Permissions that principal access boundary policies block

When principals try to access a resource that they aren't eligible to access, principal access boundary policies prevent them from using some, but not all, Identity and Access Management (IAM) permissions to access the resource.

If a principal access boundary policy blocks a permission, then IAM enforces principal access boundary policies for that permission. In other words, it prevents any principals that aren't eligible to access a resource from using that permission to access the resource.

If a principal access boundary policy doesn't block a permission, then principal access boundary policies have no effect on whether principals can use the permission.

Periodically, IAM adds new principal access boundary enforcement versions that can block additional permissions. Each new version can also block all of the permissions in the previous version.

This page lists the permissions that each enforcement version can block.

To learn more about principal access boundary policy version numbers, see the principal access boundary policy overview.

Enforcement version 3

Policies with enforcement version 3 can block all of the permissions listed in the following enforcement versions:

Additionally, policies with the enforcement version 3 can also block all of the permissions listed in the following table.

Each row contains the following information:

  • The name of a service with permissions that principal access boundary policies can block.

  • The permissions for that service that principal access boundary policies can block.

    In some cases, a section of a permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match that pattern.

Service Permissions Exceptions
Essential Contacts
  • essentialcontacts.googleapis.com/contacts.*
    		•  None
    Identity and Access Management
  • iam.googleapis.com/serviceAccounts.*
  • iam.googleapis.com/serviceAccountKeys.*
  • iam.googleapis.com/roles.*
  • iam.googleapis.com/denypolicies.*
    		•
  • iam.googleapis.com/serviceAccounts.createTagBinding
  • iam.googleapis.com/serviceAccounts.deleteTagBinding
  • iam.googleapis.com/serviceAccounts.listTagBindings
  • iam.googleapis.com/serviceAccounts.listEffectiveTags
  • iam.googleapis.com/serviceAccounts.getCertificateAs
    		•
    Dataproc
  • dataproc.googleapis.com/autoscalingPolicies.*
  • dataproc.googleapis.com/batches.*
  • dataproc.googleapis.com/operations.*
  • dataproc.googleapis.com/sessionTemplates.*
  • dataproc.googleapis.com/sessions.*
  • dataproc.googleapis.com/workflowTemplates.*
  • dataproc.googleapis.com/autoscalingPolicies.*
  • dataproc.googleapis.com/clusters.*
  • dataproc.googleapis.com/jobs.*
    		•  None
    Service Management
  • servicemanagement.googleapis.com/services.check
  • servicemanagement.googleapis.com/services.report
    		•  None
    Bigtable
  • bigtable.googleapis.com/*.*
    		•  None
    Cloud Bigtable Admin API
  • bigtableadmin.googleapis.com/*.*
    		•  None
    Cloud SQL
  • cloudsql.googleapis.com/*.*
    		•  None
    Network Services
  • networkservices.googleapis.com/endpointPolicies.*
  • networkservices.googleapis.com/gateways.*
  • networkservices.googleapis.com/grpcRoutes.*
  • networkservices.googleapis.com/httpfilters.*
  • networkservices.googleapis.com/httpRoutes.*
  • networkservices.googleapis.com/meshes.*
  • networkservices.googleapis.com/route_views.*
  • networkservices.googleapis.com/serviceBindings.*
  • networkservices.googleapis.com/tcpRoutes.*
  • networkservices.googleapis.com/tlsRoutes.*
  • networkservices.googleapis.com/serviceLbPolicies.*
    		•  None
    Cloud Service Mesh
  • trafficdirector.googleapis.com/*.*
    		•  None
    Network Management API
  • networkmanagement.googleapis.com/*.*
    		•  None
    Compute Engine
  • compute.googleapis.com/healthChecks.*
  • compute.googleapis.com/regionHealthChecks.*
  • compute.googleapis.com/httpHealthChecks.*
  • compute.googleapis.com/httpsHealthChecks.*
  • compute.googleapis.com/forwardingRules.*
  • compute.googleapis.com/globalForwardingRules.*
  • compute.googleapis.com/regionBackendServices.*
  • compute.googleapis.com/targetInstances.*
  • compute.googleapis.com/targetPools.*
  • compute.googleapis.com/firewallPolicies.*
  • compute.googleapis.com/firewalls.*
  • compute.googleapis.com/regionFirewallPolicies.*
  • compute.googleapis.com/backendBuckets.*
  • compute.googleapis.com/backendServices.*
  • compute.googleapis.com/regionSslPolicies.*
  • compute.googleapis.com/regionTargetHttpProxies.*
  • compute.googleapis.com/regionTargetTcpProxies.*
  • compute.googleapis.com/regionUrlMaps.*
  • compute.googleapis.com/sslPolicies.*
  • compute.googleapis.com/targetGrpcProxies.*
  • compute.googleapis.com/targetHttpProxies.*
  • compute.googleapis.com/targetHttpsProxies.*
  • compute.googleapis.com/targetSslProxies.*
  • compute.googleapis.com/targetTcpProxies.*
  • compute.googleapis.com/urlMaps.*
  • compute.googleapis.com/addresses.*
  • compute.googleapis.com/globalAddresses.*
  • compute.googleapis.com/networks.*
  • compute.googleapis.com/packetMirrorings.*
  • compute.googleapis.com/publicAdvertisedPrefixes.*
  • compute.googleapis.com/publicDelegatedPrefixes.*
  • compute.googleapis.com/routes.*
  • compute.googleapis.com/subnetworks.*
  • compute.googleapis.com/externalVpnGateways.*
  • compute.googleapis.com/targetVpnGateways.*
  • compute.googleapis.com/vpnGateways.*
  • compute.googleapis.com/interconnectAttachments.*
  • compute.googleapis.com/interconnectLocations.*
  • compute.googleapis.com/interconnectRemoteLocations.*
  • compute.googleapis.com/interconnects.*
    		•  None
    Artifact Registry
  • artifactregistry.googleapis.com/*.*
    		•  None
    Pub/Sub
  • pubsub.googleapis.com/*.*
    		•  None
    Workflows
  • workflows.googleapis.com/*.*
    		•  None
    Google Distributed Cloud
  • gkeonprem.googleapis.com/*.*
    		•  None
    API Keys

  • apikeys.googleapis.com/apikeys.*

  • apikeys.googleapis.com/keys.*
    		•  None
    Cloud DNS
  • dns.googleapis.com/*.*
    		•  None
    Datastore
  • datastore.googleapis.com/backupSchedules.*
  • datastore.googleapis.com/databases.*
  • datastore.googleapis.com/indexes.*
  • datastore.googleapis.com/entities.*
  • datastore.googleapis.com/operations.*
  • datastore.googleapis.com/userCreds.*
  • datastore.googleapis.com/backups.get
  • datastore.googleapis.com/backups.list
  • datastore.googleapis.com/backups.delete
  • datastore.googleapis.com/locations.*
    		•  None
    Cloud Key Management Service
  • cloudkms.googleapis.com/ekmConfigs.*
  • cloudkms.googleapis.com/keyRings.*
  • cloudkms.googleapis.com/importJobs.*
  • cloudkms.googleapis.com/cryptoKeyVersions.create
  • cloudkms.googleapis.com/cryptoKeyVersions.get
  • cloudkms.googleapis.com/cryptoKeyVersions.list
  • cloudkms.googleapis.com/cryptoKeyVersions.update
  • cloudkms.googleapis.com/cryptoKeyVersions.restore
  • cloudkms.googleapis.com/cryptoKeyVersions.useToEncrypt
  • cloudkms.googleapis.com/cryptoKeyVersions.useToDecrypt
  • cloudkms.googleapis.com/cryptoKeyVersions.useToSign
  • cloudkms.googleapis.com/cryptoKeyVersions.useToVerify
  • cloudkms.googleapis.com/cryptoKeyVersions.viewPublicKey
  • cloudkms.googleapis.com/cryptoKeyVersions.destroy
  • cloudkms.googleapis.com/keyHandles.*
  • cloudkms.googleapis.com/autokeyConfigs.*
    		•
  • cloudkms.googleapis.com/importJobs.useToImport
    		•
    Organization Policy Service
  • orgpolicy.googleapis.com/*.*
    		•  None
    Dataplex
  • dataplex.googleapis.com/aspectTypes.*
  • dataplex.googleapis.com/datascans.*
  • dataplex.googleapis.com/entries.*
  • dataplex.googleapis.com/entryTypes.*
  • dataplex.googleapis.com/metadataJobs.*
  • dataplex.googleapis.com/entryGroups.import
  • dataplex.googleapis.com/entryGroups.getIamPolicy
  • dataplex.googleapis.com/entryGroups.setIamPolicy
  • dataplex.googleapis.com/entryGroups.create
  • dataplex.googleapis.com/entryGroups.get
  • dataplex.googleapis.com/entryGroups.update
  • dataplex.googleapis.com/entryGroups.delete
  • dataplex.googleapis.com/entryGroups.list
  • dataplex.googleapis.com/entryGroups.useGenericAspect
  • dataplex.googleapis.com/entryGroups.useContactsAspect
  • dataplex.googleapis.com/entryGroups.useOverviewAspect
  • dataplex.googleapis.com/entryGroups.useSchemaAspect
  • dataplex.googleapis.com/entryGroups.useGenericEntry
    		•  None
    Data Lineage API
  • datalineage.googleapis.com/locations.*
  • datalineage.googleapis.com/operations.*
  • datalineage.googleapis.com/processes.*
  • datalineage.googleapis.com/runs.*
  • datalineage.googleapis.com/events.*
    		•  None
    GKE Hub
  • gkehub.googleapis.com/fleets.*
    		•  None
    Cloud Run functions
  • cloudfunctions.googleapis.com/*.*
    		•  None
    Spanner
  • spanner.googleapis.com/*.*
    		•  None
    Google Kubernetes Engine
  • container.googleapis.com/*.*
    		•  None

    Enforcement version 2

    Policies with enforcement version 2 can block all of the permissions listed in Enforcement version 1. Additionally, policies with the enforcement version 2 can also block all of the permissions listed in the following table.

    Each row contains the following information:

    • The name of a service with permissions that principal access boundary policies can block.

    • The permissions for that service that principal access boundary policies can block.

      In some cases, a section of a permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match that pattern.

    Service Permissions Exceptions
    Access Context Manager
    • accesscontextmanager.googleapis.com/*
    		 None
    Artifact Analysis
    • containeranalysis.googleapis.com/*
    		 None
    BigQuery
    • bigquery.googleapis.com/datasets.*
    • bigquery.googleapis.com/jobs.*
    • bigquery.googleapis.com/models.*
    • bigquery.googleapis.com/routines.*
    • bigquery.googleapis.com/rowAccessPolicies.*
    • bigquery.googleapis.com/tables.*
    		 None
    BigQuery Data Policy
    • bigquerydatapolicy.googleapis.com/*
    		 None
    BigQuery Data Transfer Service
    • bigquerydatatransfer.googleapis.com/transfers.*
    		 None
    Chrome Enterprise Premium
    • beyondcorp.googleapis.com/*
    		 None
    Cloud Asset Inventory
    • cloudasset.googleapis.com/*
    		 None
    Cloud Billing
    • billing.googleapis.com/budgets.*
    		 None
    Cloud Build
    • cloudbuild.googleapis.com/*
    		 None
    Cloud Monitoring
    • monitoring.googleapis.com/*
    • monitoring.googleapis.com/timeSeries.list
    • monitoring.googleapis.com/metricsScopes.link
    Cloud Service Mesh
    • meshconfig.googleapis.com/*
    		 None
    Cloud Storage
    • storage.googleapis.com/bucketOperations.*
    • storage.googleapis.com/buckets.*
    • storage.googleapis.com/folders.*
    • storage.googleapis.com/hmacKeys.*
    • storage.googleapis.com/managedFolders.*
    • storage.googleapis.com/multipartUploads.*
    • storage.googleapis.com/objects.*
    		 None
    Cloud Trace
    • cloudtrace.googleapis.com/*
    		 None
    Compute Engine
    • compute.googleapis.com/networkAttachments.*
    • compute.googleapis.com/networkEdgeSecurityServices.*
    • compute.googleapis.com/regionSecurityPolicies.*
    • compute.googleapis.com/routers.*
    • compute.googleapis.com/serviceAttachments.*
    • compute.googleapis.com/securityPolicies.*
    		 None
    Firebase Rules
    • firebaserules.googleapis.com/*
    		 None
    GKE Multi-Cloud
    • gkemulticloud.googleapis.com/*
    		 None
    Identity-Aware Proxy
    • iap.googleapis.com/*
    		 None
    Memorystore for Redis
    • redis.googleapis.com/*
    		 None
    Network Management API
    • networkmanagement.googleapis.com/*
    		 None
    Network Services API
    • networkservices.googleapis.com/edgeCacheOrigins.*
    • networkservices.googleapis.com/edgeCacheKeysets.*
    • networkservices.googleapis.com/edgeCacheServices.*
    		 None
    reCAPTCHA
    • recaptchaenterprise.googleapis.com/*
    		 None
    Resource Manager
    • cloudresourcemanager.googleapis.com/*
    • cloudresourcemanager.googleapis.com/*.createPolicyBinding
    • cloudresourcemanager.googleapis.com/*.updatePolicyBinding
    • cloudresourcemanager.googleapis.com/*.deletePolicyBinding
    • cloudresourcemanager.googleapis.com/*.searchPolicyBindings
    Video Stitcher API
    • videostitcher.googleapis.com/*
    		 None

    Enforcement version 1

    The following table lists the permissions that principal access boundary policies with enforcement version 1 can block.

    Each row contains the following information:

    • The name of a service with permissions that principal access boundary policies can block.

    • The permissions for that service that principal access boundary policies can block.

      In some cases, a section of a permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match that pattern.

    • The permissions for the service that principal access boundary can't block, even if those permissions match one of the supported permission patterns.

    Service Permissions Exceptions
    Access Approval
    • accessapproval.googleapis.com/serviceaccounts.get
    • accessapproval.googleapis.com/settings.*
    • accessapproval.googleapis.com/requests.list
    		 None
    Access Context Manager
    • accesscontextmanager.googleapis.com/*
    • accesscontextmanager.googleapis.com/gcpUserAccessBindings.*
    BigQuery
    • bigquery.googleapis.com/datasets.create
    • bigquery.googleapis.com/datasets.delete
    • bigquery.googleapis.com/datasets.get
    • bigquery.googleapis.com/datasets.update
    • bigquery.googleapis.com/datasets.setIamPolicy
    • bigquery.googleapis.com/jobs.get
    • bigquery.googleapis.com/jobs.create
    • bigquery.googleapis.com/jobs.delete
    • bigquery.googleapis.com/jobs.list
    • bigquery.googleapis.com/models.create
    • bigquery.googleapis.com/models.delete
    • bigquery.googleapis.com/models.list
    • bigquery.googleapis.com/models.updateMetadata
    • bigquery.googleapis.com/routines.create
    • bigquery.googleapis.com/routines.delete
    • bigquery.googleapis.com/routines.list
    • bigquery.googleapis.com/routines.update
    		 None
    Binary Authorization
    • binaryauthorization.googleapis.com/*
    		 None
    Cloud Logging
    • logging.googleapis.com/logEntries.create
    • logging.googleapis.com/logMetrics.*
    		 None
    Cloud Run
    • run.googleapis.com/authorizeddomains.*
    • run.googleapis.com/configurations.get
    • run.googleapis.com/configurations.list
    • run.googleapis.com/domainmappings.*
    • run.googleapis.com/executions.*
    • run.googleapis.com/jobs.create
    • run.googleapis.com/jobs.delete
    • run.googleapis.com/jobs.get
    • run.googleapis.com/jobs.list
    • run.googleapis.com/jobs.run
    • run.googleapis.com/revisions.*
    • run.googleapis.com/routes.get
    • run.googleapis.com/routes.list
    • run.googleapis.com/services.create
    • run.googleapis.com/services.delete
    • run.googleapis.com/services.get
    • run.googleapis.com/services.list
    • run.googleapis.com/services.update
    • run.googleapis.com/tasks.*
    		 None
    Cloud Storage
    • storage.googleapis.com/buckets.get
    • storage.googleapis.com/buckets.update
    • storage.googleapis.com/buckets.list
    • storage.googleapis.com/buckets.getIamPolicy
    • storage.googleapis.com/buckets.setIamPolicy
    • storage.googleapis.com/hmacKeys.update
    • storage.googleapis.com/objects.get
    • storage.googleapis.com/objects.setRetention
    • storage.googleapis.com/objects.delete
    		 None
    Dataflow
    • dataflow.googleapis.com/jobs.*
    • dataflow.googleapis.com/metrics.get
    • dataflow.googleapis.com/workItems.*
    • dataflow.googleapis.com/messages.list
    • dataflow.googleapis.com/snapshots.list
    • dataflow.googleapis.com/jobs.snapshot
    Datastore
    • datastore.googleapis.com/databases.get
    • datastore.googleapis.com/databases.getMetadata
    • datastore.googleapis.com/databases.create
    • datastore.googleapis.com/databases.delete
    • datastore.googleapis.com/databases.list
    		 None
    Firebase Security Rules
    • firebaserules.googleapis.com/*
    		 None
    GKE Hub
    • gkehub.googleapis.com/features.*
    • gkehub.googleapis.com/fleet.create
    • gkehub.googleapis.com/fleet.get
    • gkehub.googleapis.com/fleet.patch
    • gkehub.googleapis.com/locations.*
    • gkehub.googleapis.com/membershipbindings.*
    • gkehub.googleapis.com/memberships.*
    • gkehub.googleapis.com/rbacrolebindings.*
    • gkehub.googleapis.com/scopes.*
    • gkehub.googleapis.com/*.createTagBinding
    • gkehub.googleapis.com/*.deleteTagBinding
    • gkehub.googleapis.com/*.listEffectiveTags
    • gkehub.googleapis.com/*.listTagBindings
    Pub/Sub
    • pubsub.googleapis.com/*
    • pubsub.googleapis.com/schemas.delete
    • pubsub.googleapis.com/schemas.validate
    • pubsub.googleapis.com/subscriptions.consume
    • pubsub.googleapis.com/*.getIamPolicy
    • pubsub.googleapis.com/*.setIamPolicy
    Memorystore for Redis
    • redis.googleapis.com/instances.create
    • redis.googleapis.com/instances.delete
    • redis.googleapis.com/instances.get
    • redis.googleapis.com/instances.failover
    • redis.googleapis.com/instances.getAuthString
    • redis.googleapis.com/instances.list
    • redis.googleapis.com/instances.upgrade
    • redis.googleapis.com/instances.update
    		 None
    Vertex AI
    • aiplatform.googleapis.com/*
    • aiplatform.googleapis.com/operations.*