This page lists the resource types on which you can set allow policies.
Select a service to see which of its resource types support allow policies:
| Service | Resources that accept allow policies |
|---|---|
| Identity-Aware Proxy |
All web services Individual web services Tunnel Tunnel instances Tunnel zones Web service types Web service versions |
| Access Context Manager | Access policies |
| Analytics Hub |
Data exchanges Listings |
| API Gateway |
APIs Configs Gateways |
| Apigee | Environments |
| Apigee Registry |
APIs Artifacts Deployments Instances Runtime Specs Versions |
| Artifact Registry | Repositories |
| AutoML |
Datasets Locations Models |
| BeyondCorp Enterprise |
App connections App connectors App gateways Client connector services Client gateways |
| BigQuery |
Row access policies Tables |
| BigQuery Connection API | Connections |
| Cloud Bigtable |
Backups Instances Tables |
| Binary Authorization |
Attestors Policy |
| Cloud Billing | Billing accounts |
| Google Cloud Deploy |
Delivery pipelines Targets |
| Cloud Functions | Functions |
| Cloud Key Management Service |
Crypto keys EKM config EKM connections Import jobs Key rings |
| Resource Manager |
Folders Organizations Projects Tag keys Tag values |
| Cloud Tasks | Queues |
| Compute Engine |
Backend services Disks Firewall policies Images Instance templates Instances Licenses Machine images Network attachments Network firewall policies Node groups Node templates Region backend services Region disks Region network firewall policies Reservations Resource policies Service attachments Snapshots Subnetworks |
| Container Analysis |
Notes Occurrences |
| Data Catalog |
Entry groups Policy tags Tag templates Taxonomies |
| Dataform |
Repositories Workspaces |
| Cloud Data Fusion | Instances |
| Database Migration Service |
Connection profiles Conversion workspaces Migration jobs Private connections |
| Dataplex |
Aspect types Assets Attributes Content Content items Data attribute bindings Data scans Data taxonomies Entry groups Entry types Environments Lakes Tasks Zones |
| Dataproc |
Autoscaling policies Clusters Jobs Operations Workflow templates |
| Cloud Deployment Manager | Deployments |
| Cloud DNS | Managed zones |
| Cloud Domains | Registrations |
| Eventarc |
Channel connections Channels Triggers |
| Game Servers | Game server deployments |
| Backup for GKE |
Backup plans Backups Restore plans Restores Volume backups Volume restores |
| GKE Hub |
Features Memberships Scopes |
| Anthos clusters on VMware (GKE on-prem) |
Bare metal admin clusters Bare metal clusters Bare metal node pools VMware admin clusters VMware clusters VMware node pools |
| Cloud Healthcare API |
Consent stores Datasets DICOM stores FHIR stores HL7v2 stores |
| Identity and Access Management |
Service accounts Workforce identity pools |
| Cloud Intrusion Detection System | Endpoints |
| Managed Service for Microsoft Active Directory |
Backups Domains Peerings |
| Dataproc Metastore |
Backups Federations Services |
| AI Platform |
Jobs Models |
| Network Connectivity Center |
Hubs Policy-based routes Service classes Service connection maps Service connection policies Spokes |
| Network Management API | Connectivity tests |
| Network Security |
Address groups Authorization policies Client TLS policies Server TLS policies |
| Network Services |
Edge cache keysets Edge cache origins Edge cache services Endpoint policies Gateways Meshes Service bindings |
| Notebooks |
Instances Runtimes |
| Certificate Authority Service |
CA pools Certificate revocation lists Certificate templates |
| Pub/Sub |
Schemas Snapshots Subscriptions Topics |
| Cloud Run |
Jobs Services |
| Secret Manager | Secrets |
| Security Command Center | Sources |
| Service Directory |
Namespaces Services |
| Service Management |
Consumers Services |
| Cloud Source Repositories | Repos |
| Cloud Spanner |
Backups Databases Instances |
| Cloud Storage | Buckets |
| Cloud Workstations |
Workstation configs Workstations |