects/project-id/locations/location-id/targets/target-id |
| Firestore databases | projects/project-id/databases/database-id |
| Cloud Key Management Service crypto keys | projects/project-id/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id |
| Cloud Key Management Service crypto key versions | projects/project-id/locations/location-id/keyRings/keyring-id/cryptoKeys/cryptokey-id/cryptoKeyVersions/cryptokeyversion-id |
| Cloud Key Management Service key rings | projects/project-id/locations/location-id/keyRings/keyring-id |
| Cloud Logging log buckets | projects/project-id/locations/location-id/buckets/bucket-id |
| Cloud Logging log views | projects/project-id/locations/location-id/buckets/bucket-id/views/view-id |
| Spanner backups | projects/project-id/instances/instance-id/backups/backup-id |
| Spanner databases | projects/project-id/instances/instance-id/databases/database-id |
| Spanner instances | projects/project-id/instances/instance-id |
| Cloud SQL backup runs | projects/project-id/instances/instance-id/backupRuns/backup-id |
| Cloud SQL instances | projects/project-id/instances/instance-id |
| Cloud Storage buckets1 | projects/_/buckets/bucket-name |
| Cloud Storage managed folders1, 2 | projects/_/buckets/bucket-name/managedFolders/managed-folder-name |
| Cloud Storage objects1, 3 | projects/_/buckets/bucket-name/objects/object-name |
| Compute Engine global backend services | projects/project-id/global/backendServices/backend-service-id |
| Compute Engine regional backend services | projects/project-id/regions/region-id/backendServices/backend-service-id |
| Compute Engine firewalls | projects/project-id/global/firewalls/firewall-id |
| Compute Engine global forwarding rules | projects/project-id/global/forwardingRules/forwarding-rule-id |
| Compute Engine regional forwarding rules | projects/project-id/regions/region-id/forwardingRules/forwarding-rule-id |
| Compute Engine images | projects/project-id/global/images/image-id |
| Compute Engine instance templates | projects/project-id/global/instanceTemplates/instance-template-id |
| Compute Engine instances | projects/project-id/zones/zone-id/instances/instance-id |
| Compute Engine regional persistent disks | projects/project-id/regions/region-id/disks/disk-id |
| Compute Engine zonal persistent disks | projects/project-id/zones/zone-id/disks/disk-id |
| Compute Engine snapshots | projects/project-id/global/snapshots/snapshot-id |
| Compute Engine global target HTTP proxies | projects/project-id/global/targetHttpProxies/target-http-proxy-id |
| Compute Engine regional target HTTP proxies | projects/project-id/regions/region-id/targetHttpProxies/target-http-proxy-id |
| Compute Engine global target HTTPS proxies | projects/project-id/global/targetHttpsProxies/target-https-proxy-id |
| Compute Engine regional target HTTPS proxies | projects/project-id/regions/region-id/targetHttpsProxies/target-https-proxy-id |
| Compute Engine target SSL proxies | projects/project-id/global/targetSslProxies/target-ssl-proxy-id |
| Compute Engine target TCP proxies | projects/project-id/global/targetTcpProxies/target-tcp-proxy-id |
| Google Kubernetes Engine clusters | projects/project-id/locations/location/clusters/cluster-id |
| Dataform compilation results | projects/project-id/locations/location/repositories/repository/compilationResults/compilation-result |
| Dataform locations | projects/project-id/locations/location |
| Dataform release configs | projects/project-id/locations/location/repositories/repository/releaseConfigs/release-config |
| Dataform repositories | projects/project-id/locations/location/repositories/repository |
| Dataform workflow configs | projects/project-id/locations/location/repositories/repository/workflowConfigs/workflow-config |
| Dataform workflow invocations | projects/project-id/locations/location/repositories/repository/workflowInvocations/workflow-invocation |
| Dataform workspaces | projects/project-id/locations/location/repositories/repository/workspaces/workspace |
| Integration Connectors connections | projects/project-id/locations/location/connections/connection-name |
| Integration Connectors connection schema metadata | projects/project-id/locations/location/connections/connection-name/connectionSchemaMetadata |
| Integration Connectors endpoint attachments | projects/project-id/locations/location/endpointAttachments/endpoint-attachment-name |
| Integration Connectors event subscriptions | projects/project-id/locations/location/eventSubscriptions/event-subscription-name |
| Integration Connectors managed zones | projects/project-id/locations/global/managedZones/managed-zone-name |
| Google Cloud Managed Service for Apache Kafka clusters | projects/project-number/locations/location/clusters/cluster-name |
| Google Cloud Managed Service for Apache Kafka consumer groups | projects/project-number/locations/location/clusters/cluster-name/consumerGroups/consumer-group |
| Google Cloud Managed Service for Apache Kafka operations | projects/project-number/locations/location/operations/operation |
| Google Cloud Managed Service for Apache Kafka topics | projects/project-number/locations/location/clusters/cluster-name/topics/topic-name |
| Pub/Sub Lite locations | projects/project-number/locations/location |
| Pub/Sub Lite subscriptions | projects/project-number/locations/location/subscriptions/subscription-id |
| Pub/Sub Lite topics | projects/project-number/locations/location/topics/topic-id |
| Resource Manager organizations4 | organizations/organization-name |
| Secret Manager secrets | projects/project-number/secrets/secret-id |
| Secret Manager secret versions5 | projects/project-number/secrets/secret-id/versions/secret-version |
1 For Cloud Storage, resource names contain an underscore (_)
rather than a project ID. You cannot replace the underscore with a project ID,
project name, or project number.
2 Use the entire managed folder name, including forward slashes. In Cloud Storage, these characters are part of the managed folder name, not path separators.
3 Use the entire object name, including forward slashes. In Cloud Storage, these characters are part of the object name, not path separators.
4 Apigee uses this format when you list any type of resource that belongs to an Apigee organization.
5 If a condition evaluates the resource name for a secret version,
the secret version in the request must exactly match the secret version in the
condition for the condition to be satisfied. For example, if the version in the
condition is latest, only a request with the version latest satisfies the
condition; a request with the version 3 does not satisfy the condition, even
if 3 is the latest version.
Resource tags
You can attach tags to organizations, projects, and folders. Any Google Cloud resource can inherit tags from these higher-level resources.
You can use a few different types of identifiers to refer to tag keys and values:
-
A permanent ID, which is globally unique and can never be reused. For example, a tag
key could have the permanent ID
tagKeys/123456789012, and a tag value could have the permanent IDtagValues/567890123456. -
A short name. The short name for each key must be unique within the project or
organization under which the key is defined, and the short name for each value must be unique
for its associated key. For example, a tag key could have the short name
env, and a tag value could have the short nameprod. -
A namespaced name, which adds your organization's numeric ID or project's ID to the
short name of a tag key. For example, a tag key created for an organization could have the
namespaced name
123456789012/env. To learn how to get your organization ID, see Getting your organization resource ID. A tag key created for a project could have the namespaced namemyproject/env. To learn how to get your project ID, see Identifying projects.
The specific identifiers depend on the tag keys and values that you have created for your organization. To learn how to list the tag keys and values that are available to you, see Listing tag keys and Listing tag values.