Resource types that accept conditional role bindings

Identity and Access Management (IAM) lets you grant roles conditionally. However, some Google Cloud resources don't have their own allow policies, or they don't let you add conditional role bindings to their allow policies.

This page lists the resource types that have their own allow policies and accept conditional role bindings in their allow policies. If you need to grant conditional access to other resource types, see Resource types that don't accept conditions on this page.

Resource types that accept conditions

You can add conditions to allow policies for the following types of Google Cloud resources:

Google Cloud service Resource types
Binary Authorization
  • Attestors
  • Policies
Certificate Authority Service
  • CA pools
  • Certificate revocation lists
  • Certificate templates
Bigtable (Bigtable)
  • Instances
  • Tables
Cloud Key Management Service (Cloud KMS)
  • Crypto keys
  • Key rings
Cloud Run
  • Services
Spanner
  • Backups
  • Databases
  • Instances
Cloud Storage
  • Buckets 1, 2
  • Managed folders
Compute Engine
  • Global backend services
  • Regional backend services
  • Firewalls
  • Images
  • Instance templates
  • Instances
  • Regional persistent disks
  • Zonal persistent disks
  • Snapshots
Identity-Aware Proxy (IAP)
  • All web services
  • Individual web services
  • Tunnels
  • Tunnel instances
  • Tunnel zones
  • Web service types
  • Web service versions
Resource Manager
  • Folders
  • Organizations
  • Projects
  • Tag keys
  • Tag values
Secret Manager
  • Secrets

1 Available for buckets that use uniform bucket-level access. If you cannot enable uniform bucket-level access, you can add conditions to the allow policy for a higher-level resource, such as the project.

2 You can use the resource.name attribute to refer to objects in Cloud Storage buckets. However, you must add the condition to the allow policy for a higher-level resource, such as the bucket or the project.

Resource types that don't accept conditions

To grant conditional access to a resource type that doesn't have its own allow policy, or that doesn't accept conditional role bindings, you can grant the role on your organization or project. Other resources inherit those role bindings through the resource hierarchy.