IAM Conditions for fine-grained access
This page describes how to restrict access to your connections by using IAM Conditions.
An IAM condition lets you have granular control over your Integration Connectors resources. By default, an Integration Connectors user or a role can perform all the supported operations on a connection. By using IAM Conditions, you can restrict a specific user or a role to only selected operations on a connection. For example, you can restrict a user so that the user can only modify the connections whose names begin with test-connection, and has no other permissions on the connections, such as subscribing to events or viewing the schema metadata.
Before you begin
Integration Connectors uses Google Cloud's Identity and Access Management (IAM) to manage roles and permissions for Integration Connectors resources. Therefore, before you specify or modify conditions in IAM for your Integration Connectors resources, familiarize yourself with the following IAM concepts:
Adding IAM Conditions
To add an IAM condition to an Integration Connectors resource, you need the following information:
- Named resource URI - Every resource in Integration Connectors has a unique resource URI. For example, the URI for the connection resource is projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/{connection_name}. For the complete list of all the available URIs, see Integration Connectors REST resources. To control access permissions for a resource at a granular level, you must name your resources according to a naming convention. Based on your requirements, you can decide the naming convention you want to use. For example, you can prefix the word marketing- to all the connections owned by the marketing team. In this example, the resource URI for the marketing team's connections begins with projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-.
- Parent-only permissions - Check whether a resource or any of its child resources require the parent-only permission. For more information, see Parent-only permissions.
- Resource type - You can further narrow the scope of the resources by filtering for a resource type in the condition. Integration Connectors supports conditions for the following resources:

Resource name | Resource type |
---|---|
Connection | connectors.googleapis.com/Connection |
ManagedZone | connectors.googleapis.com/ManagedZone |
EndpointAttachment | connectors.googleapis.com/EndpointAttachment |
EventSubscription | connectors.googleapis.com/EventSubscription |
ConnectionSchemaMetadata | connectors.googleapis.com/ConnectionSchemaMetadata |
Examples
The following table lists the sample resource conditions that you can apply for an Integration Connectors user or a role.
IAM resource condition | Description |
---|---|
(resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") && resource.type == "connectors.googleapis.com/Connection") || resource.type != "connectors.googleapis.com/Connection" |
A user or a role to whom you apply this condition can only do the following operations: |
(resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") && resource.type == "connectors.googleapis.com/Connection") || (resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") && resource.type == "connectors.googleapis.com/ConnectionSchemaMetadata") || (resource.type != "connectors.googleapis.com/Connection" && resource.type != "connectors.googleapis.com/ConnectionSchemaMetadata") |
A user or a role to whom you apply this condition can only do the following operations: |
Adding IAM Conditions for Application Integration service accounts
You can apply IAM Conditions to the Application Integration service account, which lets you restrict the connections the service account can access during integration execution. For example, you can restrict a service account so that it can access only connections whose names begin with marketing-.
For more information, see Apply IAM Conditions to a service account.
The following table lists the sample resource conditions that you can apply for an Application Integration service account.
IAM resource condition | Description |
---|---|
resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") |
The service account to which you apply this condition can run only those connections whose names start with marketing-. |
What's next
Go through the following information in the IAM documentation:
- Adding a conditional role binding to a policy
- Modify an existing conditional role binding
- Removing a conditional role binding