Resource types that accept allow policies

This page lists the resource types on which you can set allow policies.

Select a service to see which of its resource types support allow policies:

Service	Resources that accept allow policies
BigQuery	Datasets Tables
Identity-Aware Proxy	All web services Individual web services Tunnel Tunnel instances Tunnel zones Web service types Web service versions
Access Context Manager	Access policies
Vertex AI	Entity types Featurestores Notebook runtime templates
Analytics Hub	Data exchanges Listings
API Gateway	APIs Configs Gateways
Apigee	Environments
Apigee Registry	APIs Artifacts Deployments Documents Instances Runtime Specs Versions
Artifact Registry	Repositories
AutoML	Datasets Locations Models
Backup and Disaster Recovery	Management servers
BeyondCorp Enterprise	App connections App connectors App gateways Browser DLP rules Client connector services Client gateways Partner tenants Proxy configs
BigQuery Connection API	Connections
BigQuery Data Policy	Data policies
Cloud Bigtable	Backups Instances Tables
Binary Authorization	Attestors Policy
Cloud Billing	Billing accounts
Cloud Build	Connections
Cloud Deploy	Delivery pipelines Targets
Cloud Functions	Functions
Cloud Key Management Service	Crypto keys EKM config EKM connections Import jobs Key rings
Resource Manager	Folders Organizations Projects Tag keys Tag values
Cloud Tasks	Queues
Compute Engine	Backend buckets Backend services Disks Firewall policies Images Instance templates Instances Licenses Machine images Network attachments Network firewall policies Node groups Node templates Region backend services Region disks Region network firewall policies Reservations Resource policies Service attachments Snapshots Subnetworks
Artifact Analysis	Notes Occurrences
Data Catalog	Entry groups Policy tags Tag templates Taxonomies
Dataform	Collections Repositories Workspaces
Cloud Data Fusion	Instances
Database Migration Service	Connection profiles Conversion workspaces Migration jobs Private connections
Dataplex	Aspect types Assets Attributes Content Content items Data attribute bindings Data scans Data taxonomies Entry groups Entry types Environments Governance rules Lakes Tasks Zones
Dataproc	Autoscaling policies Clusters Jobs Operations Workflow templates
Cloud Deployment Manager	Deployments
Cloud DNS	Managed zones
Cloud Domains	Registrations
Eventarc	Channel connections Channels Triggers
Backup for GKE	Backup plans Backups Restore plans Restores Volume backups Volume restores
GKE Hub	Features Memberships Scopes
GKE on VMware	Bare metal admin clusters Bare metal clusters Bare metal node pools VMware admin clusters VMware clusters VMware node pools
Cloud Healthcare API	Consent stores Datasets DICOM stores FHIR stores HL7v2 stores
Identity and Access Management	Service accounts Workforce identity pools
Cloud Intrusion Detection System	Endpoints
Looker	Backups Instances
Managed Service for Microsoft Active Directory	Backups Domains Peerings
Dataproc Metastore	Backups Federations Services
AI Platform	Jobs Models
Network Connectivity Center	Groups Hubs Policy-based routes Service classes Service connection maps Service connection policies Spokes
Network Management API	Connectivity tests
Network Security	Address groups Authorization policies Client TLS policies Server TLS policies
Network Services	Edge cache keysets Edge cache origins Edge cache services Endpoint policies Gateways Meshes Service bindings
Notebooks	Instances Runtimes
Certificate Authority Service	CA pools Certificate revocation lists Certificate templates
Pub/Sub	Schemas Snapshots Subscriptions Topics
Cloud Run	Jobs Services
Secret Manager	Secrets
Security Command Center	Sources
Service Directory	Namespaces Services
Service Management	Consumers Services
Cloud Source Repositories	Repos
Cloud Spanner	Backups Databases Instances
Cloud Storage	Buckets Managed folders
Google Cloud VMware Engine	Clusters HCX activation keys Private clouds
Cloud Workstations	Workstation configs Workstations