Custom constraint supported services

Custom organization policies allow administrators to define their own restrictions on Google Cloud services. For more information about custom constraints, see the Custom organization policy overview.

Each service defines the set of custom constraint fields that can be used to enforce organization policies on their service resources. See the list of supported service resources to learn which Google Cloud services support custom constraints. To learn how to create custom constraints, see Creating and managing custom constraints.

Supported service resources

Resources associated with the following services can be subjected to custom constraints. Not all resource attributes are available for these resources. See the service-specific documentation to find the resources and attributes that are available for use.

Google Cloud service	Resource type	Launch status
AlloyDB for PostgreSQL	`alloydb.googleapis.com/Instance`	Preview
Artifact Registry	`artifactregistry.googleapis.com/Repository`	GA
Google Cloud Armor	`compute.googleapis.com/NetworkEdgeSecurityService`	GA
Google Cloud Armor	`compute.googleapis.com/SecurityPolicy`	GA
Cloud Bigtable Admin API	`bigtableadmin.googleapis.com/AppProfile`	GA
	`bigtableadmin.googleapis.com/Backup`	GA
	`bigtableadmin.googleapis.com/Cluster`	GA
	`bigtableadmin.googleapis.com/Instance`	GA
	`bigtableadmin.googleapis.com/Table`	GA
BigQuery Data Transfer Service	`bigquerydatatransfer.googleapis.com/TransferConfig`	GA
Cloud Build	`cloudbuild.googleapis.com/BitbucketServerConfig`	GA
	`cloudbuild.googleapis.com/BuildTrigger`	GA
	`cloudbuild.googleapis.com/Connection`	GA
	`cloudbuild.googleapis.com/GithubEnterpriseConfig`	GA
	`cloudbuild.googleapis.com/Repository`	GA
	`cloudbuild.googleapis.com/WorkerPool`	GA
Google Cloud Contact Center as a Service	`contactcenteraiplatform.googleapis.com/ContactCenter`	Preview
Certificate Manager	`certificatemanager.googleapis.com/Certificate`	GA
	`certificatemanager.googleapis.com/CertificateIssuanceConfig`	GA
	`certificatemanager.googleapis.com/CertificateMap`	GA
	`certificatemanager.googleapis.com/CertificateMapEntry`	GA
	`certificatemanager.googleapis.com/DnsAuthorization`	GA
	`certificatemanager.googleapis.com/TrustConfig`	GA
Identity Platform	`identitytoolkit.googleapis.com/Config`	GA
	`identitytoolkit.googleapis.com/DefaultSupportedIdpConfig`	GA
	`identitytoolkit.googleapis.com/InboundSamlConfig`	GA
	`identitytoolkit.googleapis.com/OauthIdpConfig`	GA
	`identitytoolkit.googleapis.com/Tenant`	GA
Cloud Run functions	`cloudfunctions.googleapis.com/Function`	GA
Cloud Run	`run.googleapis.com/Job`	GA
Cloud Run	`run.googleapis.com/Service`	GA
Compute Engine	`compute.googleapis.com/Disk`	GA
	`compute.googleapis.com/Image`	GA
	`compute.googleapis.com/Instance`	GA
Cloud Data Fusion	`datafusion.googleapis.com/DnsPeering`	GA
Cloud Data Fusion	`datafusion.googleapis.com/Instance`	GA
Dataflow	`dataflow.googleapis.com/Job`	GA
Dataproc	`dataproc.googleapis.com/Cluster`	GA
Dataproc Serverless	`dataproc.googleapis.com/Batch`	GA
Developer Connect	`developerconnect.googleapis.com/Connection`	GA
Developer Connect	`developerconnect.googleapis.com/GitRepositoryLink`	GA
Cloud DNS	`dns.googleapis.com/ManagedZone`	GA
Cloud DNS	`dns.googleapis.com/Policy`	GA
Firestore	`firestore.googleapis.com/Database`	GA
Cloud Next Generation Firewall	`compute.googleapis.com/Firewall`	GA
Cloud Next Generation Firewall	`compute.googleapis.com/FirewallPolicy`	GA
GKE attached clusters	`gkemulticloud.googleapis.com/AttachedCluster`	GA
GKE on AWS	`gkemulticloud.googleapis.com/AwsCluster`	GA
GKE on AWS	`gkemulticloud.googleapis.com/AwsNodePool`	GA
GKE on Azure	`gkemulticloud.googleapis.com/AzureClient`	GA
	`gkemulticloud.googleapis.com/AzureCluster`	GA
	`gkemulticloud.googleapis.com/AzureNodePool`	GA
GKE	`container.googleapis.com/Cluster`	GA
GKE	`container.googleapis.com/NodePool`	GA
Hub	`gkehub.googleapis.com/Feature`	GA
	`gkehub.googleapis.com/Fleet`	GA
	`gkehub.googleapis.com/Membership`	GA
	`gkehub.googleapis.com/MembershipBinding`	GA
	`gkehub.googleapis.com/Namespace`	GA
	`gkehub.googleapis.com/RBACRoleBinding`	GA
	`gkehub.googleapis.com/Scope`	GA
Identity and Access Management	`iam.googleapis.com/AllowPolicy`	GA
	`iam.googleapis.com/ServiceAccount`	GA
	`iam.googleapis.com/ServiceAccountKey`	GA
Cloud Interconnect	`compute.googleapis.com/Interconnect`	GA
Cloud Interconnect	`compute.googleapis.com/InterconnectAttachment`	GA
Cloud Key Management Service	`cloudkms.googleapis.com/AutokeyConfig`	GA
	`cloudkms.googleapis.com/CryptoKey`	GA
	`cloudkms.googleapis.com/CryptoKeyVersion`	GA
	`cloudkms.googleapis.com/EkmConfig`	GA
	`cloudkms.googleapis.com/EkmConnection`	GA
	`cloudkms.googleapis.com/ImportJob`	GA
	`cloudkms.googleapis.com/KeyHandle`	GA
Cloud Load Balancing	`compute.googleapis.com/BackendBucket`	GA
	`compute.googleapis.com/BackendService`	GA
	`compute.googleapis.com/ForwardingRule`	GA
	`compute.googleapis.com/HealthCheck`	GA
	`compute.googleapis.com/InstanceGroup`	GA
	`compute.googleapis.com/NetworkEndpointGroup`	GA
	`compute.googleapis.com/SslPolicy`	GA
	`compute.googleapis.com/TargetGrpcProxy`	GA
	`compute.googleapis.com/TargetHttpProxy`	GA
	`compute.googleapis.com/TargetHttpsProxy`	GA
	`compute.googleapis.com/TargetInstance`	GA
	`compute.googleapis.com/TargetPool`	GA
	`compute.googleapis.com/TargetSslProxy`	GA
	`compute.googleapis.com/TargetTcpProxy`	GA
	`compute.googleapis.com/UrlMap`	GA
	`networkservices.googleapis.com/ServiceLbPolicy`	GA
Memorystore	`redis.googleapis.com/Instance`	GA
Memorystore for Redis Cluster	`redis.googleapis.com/Cluster`	GA
Private Service Connect	`compute.googleapis.com/NetworkAttachment`	GA
Private Service Connect	`compute.googleapis.com/ServiceAttachment`	GA
Pub/Sub	`pubsub.googleapis.com/Schema`	GA
	`pubsub.googleapis.com/Snapshot`	GA
	`pubsub.googleapis.com/Subscription`	GA
	`pubsub.googleapis.com/Topic`	GA
reCAPTCHA	`recaptchaenterprise.googleapis.com/FirewallPolicy`	GA
reCAPTCHA	`recaptchaenterprise.googleapis.com/Key`	GA
Cloud Router, Cloud NAT	`compute.googleapis.com/Router`	GA
Secret Manager	`secretmanager.googleapis.com/Secret`	GA
Serverless VPC Access	`vpcaccess.googleapis.com/Connector`	GA
Service Extensions	`networkservices.googleapis.com/LbRouteExtension`	GA
Service Extensions	`networkservices.googleapis.com/LbTrafficExtension`	GA
Cloud SQL	`sqladmin.googleapis.com/BackupRun`	GA
Cloud SQL	`sqladmin.googleapis.com/Instance`	GA
Secure Source Manager	`securesourcemanager.googleapis.com/Instance`	GA
Cloud Storage	`storage.googleapis.com/Bucket`	GA
Virtual Private Cloud	`compute.googleapis.com/Network`	GA
	`compute.googleapis.com/PacketMirroring`	GA
	`compute.googleapis.com/Route`	GA
	`compute.googleapis.com/Subnetwork`	GA
Cloud VPN	`compute.googleapis.com/ExternalVpnGateway`	GA
	`compute.googleapis.com/TargetVpnGateway`	GA
	`compute.googleapis.com/VpnGateway`	GA
	`compute.googleapis.com/VpnTunnel`	GA