Permissions that principal access boundary policies block

When principals try to access a resource that they aren't eligible to access, principal access boundary policies prevent them from using some, but not all, Identity and Access Management (IAM) permissions to access the resource.

If a principal access boundary policy blocks a permission, then IAM enforces principal access boundary policies for that permission. In other words, it prevents any principals that aren't eligible to access a resource from using that permission to access the resource.

If a principal access boundary policy doesn't block a permission, then principal access boundary policies have no effect on whether principals can use the permission.

Periodically, IAM adds new principal access boundary enforcement versions that can block additional permissions. Each new version can also block all of the permissions in the previous version.

This page lists the permissions that each enforcement version can block.

To learn more about principal access boundary policy version numbers, see the principal access boundary policy overview.

Enforcement version 1

The following table lists the permissions that principal access boundary policies with enforcement version 1 can block.

Each row contains the following information:

  • The name of a service with permissions that principal access boundary policies can block.
  • The permissions for that service that principal access boundary policies can block.

    In some cases, a section of a permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match that pattern.

  • The permissions for the service that principal access boundary policies can't block, even if those permissions match one of the supported permission patterns.

Service: Access Approval
Permissions:
  • accessapproval.googleapis.com/serviceaccounts.get
  • accessapproval.googleapis.com/settings.*
  • accessapproval.googleapis.com/requests.list
Exceptions: None

Service: Access Context Manager
Permissions:
  • accesscontextmanager.googleapis.com/*
Exceptions:
  • accesscontextmanager.googleapis.com/gcpUserAccessBindings.*

Service: Vertex AI
Permissions:
  • aiplatform.googleapis.com/*
Exceptions:
  • aiplatform.googleapis.com/operations.*

Service: BigQuery
Permissions:
  • bigquery.googleapis.com/datasets.create
  • bigquery.googleapis.com/datasets.delete
  • bigquery.googleapis.com/datasets.get
  • bigquery.googleapis.com/datasets.update
  • bigquery.googleapis.com/datasets.setIamPolicy
  • bigquery.googleapis.com/jobs.get
  • bigquery.googleapis.com/jobs.create
  • bigquery.googleapis.com/jobs.delete
  • bigquery.googleapis.com/jobs.list
  • bigquery.googleapis.com/models.create
  • bigquery.googleapis.com/models.delete
  • bigquery.googleapis.com/models.list
  • bigquery.googleapis.com/models.updateMetadata
  • bigquery.googleapis.com/routines.create
  • bigquery.googleapis.com/routines.delete
  • bigquery.googleapis.com/routines.list
  • bigquery.googleapis.com/routines.update
Exceptions: None

Service: Binary Authorization
Permissions:
  • binaryauthorization.googleapis.com/*
Exceptions: None

Service: Dataflow
Permissions:
  • dataflow.googleapis.com/jobs.*
  • dataflow.googleapis.com/metrics.get
  • dataflow.googleapis.com/workItems.*
  • dataflow.googleapis.com/messages.list
  • dataflow.googleapis.com/snapshots.list
Exceptions:
  • dataflow.googleapis.com/jobs.snapshot

Service: Datastore
Permissions:
  • datastore.googleapis.com/databases.get
  • datastore.googleapis.com/databases.getMetadata
  • datastore.googleapis.com/databases.create
  • datastore.googleapis.com/databases.delete
  • datastore.googleapis.com/databases.list
Exceptions: None

Service: Firebase Security Rules
Permissions:
  • firebaserules.googleapis.com/*
Exceptions: None

Service: GKE Hub
Permissions:
  • gkehub.googleapis.com/features.*
  • gkehub.googleapis.com/fleet.create
  • gkehub.googleapis.com/fleet.get
  • gkehub.googleapis.com/fleet.patch
  • gkehub.googleapis.com/locations.*
  • gkehub.googleapis.com/membershipbindings.*
  • gkehub.googleapis.com/memberships.*
  • gkehub.googleapis.com/rbacrolebindings.*
  • gkehub.googleapis.com/scopes.*
Exceptions:
  • Permissions ending in createTagBinding
  • Permissions ending in deleteTagBinding
  • Permissions ending in listEffectiveTags
  • Permissions ending in listTagBindings

Service: Cloud Logging
Permissions:
  • logging.googleapis.com/logEntries.create
  • logging.googleapis.com/logMetrics.*
Exceptions: None

Service: Pub/Sub
Permissions:
  • pubsub.googleapis.com/*
Exceptions:
  • pubsub.googleapis.com/schemas.delete
  • pubsub.googleapis.com/schemas.validate
  • pubsub.googleapis.com/subscriptions.consume
  • Permissions ending in getIamPolicy
  • Permissions ending in setIamPolicy

Service: Memorystore for Redis
Permissions:
  • redis.googleapis.com/instances.create
  • redis.googleapis.com/instances.delete
  • redis.googleapis.com/instances.get
  • redis.googleapis.com/instances.failover
  • redis.googleapis.com/instances.getAuthString
  • redis.googleapis.com/instances.list
  • redis.googleapis.com/instances.upgrade
  • redis.googleapis.com/instances.update
Exceptions: None

Service: Cloud Run
Permissions:
  • run.googleapis.com/authorizeddomains.*
  • run.googleapis.com/configurations.get
  • run.googleapis.com/configurations.list
  • run.googleapis.com/domainmappings.*
  • run.googleapis.com/executions.*
  • run.googleapis.com/jobs.create
  • run.googleapis.com/jobs.delete
  • run.googleapis.com/jobs.get
  • run.googleapis.com/jobs.list
  • run.googleapis.com/jobs.run
  • run.googleapis.com/revisions.*
  • run.googleapis.com/routes.get
  • run.googleapis.com/routes.list
  • run.googleapis.com/services.create
  • run.googleapis.com/services.delete
  • run.googleapis.com/services.get
  • run.googleapis.com/services.list
  • run.googleapis.com/services.update
  • run.googleapis.com/tasks.*
Exceptions: None

Service: Cloud Storage
Permissions:
  • storage.googleapis.com/buckets.get
  • storage.googleapis.com/buckets.update
  • storage.googleapis.com/buckets.list
  • storage.googleapis.com/buckets.getIamPolicy
  • storage.googleapis.com/buckets.setIamPolicy
  • storage.googleapis.com/hmacKeys.update
  • storage.googleapis.com/objects.get
  • storage.googleapis.com/objects.setRetention
  • storage.googleapis.com/objects.delete
Exceptions: None
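
The following Python is an added example, not part of the original page or of any Google tooling. It applies the wildcard and exception rules described above to three rows transcribed from the enforcement version 1 table, so you can see which permissions in a role fall outside what principal access boundary policies can block. The function names, the `suffix:` encoding, and the reading of entries that match an earlier pattern in a row as that row's exceptions are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Three rows transcribed from the enforcement version 1 table on this page:
# service -> (blockable patterns, exceptions). "suffix:X" is this example's
# own encoding of the table's "Permissions ending in X" entries.
V1_ROWS = {
    "pubsub.googleapis.com": (
        ["pubsub.googleapis.com/*"],
        ["pubsub.googleapis.com/schemas.delete",
         "pubsub.googleapis.com/schemas.validate",
         "pubsub.googleapis.com/subscriptions.consume",
         "suffix:getIamPolicy", "suffix:setIamPolicy"],
    ),
    "dataflow.googleapis.com": (
        ["dataflow.googleapis.com/jobs.*",
         "dataflow.googleapis.com/metrics.get",
         "dataflow.googleapis.com/workItems.*",
         "dataflow.googleapis.com/messages.list",
         "dataflow.googleapis.com/snapshots.list"],
        ["dataflow.googleapis.com/jobs.snapshot"],
    ),
    "storage.googleapis.com": (
        ["storage.googleapis.com/" + p for p in (
            "buckets.get", "buckets.update", "buckets.list",
            "buckets.getIamPolicy", "buckets.setIamPolicy", "hmacKeys.update",
            "objects.get", "objects.setRetention", "objects.delete")],
        [],
    ),
}

def _matches(permission, entry):
    """Match one table entry: a suffix rule or a '*' wildcard pattern."""
    if entry.startswith("suffix:"):
        return permission.endswith(entry[len("suffix:"):])
    return fnmatchcase(permission, entry)

def can_block(permission):
    """True/False per the table; None if the service row is not loaded here."""
    row = V1_ROWS.get(permission.split("/", 1)[0])
    if row is None:
        return None
    patterns, exceptions = row
    if any(_matches(permission, e) for e in exceptions):
        return False  # exceptions win even when a pattern also matches
    return any(_matches(permission, p) for p in patterns)

def not_blockable(permissions):
    """Permissions from loaded rows that enforcement version 1 cannot block."""
    return [p for p in permissions if can_block(p) is False]
```

Permissions that `not_blockable` returns are unaffected by principal access boundary policies, so access to them has to be constrained by other controls.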