Identity and Access Management (IAM) lets you grant roles conditionally. However, some Google Cloud resources don't have their own allow policies, or they don't let you add conditional role bindings to their allow policies.
This page lists the resource types that have their own allow policies and accept conditional role bindings in their allow policies. If you need to grant conditional access to other resource types, see Resource types that don't accept conditions on this page.
Resource types that accept conditions
You can add conditions to allow policies for the following types of Google Cloud resources:
| Google Cloud service | Resource types |
|---|---|
| Binary Authorization | |
| Certificate Authority Service | |
| Bigtable | |
| Cloud Key Management Service (Cloud KMS) | |
| Cloud Run | |
| Spanner | |
| Cloud Storage | |
| Compute Engine | |
| Identity-Aware Proxy (IAP) | |
| Resource Manager | |
| Secret Manager | |
1 Available for buckets that use uniform bucket-level access. If you cannot enable uniform bucket-level access, you can add conditions to the allow policy for a higher-level resource, such as the project.
2 You can use the
Resource types that don't accept conditions
To grant conditional access to a resource type that doesn't have its own allow policy, or that doesn't accept conditional role bindings, grant the role on your organization or project instead. Resources below that level inherit the role binding through the resource hierarchy, and the condition is evaluated on each access, so you can use resource attributes such as resource.type and resource.name in the condition to limit the inherited binding to the specific resources you intend rather than to everything in the project.
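The following is an added example for this page, not code from Google Cloud or the IAM documentation. It shows the two points made above in working form: adding a conditional role binding to an allow policy document (the JSON shape that `gcloud ... get-iam-policy --format=json` returns and `set-iam-policy` accepts, which must be at policy version 3 for conditions), and scoping a binding granted on a project with resource attributes so that an inherited grant reaches only one resource. The project, bucket and member names, the sample policy, and the assumed `resource.type` / `resource.name` values are constructed for illustration; check the documented attribute formats for the service you are scoping before using such an expression.

```python
"""Work with conditional role bindings in an IAM allow policy document.

Added example for this page; not code from Google Cloud or the IAM
documentation. Operates on the JSON that `gcloud ... get-iam-policy
--format=json` returns and `set-iam-policy` accepts. All names and the
sample policy below are constructed for illustration.
"""
import copy
import json

# Conditional bindings are only honoured in version 3 policies; writing a
# condition back into a version 1 policy is rejected.
CONDITIONAL_POLICY_VERSION = 3


def add_conditional_binding(policy, role, member, expression, title, description=""):
    """Return a copy of `policy` with `member` granted `role` under a condition.

    Bindings are keyed by (role, condition): the same role with a different
    condition, or with no condition, is a distinct binding, so the member is
    merged only into a binding whose role and condition match exactly.
    """
    new_policy = copy.deepcopy(policy)
    new_policy["version"] = CONDITIONAL_POLICY_VERSION
    condition = {"expression": expression, "title": title}
    if description:
        condition["description"] = description
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append(
        {"role": role, "members": [member], "condition": condition}
    )
    return new_policy


def scoped_condition(resource_type, resource_name_prefix):
    """CEL expression that limits a binding granted on a parent (project or
    organization) to one resource type and name prefix. Use this when the
    target resource type does not accept conditions itself: the binding is
    inherited and the condition narrows which resources it applies to.
    The attribute values passed in are assumptions for this example."""
    return (
        f'resource.type == "{resource_type}" && '
        f'resource.name.startsWith("{resource_name_prefix}")'
    )


def shadowed_conditional_bindings(policy):
    """Return (role, member) pairs whose conditional binding is redundant
    because an unconditional binding grants the same role to the same member.
    IAM unions all bindings, so the unconditional one applies and the
    condition restricts nothing; a common review finding."""
    unconditional = set()
    conditional = set()
    for binding in policy.get("bindings", []):
        target = conditional if binding.get("condition") else unconditional
        for member in binding["members"]:
            target.add((binding["role"], member))
    return sorted(conditional & unconditional)


# Constructed sample: what get-iam-policy might return for a project.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ],
}

# Grant object access on the project, scoped down to one bucket prefix,
# instead of trying to attach a condition to the object itself.
# (Assumed resource.type/resource.name formats for Cloud Storage objects.)
CONDITIONED = add_conditional_binding(
    SAMPLE_POLICY,
    role="roles/storage.objectViewer",
    member="serviceAccount:reporter@example-project.iam.gserviceaccount.com",
    expression=scoped_condition(
        "storage.googleapis.com/Object",
        "projects/_/buckets/example-bucket/objects/reports/",
    ),
    title="reports-only",
    description="Read access limited to the reports/ prefix of example-bucket",
)

if __name__ == "__main__":
    print(json.dumps(CONDITIONED, indent=2))
    print("shadowed:", shadowed_conditional_bindings(CONDITIONED))
```

Run `shadowed_conditional_bindings` over a policy before you write it back: a conditional grant added next to an existing unconditional grant of the same role to the same member looks restrictive in the console but changes nothing.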