Resource types with built-in identities

Some Google Cloud resources have built-in identities. These identities let the resources act like principals: you can grant a role to such a resource, or to a set of such resources, by referencing its principal identifier as a member in an allow policy, using the formats listed on this page.

Principal identifiers for single resources

The following table lists the resource types that have built-in identities. It also lists the accepted formats for the resource's principal identifier. Use one of the accepted formats for the principal identifier in your allow policies to grant roles to the resource.

Resource type: Parameter Manager parameters
Principal identifier format: principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID

Principal identifiers for sets of resources

Use the following formats in your allow policies to grant roles to sets of resources with built-in identities. In every format, PROJECT_NUMBER is the numeric project number, not the project ID, and RESOURCE_SERVICE is the service that owns the resources (for example, parametermanager.googleapis.com). Where a set can be scoped by ancestor, you can identify the ancestor either by its resource name (ancestor.name) or by its unique ID (ancestor.uid).

All resources for the specified service in the specified project:
  principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/*

All resources in the specified project with the specified type:
  principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/type/RESOURCE_TYPE/*

All resources with the specified ancestor (by name or by UID):
  principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/ancestor.name/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_NAME
  principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/ancestor.uid/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_UID

All resources with the specified type and the specified ancestor (by name or by UID):
  principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/type/RESOURCE_TYPE/ancestor.name/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_NAME
  principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/type/RESOURCE_TYPE/ancestor.uid/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_UID
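The following Python is an added example, not code from the original page or from Google Cloud. It builds the single-resource and principalSet identifiers in the formats listed above, parses an existing member string back into its scope so that a policy review can tell a single-resource grant from a project-wide wildcard, and rejects strings that do not match any documented shape (including a project ID where a project number is required). The project number, parameter UID, resource type "parameters" and ancestor "folders"/"eng-prod" are constructed placeholders; the actual RESOURCE_TYPE and ANCESTOR_RESOURCE_TYPE values a service accepts are service-specific and are not given on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample values for this example; they are not from the original page.
PROJECT_NUMBER = "123456789012"
PM_SERVICE = "parametermanager.googleapis.com"
PARAMETER_UID = "5f9b2c1e-0a4d-4b7e-9c3f-1d2e3f4a5b6c"

_PROJECT_NUMBER_RE = re.compile(r"^\d+$")


def _check_project_number(project_number: str) -> None:
    # The formats take the numeric project number; a project ID such as
    # "my-project" is a common mistake and produces a member nobody matches.
    if not _PROJECT_NUMBER_RE.match(project_number):
        raise ValueError(f"expected a numeric project number, got {project_number!r}")


def parameter_principal(project_number: str, parameter_uid: str) -> str:
    """principal:// identifier for one Parameter Manager parameter (UID-based path)."""
    _check_project_number(project_number)
    return (f"principal://{PM_SERVICE}/projects/{project_number}"
            f"/uid/locations/global/parameters/{parameter_uid}")


def principal_set(service: str, project_number: str,
                  resource_type: Optional[str] = None,
                  ancestor_type: Optional[str] = None,
                  ancestor_value: Optional[str] = None,
                  ancestor_by: str = "name") -> str:
    """principalSet:// identifier for a set of resources, in the four documented shapes."""
    _check_project_number(project_number)
    if ancestor_by not in ("name", "uid"):
        raise ValueError("ancestor_by must be 'name' or 'uid'")
    if (ancestor_type is None) != (ancestor_value is None):
        raise ValueError("ancestor_type and ancestor_value must be given together")
    ident = f"principalSet://{service}/projects/{project_number}"
    if resource_type:
        ident += f"/type/{resource_type}"
    if ancestor_type:
        ident += f"/ancestor.{ancestor_by}/{ancestor_type}/{ancestor_value}"
    else:
        ident += "/*"   # no ancestor scoping: wildcard over the project (and type)
    return ident


@dataclass(frozen=True)
class Scope:
    kind: str                            # "single" or "set"
    service: str
    project_number: str
    resource_type: Optional[str] = None
    ancestor_by: Optional[str] = None    # "name" or "uid"
    ancestor_type: Optional[str] = None
    ancestor_value: Optional[str] = None
    resource_path: Optional[str] = None  # UID-based path of a single resource


_SINGLE_RE = re.compile(r"^principal://([^/]+)/projects/(\d+)/uid/(.+)$")
_SET_RE = re.compile(
    r"^principalSet://([^/]+)/projects/(\d+)"
    r"(?:/type/([^/]+))?"
    r"(?:/\*|/ancestor\.(name|uid)/([^/]+)/(.+))$")


def parse_principal(identifier: str) -> Scope:
    """Classify a member string as one resource or a set and extract its scope.

    Anything that is not one of the documented shapes raises ValueError, so a
    review script fails closed on malformed or unexpected member strings.
    """
    m = _SINGLE_RE.match(identifier)
    if m:
        service, project_number, path = m.groups()
        return Scope("single", service, project_number, resource_path=path)
    m = _SET_RE.match(identifier)
    if m:
        service, project_number, rtype, by, atype, aval = m.groups()
        return Scope("set", service, project_number, resource_type=rtype,
                     ancestor_by=by, ancestor_type=atype, ancestor_value=aval)
    raise ValueError(f"not a built-in-identity principal: {identifier!r}")


def describe(scope: Scope) -> str:
    """Map a parsed scope back to the description used in the tables above."""
    if scope.kind == "single":
        return "single resource"
    if scope.resource_type and scope.ancestor_type:
        return "all resources with the specified type and the specified ancestor"
    if scope.ancestor_type:
        return "all resources with the specified ancestor"
    if scope.resource_type:
        return "all resources in the specified project with the specified type"
    return "all resources for the specified service in the specified project"


def binding(member: str, role: str) -> dict:
    """One allow-policy binding; the member is validated before it is emitted."""
    parse_principal(member)
    return {"role": role, "members": [member]}


if __name__ == "__main__":
    one = parameter_principal(PROJECT_NUMBER, PARAMETER_UID)
    many = principal_set(PM_SERVICE, PROJECT_NUMBER, resource_type="parameters",
                         ancestor_type="folders", ancestor_value="eng-prod")
    for ident in (one, many):
        print(describe(parse_principal(ident)), "->", ident)
```

When reviewing an existing policy, run each member through parse_principal and flag any set whose description is "all resources for the specified service in the specified project"; that is the broadest grant the format allows, and a type or ancestor-scoped set, or a single-resource principal, usually satisfies least privilege with no extra effort.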