When you refer to a principal in an Identity and Access Management (IAM) policy, you need to use the correct identifier for the principal. The format of the identifier depends on the type of principal you want to refer to and which version of the API you're using.
This page lists the identifier formats for each supported principal type for all API versions.
IAM v1
API
The following table describes the principal type identifiers for the
IAM v1
API.
Principal type | Identifier |
---|---|
User |
Example: |
Service account |
Example: |
Group |
Example: |
Domain |
Example: |
All users | allUsers |
All authenticated users | allAuthenticatedUsers |
Built-in resource identities | Only available for supported resources. The format varies depending on the resource. See Resources with built-in identities for details. |
Single identity in a workforce identity pool | principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
All workforce identities in a group | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID |
All workforce identities with a specific attribute value | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
All identities in a workforce identity pool | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/* |
Single identity in a workload identity pool | principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
Workload identity pool group | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID |
All identities in a workload identity pool with a certain attribute | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
All identities in a workload identity pool | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/* |
All GKE Pods that use a specific Kubernetes service account |
By service account name:
By service account ID:
Legacy format: |
All GKE Pods in a Kubernetes namespace, regardless of service account or cluster | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/namespace/NAMESPACE |
All GKE Pods in a specific cluster | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/kubernetes.cluster/https://container.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_NAME |
Deleted user1 |
Example: |
Deleted service account1 |
Example: |
Deleted group1 |
Example: |
Deleted single identity in a workforce identity pool1 |
Example: |
1 Don't add deleted principals when creating or modifying policies.
IAM v2
API
The following table describes the principal type identifiers for the
IAM v2
API.
Principal type | Identifier |
---|---|
User |
Example: |
Service account |
Example: |
Group |
Example: |
All principals | principalSet://goog/public:all |
All principals in a Cloud Identity account (domain) |
Example: |
Single identity in a workforce identity pool | principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
All workforce identities in a group | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID |
All workforce identities with a specific attribute value | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
All identities in a workforce identity pool | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/* |
Single identity in a workload identity pool | principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
Workload identity pool group | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID |
All identities in a workload identity pool with a certain attribute | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
All identities in a workload identity pool | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/* |
Deleted user2 |
Example: |
Deleted service account2 |
Example: |
Deleted group2 |
Example: |
Deleted single identity in a workforce identity pool2 |
Example: |
1 Learn how to find your Cloud Identity customer ID.
2 Don't add deleted principals when creating or modifying policies.