IAM Conditions for fine-grained access
======================================

| **Preview**
|
| This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
| of the [Service Specific Terms](/terms/service-terms#1).
|
| Pre-GA products and features are available "as is" and might have limited support.
|
| For more information, see the
| [launch stage descriptions](/products#product-launch-stages).
This page describes how to restrict access to your connections by using IAM Conditions.

An IAM condition lets you have granular control over your Integration Connectors resources. By default, an [Integration Connectors user or a role](/integration-connectors/docs/connectors-access-permissions) can perform all the supported operations on a connection. By using IAM Conditions, you can restrict a specific user or role to only selected operations on a connection. For example, you can restrict a user so that the user can only modify the connections whose names begin with `test-connection`, and has no other permissions on those connections, such as subscribing to events or viewing the schema metadata.
Before you begin
----------------

Integration Connectors uses Google Cloud's [Identity and Access Management (IAM)](/iam/docs/overview) to manage roles and permissions for Integration Connectors resources. Therefore, before you specify or modify conditions in IAM for your Integration Connectors resources, familiarize yourself with the following IAM concepts:

- [Resource](/iam/docs/overview#resource)
- [Resource hierarchy](/iam/docs/resource-hierarchy-access-control)
- [Roles](/iam/docs/understanding-roles)
- [Custom roles](/iam/docs/creating-custom-roles)
- [Permissions](/iam/docs/overview#permissions)
- [Parent-only permissions](/iam/docs/configuring-resource-based-access#parent-only)
Adding IAM Conditions
---------------------

To add an IAM condition to an Integration Connectors resource, you need the following information:

- **Named Resource URI** - Every resource in Integration Connectors has a unique resource URI. For example, the URI for the connection resource is `projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/{connection_name}`. For the complete list of all the available URIs, see [Integration Connectors REST resources](/integration-connectors/docs/reference/rest). To control access permissions for a resource at a granular level, you must name your resources according to a naming convention. Based on your requirements, you can decide the naming convention you want to use. For example, you can prefix all the connections owned by the marketing team with `marketing-`. In this example, the resource URI for the marketing team's connections begins with `projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-`.
- **Parent-only permissions** - Check if a resource or any of its child resources require a parent-only permission. For more information, see [Parent-only permissions](/iam/docs/configuring-resource-based-access#parent-only).
- **Resource type** - You can further narrow the scope of the resources by filtering for a resource type in the condition. Integration Connectors supports conditions for the following resources: Connections, ManagedZones, EndpointAttachments, EventSubscriptions, and ConnectionSchemaMetadata.

| **Note:** Google Cloud resources have a hierarchical structure. The permissions that you apply to a parent resource don't propagate to the parent's child resources, and conversely the permissions that you apply to a child resource don't apply to the child's parent. For example, if you have restricted a user to access only the connections whose name begins with `marketing-`, the user can still list (view) all the connections because the `list` permission is available on the connection's parent resource (location). However, the user can perform get, create, update, and delete operations only on the connections whose name begins with `marketing-`.

Examples
--------

The following sample resource condition can be applied to an Integration Connectors user or a role. A user or a role to whom you apply this condition can only do the following operations:

- List all connections.
- Perform get, create, update, and delete operations only for connections whose name starts with `marketing-`.
- Get connection schema metadata only for connections whose name starts with `marketing-`.
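As an added illustration (not code from this page and not Google's IAM evaluator), the following Python models how a condition of the form `resource.type != CONNECTION_TYPE || resource.name.startsWith(PREFIX)` produces the behaviour the note above describes: the parent-only `list` permission is checked against the location, so it passes, while per-connection operations are limited to the `marketing-` prefix. The resource type strings, project and location are assumed placeholders; the two-clause expression is an assumption modelled on the parent-only note rather than a reproduction of the page's own sample table, and the single-clause variant is included to show why the `resource.type` clause matters.

```python
"""Toy evaluator for the IAM Condition pattern discussed on this page.

Added example: not Google's IAM evaluator and not code from the Integration
Connectors documentation. It models only `resource.type`,
`resource.name.startsWith(...)`, and the fact that a parent-only permission
such as listing connections is checked against the parent (location)
resource rather than against an individual connection.
"""
from dataclasses import dataclass
from typing import Callable, Dict

CONNECTION_TYPE = "connectors.googleapis.com/Connection"  # assumed placeholder
LOCATION_TYPE = "connectors.googleapis.com/Location"      # assumed placeholder

PROJECT_ID = "my-project"      # constructed sample value
LOCATION = "us-central1"       # constructed sample value
LOCATION_NAME = f"projects/{PROJECT_ID}/locations/{LOCATION}"
CONNECTIONS_PREFIX = f"{LOCATION_NAME}/connections/"
MARKETING_PREFIX = CONNECTIONS_PREFIX + "marketing-"

# Operations the (hypothetical) role carries; `list` is parent-only.
ROLE_OPERATIONS = frozenset({"list", "get", "create", "update", "delete"})


@dataclass(frozen=True)
class Resource:
    """The `resource` object a CEL condition sees: its type and full URI."""
    type: str
    name: str


Condition = Callable[[Resource], bool]


def scoped_condition(r: Resource) -> bool:
    """resource.type != CONNECTION_TYPE || resource.name.startsWith(MARKETING_PREFIX)

    The first clause lets permissions evaluated on other resource types (the
    location parent, where the parent-only `list` permission is checked) through;
    the second restricts per-connection operations to the marketing- prefix."""
    return r.type != CONNECTION_TYPE or r.name.startswith(MARKETING_PREFIX)


def naive_condition(r: Resource) -> bool:
    """resource.name.startsWith(MARKETING_PREFIX), with no resource.type clause."""
    return r.name.startswith(MARKETING_PREFIX)


def cel_expression(prefix: str) -> str:
    """Render the scoped condition as the CEL string a binding would carry."""
    return (f'resource.type != "{CONNECTION_TYPE}" || '
            f'resource.name.startsWith("{prefix}")')


def is_allowed(operation: str, resource: Resource, condition: Condition) -> bool:
    """Grant only if the role carries the operation AND the condition holds for
    the resource the request is evaluated against."""
    return operation in ROLE_OPERATIONS and condition(resource)


def evaluate(condition: Condition) -> Dict[str, bool]:
    """Run the page's scenario against constructed sample connections."""
    connections = ["marketing-crm", "marketing-ads", "sales-erp"]  # constructed
    location = Resource(LOCATION_TYPE, LOCATION_NAME)
    results: Dict[str, bool] = {}
    # `list` is parent-only: the request resource is the location, not a connection,
    # so a condition that only checks the connections prefix denies it.
    results["list connections"] = is_allowed("list", location, condition)
    for name in connections:
        conn = Resource(CONNECTION_TYPE, CONNECTIONS_PREFIX + name)
        results[f"get {name}"] = is_allowed("get", conn, condition)
        results[f"delete {name}"] = is_allowed("delete", conn, condition)
    # An operation the role does not carry is denied regardless of the condition.
    results["subscribeEvents marketing-crm"] = is_allowed(
        "subscribeEvents", Resource(CONNECTION_TYPE, CONNECTIONS_PREFIX + "marketing-crm"), condition)
    return results


if __name__ == "__main__":
    for label, cond in (("scoped", scoped_condition), ("naive", naive_condition)):
        print(f"--- {label}: {cond.__doc__.splitlines()[0]}")
        for request, granted in evaluate(cond).items():
            print(f"{'ALLOW' if granted else 'DENY ':5} {request}")
```

Running the script shows that with the scoped condition the user can list every connection (including `sales-erp`, whose name is therefore visible) but can get or delete only the `marketing-` ones, whereas the naive condition also denies `list` because the location URI never starts with the connections prefix.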
Adding IAM Conditions for Application Integration service accounts
------------------------------------------------------------------

You can apply IAM Conditions to the Application Integration service account, which lets you restrict the connections the service account can access during integration execution. For example, you can restrict a service account so that it can access only connections whose name begins with `marketing-`. For more information, see [Apply IAM Conditions to a service account](/application-integration/docs/add-iam-conditions).

The following table lists the sample resource conditions that you can apply for an Application Integration service account.
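The following Python is an added example (not the project's own tooling) of adding such a conditional binding for an Application Integration service account to an IAM policy document, after linting the condition expression. It works on the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and `gcloud projects set-iam-policy` consumes. The role name, service account, project and location are constructed placeholders; the lint applies a conservative reading of the note that only the `startsWith` constraint is supported for service-account resource conditions, and also catches a bare prefix such as `"marketing-"`, which never matches because resource names are full URIs beginning with `projects/`.

```python
"""Add a conditional role binding for an Application Integration service
account to an IAM policy document, linting the condition expression first.

Added example, not code from the Integration Connectors or Application
Integration projects. Values such as the role and service account are
constructed placeholders.
"""
import copy
import json
import re
from typing import Dict, List

_STARTS_WITH = re.compile(r'resource\.name\.startsWith\("([^"]*)"\)')


def lint_expression(expression: str, project_id: str, location: str) -> List[str]:
    """Return human-readable problems; an empty list means the expression passes."""
    problems: List[str] = []
    prefixes = _STARTS_WITH.findall(expression)
    if not prefixes:
        problems.append("condition does not use resource.name.startsWith(...)")
    # Conservative reading of the page's note: a service-account condition may
    # only constrain resource.name with startsWith, so flag any other constraint.
    leftover = _STARTS_WITH.sub("", expression)
    if re.search(r"resource\.name\.", leftover):
        problems.append("only the startsWith constraint is supported for service-account conditions")
    expected_root = f"projects/{project_id}/locations/{location}/connections/"
    for prefix in prefixes:
        # Resource names are full URIs, so a bare prefix like "marketing-" can never
        # match and the binding would silently grant nothing.
        if not prefix.startswith(expected_root):
            problems.append(f'prefix "{prefix}" is not a full resource URI under {expected_root}')
    return problems


def add_conditional_binding(policy: Dict, role: str, service_account: str,
                            expression: str, title: str, description: str = "") -> Dict:
    """Return a copy of `policy` with a new conditional binding for the service account.

    A policy that contains conditions must use version 3, so the version is
    raised here before the binding is appended."""
    new_policy = copy.deepcopy(policy)
    new_policy["version"] = max(int(new_policy.get("version", 1)), 3)
    new_policy.setdefault("bindings", []).append({
        "role": role,
        "members": [f"serviceAccount:{service_account}"],
        "condition": {"title": title, "description": description, "expression": expression},
    })
    return new_policy


def marketing_only_expression(project_id: str, location: str) -> str:
    """The page's sample restriction: only connections prefixed marketing-."""
    return (f'resource.name.startsWith("projects/{project_id}/locations/{location}'
            f'/connections/marketing-")')


if __name__ == "__main__":
    # Constructed sample policy, shaped like `gcloud projects get-iam-policy` output.
    policy = {"version": 1, "etag": "BwExampleEtag", "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]}]}
    expr = marketing_only_expression("my-project", "us-central1")
    problems = lint_expression(expr, "my-project", "us-central1")
    if problems:
        raise SystemExit("\n".join(problems))
    updated = add_conditional_binding(
        policy,
        "roles/EXAMPLE_ROLE",  # placeholder: the role you actually grant
        "integration-runner@my-project.iam.gserviceaccount.com",  # constructed
        expr,
        "marketing-connections-only",
        "Integration runs may use only connections prefixed marketing-")
    print(json.dumps(updated, indent=2))
```

Pipe the printed document into `gcloud projects set-iam-policy PROJECT policy.json` only after reviewing it; the `etag` is carried over unchanged so a concurrent policy edit is rejected rather than overwritten.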
| **Note:** Currently, Integration Connectors supports only the `startsWith` constraint for a service account resource condition.

What's next
-----------

Go through the following information in the IAM documentation:

- [Adding a conditional role binding to a policy](/iam/docs/managing-conditional-role-bindings#add)
- [Modify an existing conditional role binding](/iam/docs/managing-conditional-role-bindings#modify)
- [Removing a conditional role binding](/iam/docs/managing-conditional-role-bindings#removing)