When principals try to access a resource that they aren't eligible to access,
principal access boundary policies prevent them from using some, but not all,
Identity and Access Management (IAM) permissions to access the resource.
If a principal access boundary policy blocks a permission, then IAM
enforces principal access boundary policies for that permission. In other words, it
prevents any principals that aren't eligible to access a resource from using
that permission to access the resource.
If a principal access boundary policy doesn't block a permission, then
principal access boundary policies have no effect on whether principals can use the
permission.
Periodically, IAM adds new principal access boundary enforcement
versions that can block additional permissions. Each new version can also block
all of the permissions in the previous version.
This page lists the permissions that each enforcement version can block.
To learn more about principal access boundary policy version numbers, see the
principal access boundary policy overview.
Enforcement version 2
Policies with enforcement version 2 can block all of the permissions listed in
Enforcement version 1. Additionally, policies with the enforcement
version 2 can also block all of the permissions listed in the following table.
Each row contains the following information:
- The name of a service with permissions that principal access boundary policies can
block.
The permissions for that service that principal access boundary policies can block.
In some cases, a section of a permission name is replaced with a wildcard
character (*). This format indicates that principal access boundary policies can
block all permissions that match that pattern.
| Service |
Permissions |
Exceptions |
| Access Context Manager |
accesscontextmanager.googleapis.com/*
|
None |
| Artifact Analysis |
containeranalysis.googleapis.com/*
|
None |
| BigQuery |
bigquery.googleapis.com/datasets.*bigquery.googleapis.com/jobs.*bigquery.googleapis.com/models.*bigquery.googleapis.com/routines.*bigquery.googleapis.com/rowAccessPolicies.*bigquery.googleapis.com/tables.*
|
None |
| BigQuery Data Policy |
bigquerydatapolicy.googleapis.com/*
|
None |
| BigQuery Data Transfer Service |
bigquerydatatransfer.googleapis.com/transfers.*
|
None |
| Chrome Enterprise Premium |
beyondcorp.googleapis.com/*
|
None |
| Cloud Asset Inventory |
cloudasset.googleapis.com/*
|
None |
| Cloud Billing |
billing.googleapis.com/budgets.*
|
None |
| Cloud Build |
cloudbuild.googleapis.com/*
|
None |
| Cloud Monitoring |
monitoring.googleapis.com/*
|
monitoring.googleapis.com/timeSeries.listmonitoring.googleapis.com/metricsScopes.link
|
| Cloud Service Mesh |
meshconfig.googleapis.com/*
|
None |
| Cloud Storage |
storage.googleapis.com/bucketOperations.*storage.googleapis.com/buckets.*storage.googleapis.com/folders.*storage.googleapis.com/hmacKeys.*storage.googleapis.com/managedFolders.*storage.googleapis.com/multipartUploads.*storage.googleapis.com/objects.*
|
None |
| Cloud Trace |
cloudtrace.googleapis.com/*
|
None |
| Compute Engine |
compute.googleapis.com/networkAttachments.*compute.googleapis.com/networkEdgeSecurityServices.*compute.googleapis.com/regionSecurityPolicies.*compute.googleapis.com/routers.*compute.googleapis.com/serviceAttachments.*compute.googleapis.com/securityPolicies.*
|
None |
| Firebase Rules |
firebaserules.googleapis.com/*
|
None |
| GKE Multi-Cloud |
gkemulticloud.googleapis.com/*
|
None |
| Identity-Aware Proxy |
|
None |
| Memorystore for Redis |
|
None |
| Network Management API |
networkmanagement.googleapis.com/*
|
None |
| Network Services API |
networkservices.googleapis.com/edgeCacheOrigins.*networkservices.googleapis.com/edgeCacheKeysets.*networkservices.googleapis.com/edgeCacheServices.*
|
None |
| reCAPTCHA |
recaptchaenterprise.googleapis.com/*
|
None |
| Resource Manager |
cloudresourcemanager.googleapis.com/*
|
cloudresourcemanager.googleapis.com/*.createPolicyBindingcloudresourcemanager.googleapis.com/*.updatePolicyBindingcloudresourcemanager.googleapis.com/*.deletePolicyBindingcloudresourcemanager.googleapis.com/*.searchPolicyBindings
|
| Video Stitcher API |
videostitcher.googleapis.com/*
|
None |
Enforcement version 1
The following table lists the permissions that principal access boundary policies
with enforcement version 1 can block.
Each row contains the following information:
- The name of a service with permissions that principal access boundary policies can
block.
The permissions for that service that principal access boundary policies can block.
In some cases, a section of a permission name is replaced with a wildcard
character (*). This format indicates that principal access boundary policies can
block all permissions that match that pattern.
The permissions for the service that principal access boundary can't block, even if
those permissions match one of the supported permission patterns.
| Service |
Permissions |
Exceptions |
| Access Approval |
accessapproval.googleapis.com/serviceaccounts.getaccessapproval.googleapis.com/settings.*accessapproval.googleapis.com/requests.list
|
None
|
| Access Context Manager |
accesscontextmanager.googleapis.com/*
|
accesscontextmanager.googleapis.com/gcpUserAccessBindings.*
|
| BigQuery |
bigquery.googleapis.com/datasets.createbigquery.googleapis.com/datasets.deletebigquery.googleapis.com/datasets.getbigquery.googleapis.com/datasets.updatebigquery.googleapis.com/datasets.setIamPolicybigquery.googleapis.com/jobs.getbigquery.googleapis.com/jobs.createbigquery.googleapis.com/jobs.deletebigquery.googleapis.com/jobs.listbigquery.googleapis.com/models.createbigquery.googleapis.com/models.deletebigquery.googleapis.com/models.listbigquery.googleapis.com/models.updateMetadatabigquery.googleapis.com/routines.createbigquery.googleapis.com/routines.deletebigquery.googleapis.com/routines.listbigquery.googleapis.com/routines.update
|
None |
| Binary Authorization |
binaryauthorization.googleapis.com/*
|
None |
| Cloud Logging |
logging.googleapis.com/logEntries.createlogging.googleapis.com/logMetrics.*
|
None |
| Cloud Run |
run.googleapis.com/authorizeddomains.*run.googleapis.com/configurations.getrun.googleapis.com/configurations.listrun.googleapis.com/domainmappings.*run.googleapis.com/executions.*run.googleapis.com/jobs.createrun.googleapis.com/jobs.deleterun.googleapis.com/jobs.getrun.googleapis.com/jobs.listrun.googleapis.com/jobs.runrun.googleapis.com/revisions.*run.googleapis.com/routes.getrun.googleapis.com/routes.listrun.googleapis.com/services.createrun.googleapis.com/services.deleterun.googleapis.com/services.getrun.googleapis.com/services.listrun.googleapis.com/services.updaterun.googleapis.com/tasks.*
|
None |
| Cloud Storage |
storage.googleapis.com/buckets.getstorage.googleapis.com/buckets.updatestorage.googleapis.com/buckets.liststorage.googleapis.com/buckets.getIamPolicystorage.googleapis.com/buckets.setIamPolicystorage.googleapis.com/hmacKeys.updatestorage.googleapis.com/objects.getstorage.googleapis.com/objects.setRetentionstorage.googleapis.com/objects.delete
|
None |
| Dataflow |
dataflow.googleapis.com/jobs.*dataflow.googleapis.com/metrics.getdataflow.googleapis.com/workItems.*dataflow.googleapis.com/messages.listdataflow.googleapis.com/snapshots.list
|
dataflow.googleapis.com/jobs.snapshot
|
| Datastore |
datastore.googleapis.com/databases.getdatastore.googleapis.com/databases.getMetadatadatastore.googleapis.com/databases.createdatastore.googleapis.com/databases.deletedatastore.googleapis.com/databases.list
|
None |
| Firebase Security Rules |
firebaserules.googleapis.com/*
|
None |
| GKE Hub |
gkehub.googleapis.com/features.*gkehub.googleapis.com/fleet.creategkehub.googleapis.com/fleet.getgkehub.googleapis.com/fleet.patchgkehub.googleapis.com/locations.*gkehub.googleapis.com/membershipbindings.*gkehub.googleapis.com/memberships.*gkehub.googleapis.com/rbacrolebindings.*gkehub.googleapis.com/scopes.*
|
gkehub.googleapis.com/*.createTagBindinggkehub.googleapis.com/*.deleteTagBindinggkehub.googleapis.com/*.listEffectiveTagsgkehub.googleapis.com/*.listTagBindings
|
| Pub/Sub |
|
pubsub.googleapis.com/schemas.deletepubsub.googleapis.com/schemas.validatepubsub.googleapis.com/subscriptions.consumepubsub.googleapis.com/*.getIamPolicypubsub.googleapis.com/*.setIamPolicy
|
| Memorystore for Redis |
redis.googleapis.com/instances.createredis.googleapis.com/instances.deleteredis.googleapis.com/instances.getredis.googleapis.com/instances.failoverredis.googleapis.com/instances.getAuthStringredis.googleapis.com/instances.listredis.googleapis.com/instances.upgraderedis.googleapis.com/instances.update
|
None |
| Vertex AI |
aiplatform.googleapis.com/*
|
aiplatform.googleapis.com/operations.*
|
