Supported condition attributes
This page lists the values that can be used for resource attributes in a condition: the string values for the resource service and resource type, and the format of resource name strings. You can use resource attributes to narrow the scope of the grant provided by a role binding. When a role contains permissions that apply to different kinds of resources, a condition can grant only a subset of the role's permissions, selected by the resource service, resource type, and resource name of the resource being accessed.

Resource attributes are available only for the Google Cloud services and resource types listed on this page. Other services and resource types do not support resource attributes.

Two caveats apply to resource name strings. First, where a resource name format contains a literal underscore in the project position (for example, the projects/_/buckets/BUCKET_NAME form used for Cloud Storage buckets), you cannot replace the underscore with a project ID, project name, or project number. Second, resource names are compared literally; no aliases are resolved. For example, if the version in the condition is latest, only a request for the version latest satisfies the condition; a request for version 3 does not satisfy it, even if 3 is currently the latest version.
IAM Conditions let you define and enforce conditional, attribute-based access control for Google Cloud resources. With IAM Conditions, you can grant access to principals (members) only if configured conditions are met. For example, you can configure temporary access for users during a production incident, or limit access to resources to employees making requests from your corporate office. Conditions are specified in the role bindings of a resource's IAM policy. When a binding has a condition, the access it grants applies to a request only if the condition expression evaluates to true. Each condition expression is a set of logic statements, written in Common Expression Language (CEL), that check one or more attributes of the request or resource. An IAM policy comprises one or more role bindings, each of which has the following structure: a role, the list of principals granted that role, and an optional condition object. Each role binding can contain zero or one condition.
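The following is an added example, not code from the Google Cloud documentation. It shows what a role binding with a condition on the resource attributes described above looks like, and it includes a small evaluator so the matching rules (literal string comparison, the underscore kept as-is in bucket names, no resolution of a "latest" version alias) can be tried offline. IAM evaluates conditions with a CEL engine; the evaluator here implements only the two CEL operators the example expression uses. The group, role, bucket-name prefix, project ID and secret name are assumptions.

```python
"""Added example, not code from the Google Cloud documentation: a role
binding with a condition on resource attributes, plus a small evaluator
that shows how those attributes are matched.  IAM evaluates conditions
with a CEL engine; this file implements only the two CEL operators the
expression below uses (== and startsWith, combined with &&), so the
matching semantics can be tried offline."""
import re

# Hypothetical binding.  The group, the bucket-name prefix and the role are
# assumptions for this example.  Bucket resource names take the form
# projects/_/buckets/BUCKET_NAME; the underscore is literal and is never
# replaced by a project ID or number.
BINDING = {
    "role": "roles/storage.objectViewer",
    "members": ["group:log-readers@example.com"],
    "condition": {
        "title": "prod-logs-buckets-only",
        "description": "Grant applies only to buckets named prod-logs-*",
        "expression": (
            'resource.service == "storage.googleapis.com" && '
            'resource.type == "storage.googleapis.com/Bucket" && '
            'resource.name.startsWith("projects/_/buckets/prod-logs-")'
        ),
    },
}

# One clause of the supported subset: resource.<attr> == "literal"
# or resource.<attr>.startsWith("literal").
_CLAUSE = re.compile(
    r'resource\.(?P<attr>service|type|name)'
    r'(?:\s*==\s*"(?P<eq>[^"]*)"|\.startsWith\("(?P<prefix>[^"]*)"\))'
)


def evaluate(expression, resource):
    """Evaluate an &&-conjunction of resource-attribute clauses against a
    dict with keys service, type and name.  Strings are compared exactly,
    which is also how IAM compares them: an alias such as a "latest"
    version is not resolved to the version it currently points at."""
    for clause in expression.split("&&"):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        value = resource.get(m.group("attr"), "")
        if m.group("eq") is not None:
            if value != m.group("eq"):
                return False
        elif not value.startswith(m.group("prefix")):
            return False
    return True


def granted(binding, resource):
    """A binding without a condition always applies; with a condition it
    applies only to requests for which the expression is true."""
    condition = binding.get("condition")
    return condition is None or evaluate(condition["expression"], resource)


# Constructed sample requests (resource descriptors as IAM would see them).
SAMPLE_RESOURCES = {
    "prod bucket": {
        "service": "storage.googleapis.com",
        "type": "storage.googleapis.com/Bucket",
        "name": "projects/_/buckets/prod-logs-eu",
    },
    "dev bucket": {
        "service": "storage.googleapis.com",
        "type": "storage.googleapis.com/Bucket",
        "name": "projects/_/buckets/dev-logs-eu",
    },
    "object in prod bucket": {  # request is for an Object, a different type
        "service": "storage.googleapis.com",
        "type": "storage.googleapis.com/Object",
        "name": "projects/_/buckets/prod-logs-eu/objects/app.log",
    },
}

# Literal-matching caveat, using an assumed Secret Manager resource name.
LATEST_ONLY = 'resource.name == "projects/demo-proj/secrets/db-pw/versions/latest"'


def matching_resources(binding, resources=SAMPLE_RESOURCES):
    """Labels of the sample resources the conditional grant applies to."""
    return [label for label, res in resources.items() if granted(binding, res)]


if __name__ == "__main__":
    print("grant applies to:", matching_resources(BINDING))
    for version in ("latest", "3"):
        res = {"name": f"projects/demo-proj/secrets/db-pw/versions/{version}"}
        print(f"version {version}:", evaluate(LATEST_ONLY, res))
```

Two things the run makes concrete: the grant applies to the prod bucket only, and not to an object inside it, because the request's resource type is Object rather than Bucket; and a condition naming version latest is satisfied only by a request for the literal name ending in latest, never by version 3.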
Do not use your AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information, and you cannot reduce the permissions associated with it. Therefore, protect your root user access key like you would your credit card numbers or any other sensitive secret. Here are some ways to do that:

- If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to. Instead, sign in to the AWS Management Console with your account email address and password and create an IAM user for yourself that has administrative permissions.
- If you do have an access key for your AWS account root user, delete it.
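The following is an added example, not code from the AWS documentation. It implements the check behind the guidance above: read the account's IAM credential report and flag any active root user access key (and, since the same row carries it, a root user without MFA). The column names are those of the report returned by aws iam get-credential-report; the report content, the account ID and the user names are constructed for this example.

```python
"""Added example, not code from the AWS documentation: a check that the
account's root user has no active access key (and has MFA), read from
the IAM credential report.  The column names are those of the report
returned by `aws iam get-credential-report`; the report content below is
constructed for this example and the account ID is made up."""
import base64
import csv
import io

ROOT_USER = "<root_account>"   # how the credential report labels the root row

# Constructed sample report.  The real CLI output carries the CSV
# base64-encoded in its "Content" field; it is embedded that way here.
_SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,2019-01-02T03:04:05+00:00,"
    "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,"
    "true,2019-01-02T03:04:05+00:00,2024-04-30T08:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "admin,arn:aws:iam::123456789012:user/admin,2020-06-01T00:00:00+00:00,"
    "true,2024-05-01T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,"
    "true,2024-01-01T00:00:00+00:00,2024-05-01T09:30:00+00:00,us-east-1,iam,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)
SAMPLE_REPORT_CONTENT = base64.b64encode(_SAMPLE_CSV.encode()).decode()


def root_findings(report_content_b64):
    """Decode a credential report and return findings about the root user:
    one string per active root access key, plus one if MFA is off.
    An empty list means the root user is in the state the guidance
    describes: no access key, MFA enabled."""
    report = base64.b64decode(report_content_b64).decode()
    rows = list(csv.DictReader(io.StringIO(report)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        raise ValueError("credential report contains no root row")
    findings = []
    for n in ("1", "2"):
        if root[f"access_key_{n}_active"] == "true":
            findings.append(
                f"root access key {n} is active; last used "
                f"{root[f'access_key_{n}_last_used_date']} "
                f"via {root[f'access_key_{n}_last_used_service']}"
            )
    if root["mfa_active"] != "true":
        findings.append("root user has no MFA device enabled")
    return findings


if __name__ == "__main__":
    for finding in root_findings(SAMPLE_REPORT_CONTENT) or ["root user: no findings"]:
        print(finding)
```

To run it against a real account, call aws iam generate-credential-report, wait for it to complete, and pass the Content field of aws iam get-credential-report to root_findings. The remediation for any active root key is the one the page gives: delete it, either from the root user's security credentials page in the console or with aws iam delete-access-key run with root credentials; the report does not include key IDs, so list them first.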