Identity and Access Management (IAM) Conditions lets you to define and enforce conditional, attribute-based access control for Google Cloud resources, including Application Integration resources. For more information about IAM Conditions, see Overview of IAM Conditions.
In Application Integration, you can enforce conditional access based on the following attributes:
Date/time attributes:
Use to set temporary (expiring), scheduled, or limited-duration
access to Application Integration resources. For example, you can
allow a user to access an integration until a specified date. For more information, see Configuring temporary access.
Resource attributes:
Use to configure conditional access based on a resource name, resource type,
or resource service attributes.
For example, you can allow a user to manage integrations that are created in a specific region. For a list of supported values. For more information, see Configuring resource-based access.
Add IAM condition
To add an IAM condition to a existing principal (user, group, or service account), perform the following steps:
From the list of principals, find the principal for which you want to add the IAM condition, and click
edit (Edit principal).
The Edit access pane appears.
Find the role to which you want to add the IAM condition and click + Add IAM Condition.
In the Add condition pane, provide the following information:
Title: Enter a name for the condition that you're adding to the role.
Description: (Optional) Enter a description for the condition.
You can add a condition using either the Condition builder or the Condition editor.
The Condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The Condition editor provides a text-based interface to manually enter a condition expression using CEL syntax.
For detailed instructions about how to use the Condition builder or the Condition editor, see Configure resource-based access.
Click Save to apply the condition.
For information about the supported resource attributes for Application Integration, see Resource attribute values
Click Save again from the Edit access pane to update the principal.
Resource attribute values
The following table lists the values that the resource type attribute can contain for Application Integration:
Examples of using IAM Condtions for Application Integration
Example 1: Limit access to any IntegrationVersion resource in a region
You can use the following condition expression in the Condition editor to limit access to the IntegrationVersion resource. Limiting access includes restricting create, delete, download, get, list, patch, publish, unpublish, and upload operations to the integration versions in the region.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eIdentity and Access Management (IAM) Conditions enable conditional, attribute-based access control for Application Integration resources within Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eIAM Conditions in Application Integration support date/time attributes for temporary access and resource attributes to define access based on resource names, types, or services.\u003c/p\u003e\n"],["\u003cp\u003eTo add an IAM condition, navigate to the IAM page in the Google Cloud console, select the desired principal, and use the Condition builder or editor to define the access criteria.\u003c/p\u003e\n"],["\u003cp\u003eResource attribute values available for Application Integration include Location, Integration, IntegrationVersion, Execution, Suspension, and AuthConfig.\u003c/p\u003e\n"],["\u003cp\u003eIAM conditions can be used to restrict or grant access to integration resources, such as limiting access to IntegrationVersions within a specific region.\u003c/p\u003e\n"]]],[],null,["# Add IAM conditions\n\nSee the [supported connectors](/integration-connectors/docs/connector-reference-overview) for Application Integration.\n\nAdd IAM conditions\n==================\n\n\nIdentity and Access Management (IAM) Conditions lets you to define and enforce conditional, attribute-based access control for Google Cloud resources, including Application Integration resources. For more information about IAM Conditions, see [Overview of IAM Conditions](/iam/docs/conditions-overview).\n\nIn Application Integration, you can enforce conditional access based on the following attributes:\n\n- **Date/time attributes:** Use to set temporary (expiring), scheduled, or limited-duration access to Application Integration resources. For example, you can allow a user to access an integration until a specified date. For more information, see [Configuring temporary access](/iam/docs/configuring-temporary-access).\n- **Resource attributes** : Use to configure conditional access based on a resource name, resource type, or resource service attributes. For example, you can allow a user to manage integrations that are created in a specific region. For a list of supported values. For more information, see [Configuring resource-based access](/iam/docs/configuring-resource-based-access).\n\nAdd IAM condition\n-----------------\n\nTo add an IAM condition to a existing principal (user, group, or service account), perform the following steps:\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n \u003cbr /\u003e\n\n [Go\n to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId)\n2. Select your project, folder, or organization.\n3. From the list of principals, find the principal for which you want to add the IAM condition, and click edit (**Edit principal** ).\n\n The **Edit access** pane appears.\n4. Find the role to which you want to add the IAM condition and click **+ Add IAM Condition**.\n5. In the **Add condition** pane, provide the following information:\n 1. **Title:** Enter a name for the condition that you're adding to the role.\n 2. **Description:** (Optional) Enter a description for the condition.\n 3. You can add a condition using either the **Condition builder** or the **Condition editor** .\n\n The **Condition builder** provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The **Condition editor** provides a text-based interface to manually enter a condition expression using [CEL](/iam/docs/conditions-overview#cel) syntax.\n\n For detailed instructions about how to use the **Condition builder** or the **Condition editor** , see [Configure resource-based access](/iam/docs/configuring-resource-based-access).\n 4. Click **Save** to apply the condition.\n 5. For information about the supported resource attributes for Application Integration, see [Resource attribute values](#values)\n6. Click **Save** again from the **Edit access** pane to update the principal.\n\n \u003cbr /\u003e\n\nResource attribute values\n-------------------------\n\nThe following table lists the values that the resource type attribute can contain for Application Integration:\n\nExamples of using IAM Condtions for Application Integration\n-----------------------------------------------------------\n\n#### Example 1: Limit access to any IntegrationVersion resource in a region\n\nYou can use the following condition expression in the **Condition editor** to limit access to the [IntegrationVersion](/application-integration/docs/reference/rest/v1/projects.locations.integrations.versions) resource. Limiting access includes restricting `create`, `delete`, `download`, `get`, `list`, `patch`, `publish`, `unpublish`, and `upload` operations to the integration versions in the region. \n\n```html\n(resource.name.startsWith(\"projects/PROJECT_ID/locations/LOCATION/integrations/INTEGRATION_NAME\")) ||\nresource.type == \"integrations.googleapis.com/Location\" ||resource.type == \"cloudresourcemanager.googleapis.com/Project\"\n```\n\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of your Google Cloud project.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: The integration location. See [Application Integration locations](/application-integration/docs/locations).\n- \u003cvar translate=\"no\"\u003eINTEGRATION_NAME\u003c/var\u003e: Name of the integration.\n\n#### Example 2: Allow access to any IntegrationVersion resource in a region\n\nYou can use the following condition expression in the **Condition editor** to allow access to the [IntegrationVersion](/application-integration/docs/reference/rest/v1/projects.locations.integrations.versions) resource: \n\n```html\nresource.name.startsWith(\"projects/PROJECT_ID/locations/LOCATION/\") ||\nresource.type == \"integrations.googleapis.com/Location\" ||\nresource.type == \"cloudresourcemanager.googleapis.com/Project\"\n```\n\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of your Google Cloud project.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: The integration location. For supported locations, see [Application Integration locations](/application-integration/docs/locations)."]]
