Custom constraint supported services

Custom organization policies allow administrators to define their own restrictions on Google Cloud services. For more information about custom constraints, see the Custom organization policy overview.

Each service defines the set of custom constraint fields that can be used to enforce organization policies on their service resources. See the list of supported service resources to learn which Google Cloud services support custom constraints. To learn how to create custom constraints, see Creating and managing custom constraints.

For a list of sample custom constraints, see the custom organization policy library on GitHub.

Supported service resources

Resources associated with the following services can be subjected to custom constraints. Not all resource attributes are available for these resources. See the service-specific documentation to find the resources and attributes that are available for use.

Google Cloud service	Resource type	Launch status
Access Context Manager	`accesscontextmanager.googleapis.com/AccessLevel`	GA
	`accesscontextmanager.googleapis.com/AccessPolicy`	GA
	`accesscontextmanager.googleapis.com/AuthorizedOrgsDesc`	GA
	`accesscontextmanager.googleapis.com/ServicePerimeter`	GA
AI Platform Training	`aiplatform.googleapis.com/CustomJob`	GA
	`aiplatform.googleapis.com/HyperparameterTuningJob`	GA
	`aiplatform.googleapis.com/NasJob`	GA
AlloyDB for PostgreSQL	`alloydb.googleapis.com/Backup`	Preview
	`alloydb.googleapis.com/Cluster`	Preview
	`alloydb.googleapis.com/Instance`	Preview
BigQuery sharing	`analyticshub.googleapis.com/DataExchange`	Preview
BigQuery sharing	`analyticshub.googleapis.com/Listing`	Preview
API keys	`apikeys.googleapis.com/Key`	GA
Artifact Registry	`artifactregistry.googleapis.com/Repository`	GA
Google Cloud Armor	`compute.googleapis.com/NetworkEdgeSecurityService`	GA
Google Cloud Armor	`compute.googleapis.com/SecurityPolicy`	GA
Backup for GKE	`gkebackup.googleapis.com/Backup`	GA
	`gkebackup.googleapis.com/BackupPlan`	GA
	`gkebackup.googleapis.com/Restore`	GA
	`gkebackup.googleapis.com/RestorePlan`	GA
BigQuery	`bigquery.googleapis.com/Dataset`	Preview
Cloud Bigtable Admin API	`bigtableadmin.googleapis.com/AppProfile`	GA
	`bigtableadmin.googleapis.com/Backup`	GA
	`bigtableadmin.googleapis.com/Cluster`	GA
	`bigtableadmin.googleapis.com/Instance`	GA
	`bigtableadmin.googleapis.com/Table`	GA
Binary Authorization	`binaryauthorization.googleapis.com/Attestor`	GA
Binary Authorization	`binaryauthorization.googleapis.com/Policy`	GA
BigQuery Data Transfer Service	`bigquerydatatransfer.googleapis.com/TransferConfig`	GA
Cloud Build	`cloudbuild.googleapis.com/BitbucketServerConfig`	GA
	`cloudbuild.googleapis.com/BuildTrigger`	GA
	`cloudbuild.googleapis.com/Connection`	GA
	`cloudbuild.googleapis.com/GithubEnterpriseConfig`	GA
	`cloudbuild.googleapis.com/Repository`	GA
	`cloudbuild.googleapis.com/WorkerPool`	GA
Certificate Authority Service	`privateca.googleapis.com/CaPool`	GA
	`privateca.googleapis.com/CertificateAuthority`	GA
	`privateca.googleapis.com/CertificateTemplate`	GA
Google Cloud Contact Center as a Service	`contactcenteraiplatform.googleapis.com/ContactCenter`	Preview
Certificate Manager	`certificatemanager.googleapis.com/Certificate`	GA
	`certificatemanager.googleapis.com/CertificateIssuanceConfig`	GA
	`certificatemanager.googleapis.com/CertificateMap`	GA
	`certificatemanager.googleapis.com/CertificateMapEntry`	GA
	`certificatemanager.googleapis.com/DnsAuthorization`	GA
	`certificatemanager.googleapis.com/TrustConfig`	GA
Identity Platform	`identitytoolkit.googleapis.com/Config`	GA
	`identitytoolkit.googleapis.com/DefaultSupportedIdpConfig`	GA
	`identitytoolkit.googleapis.com/InboundSamlConfig`	GA
	`identitytoolkit.googleapis.com/OauthIdpConfig`	GA
	`identitytoolkit.googleapis.com/Tenant`	GA
Cloud Quotas	`cloudquotas.googleapis.com/QuotaPreference`	Preview
Cloud Run functions	`cloudfunctions.googleapis.com/Function`	GA
Cloud Run	`run.googleapis.com/Job`	GA
Cloud Run	`run.googleapis.com/Service`	GA
Colab Enterprise	`aiplatform.googleapis.com/NotebookExecutionJob`	Preview
	`aiplatform.googleapis.com/NotebookRuntime`	GA
	`aiplatform.googleapis.com/NotebookRuntimeTemplate`	GA
Cloud Composer	`composer.googleapis.com/Environment`	GA
Compute Engine	`compute.googleapis.com/Disk`	GA
	`compute.googleapis.com/Image`	GA
	`compute.googleapis.com/Instance`	GA
	`compute.googleapis.com/PreviewFeature`	GA
Resource Manager	`cloudresourcemanager.googleapis.com/Folder`	Preview
Resource Manager	`cloudresourcemanager.googleapis.com/Project`	Preview
Cloud Data Fusion	`datafusion.googleapis.com/DnsPeering`	GA
Cloud Data Fusion	`datafusion.googleapis.com/Instance`	GA
Data Lineage API	`datalineage.googleapis.com/Process`	GA
Dataflow	`dataflow.googleapis.com/Job`	GA
Dataform	`dataform.googleapis.com/Repository`	GA
Dataplex Universal Catalog	`dataplex.googleapis.com/AspectType`	GA
	`dataplex.googleapis.com/DataScan`	GA
	`dataplex.googleapis.com/EntryGroup`	GA
	`dataplex.googleapis.com/EntryType`	GA
	`dataplex.googleapis.com/MetadataJob`	GA
Dataproc Metastore	`metastore.googleapis.com/Backup`	GA
	`metastore.googleapis.com/MetadataImport`	GA
	`metastore.googleapis.com/Service`	GA
Dataproc	`dataproc.googleapis.com/Cluster`	GA
Google Cloud Serverless for Apache Spark	`dataproc.googleapis.com/Batch`	GA
	`dataproc.googleapis.com/Session`	GA
	`dataproc.googleapis.com/SessionTemplate`	Preview
Datastream	`datastream.googleapis.com/ConnectionProfile`	GA
	`datastream.googleapis.com/PrivateConnection`	GA
	`datastream.googleapis.com/Stream`	GA
Cloud Deploy	`clouddeploy.googleapis.com/Automation`	GA
	`clouddeploy.googleapis.com/CustomTargetType`	GA
	`clouddeploy.googleapis.com/DeliveryPipeline`	GA
	`clouddeploy.googleapis.com/DeployPolicy`	GA
	`clouddeploy.googleapis.com/Release`	GA
	`clouddeploy.googleapis.com/Rollout`	GA
	`clouddeploy.googleapis.com/Target`	GA
Developer Connect	`developerconnect.googleapis.com/Connection`	GA
Developer Connect	`developerconnect.googleapis.com/GitRepositoryLink`	GA
Cloud DNS	`dns.googleapis.com/ManagedZone`	GA
	`dns.googleapis.com/Policy`	GA
	`dns.googleapis.com/ResponsePolicy`	GA
	`dns.googleapis.com/ResponsePolicyRule`	GA
Essential Contacts	`essentialcontacts.googleapis.com/Contact`	GA
Eventarc	`eventarc.googleapis.com/Channel`	GA
	`eventarc.googleapis.com/ChannelConnection`	GA
	`eventarc.googleapis.com/Enrollment`	GA
	`eventarc.googleapis.com/GoogleApiSource`	GA
	`eventarc.googleapis.com/GoogleChannelConfig`	GA
	`eventarc.googleapis.com/MessageBus`	GA
	`eventarc.googleapis.com/Pipeline`	GA
	`eventarc.googleapis.com/Trigger`	GA
Filestore	`file.googleapis.com/Backup`	GA
	`file.googleapis.com/Instance`	GA
	`file.googleapis.com/Snapshot`	GA
Firestore	`firestore.googleapis.com/Database`	GA
Cloud Next Generation Firewall	`compute.googleapis.com/Firewall`	GA
Cloud Next Generation Firewall	`compute.googleapis.com/FirewallPolicy`	GA
GKE attached clusters	`gkemulticloud.googleapis.com/AttachedCluster`	GA
GKE on AWS	`gkemulticloud.googleapis.com/AwsCluster`	GA
GKE on AWS	`gkemulticloud.googleapis.com/AwsNodePool`	GA
GKE on Azure	`gkemulticloud.googleapis.com/AzureClient`	GA
	`gkemulticloud.googleapis.com/AzureCluster`	GA
	`gkemulticloud.googleapis.com/AzureNodePool`	GA
GKE	`container.googleapis.com/Cluster`	GA
GKE	`container.googleapis.com/NodePool`	GA
GKE On-Prem API	`gkeonprem.googleapis.com/BareMetalAdminCluster`	GA
	`gkeonprem.googleapis.com/BareMetalCluster`	GA
	`gkeonprem.googleapis.com/BareMetalNodePool`	GA
	`gkeonprem.googleapis.com/VmwareAdminCluster`	GA
	`gkeonprem.googleapis.com/VmwareCluster`	GA
	`gkeonprem.googleapis.com/VmwareNodePool`	GA
Cloud Healthcare API	`healthcare.googleapis.com/ConsentStore`	GA
	`healthcare.googleapis.com/Dataset`	GA
	`healthcare.googleapis.com/DicomStore`	GA
	`healthcare.googleapis.com/FhirStore`	GA
	`healthcare.googleapis.com/Hl7V2Store`	GA
Hub	`gkehub.googleapis.com/Feature`	GA
	`gkehub.googleapis.com/Fleet`	GA
	`gkehub.googleapis.com/Membership`	GA
	`gkehub.googleapis.com/MembershipBinding`	GA
	`gkehub.googleapis.com/MembershipFeature`	GA
	`gkehub.googleapis.com/Namespace`	GA
	`gkehub.googleapis.com/RBACRoleBinding`	GA
	`gkehub.googleapis.com/Scope`	GA
Identity and Access Management	`iam.googleapis.com/AllowPolicy`	GA
	`iam.googleapis.com/ServiceAccount`	GA
	`iam.googleapis.com/ServiceAccountKey`	GA
	`iam.googleapis.com/WorkloadIdentityPool`	GA
	`iam.googleapis.com/WorkloadIdentityPoolManagedIdentity`	Preview
	`iam.googleapis.com/WorkloadIdentityPoolNamespace`	Preview
	`iam.googleapis.com/WorkloadIdentityPoolProvider`	GA
	`iam.googleapis.com/WorkloadIdentityPoolProviderKey`	GA
Identity-Aware Proxy	`iap.googleapis.com/TunnelDestGroup`	GA
Infrastructure Manager	`config.googleapis.com/Deployment`	GA
Infrastructure Manager	`config.googleapis.com/Preview`	GA
Cloud Interconnect	`compute.googleapis.com/Interconnect`	GA
Cloud Interconnect	`compute.googleapis.com/InterconnectAttachment`	GA
Cloud Key Management Service	`cloudkms.googleapis.com/AutokeyConfig`	GA
	`cloudkms.googleapis.com/CryptoKey`	GA
	`cloudkms.googleapis.com/CryptoKeyVersion`	GA
	`cloudkms.googleapis.com/EkmConfig`	GA
	`cloudkms.googleapis.com/EkmConnection`	GA
	`cloudkms.googleapis.com/ImportJob`	GA
	`cloudkms.googleapis.com/KeyHandle`	GA
Live Stream API	`livestream.googleapis.com/Asset`	GA
	`livestream.googleapis.com/Channel`	GA
	`livestream.googleapis.com/Input`	GA
Cloud Load Balancing	`compute.googleapis.com/BackendBucket`	GA
	`compute.googleapis.com/BackendService`	GA
	`compute.googleapis.com/ForwardingRule`	GA
	`compute.googleapis.com/HealthCheck`	GA
	`compute.googleapis.com/InstanceGroup`	GA
	`compute.googleapis.com/NetworkEndpointGroup`	GA
	`compute.googleapis.com/SslPolicy`	GA
	`compute.googleapis.com/TargetGrpcProxy`	GA
	`compute.googleapis.com/TargetHttpProxy`	GA
	`compute.googleapis.com/TargetHttpsProxy`	GA
	`compute.googleapis.com/TargetInstance`	GA
	`compute.googleapis.com/TargetPool`	GA
	`compute.googleapis.com/TargetSslProxy`	GA
	`compute.googleapis.com/TargetTcpProxy`	GA
	`compute.googleapis.com/UrlMap`	GA
	`networkservices.googleapis.com/ServiceLbPolicy`	GA
Cloud Logging	`logging.googleapis.com/Link`	GA
	`logging.googleapis.com/LogBucket`	GA
	`logging.googleapis.com/LogMetric`	GA
	`logging.googleapis.com/LogSink`	GA
	`logging.googleapis.com/LogView`	GA
	`logging.googleapis.com/SavedQuery`	GA
Managed Service for Apache Kafka	`managedkafka.googleapis.com/ConnectCluster`	GA
Google Cloud Managed Service for Apache Kafka	`managedkafka.googleapis.com/Cluster`	GA
Service Management	`servicemanagement.googleapis.com/Service`	Preview
Memorystore	`redis.googleapis.com/Instance`	GA
Memorystore for Redis Cluster	`redis.googleapis.com/Cluster`	GA
Cloud Monitoring	`monitoring.googleapis.com/AlertPolicy`	GA
	`monitoring.googleapis.com/NotificationChannel`	GA
	`monitoring.googleapis.com/Snooze`	GA
Network Connectivity	`networkconnectivity.googleapis.com/Group`	GA
	`networkconnectivity.googleapis.com/Hub`	GA
	`networkconnectivity.googleapis.com/Spoke`	GA
Private Service Connect	`compute.googleapis.com/NetworkAttachment`	GA
Private Service Connect	`compute.googleapis.com/ServiceAttachment`	GA
Pub/Sub	`pubsub.googleapis.com/Schema`	GA
	`pubsub.googleapis.com/Snapshot`	GA
	`pubsub.googleapis.com/Subscription`	GA
	`pubsub.googleapis.com/Topic`	GA
reCAPTCHA	`recaptchaenterprise.googleapis.com/FirewallPolicy`	GA
reCAPTCHA	`recaptchaenterprise.googleapis.com/Key`	GA
Cloud Router, Cloud NAT	`compute.googleapis.com/Router`	GA
Web Security Scanner	`websecurityscanner.googleapis.com/ScanConfig`	GA
Security Command Center	`securitycenter.googleapis.com/BigQueryExport`	GA
	`securitycenter.googleapis.com/ContainerThreatDetectionSettings`	GA
	`securitycenter.googleapis.com/EventThreatDetectionSettings`	GA
	`securitycenter.googleapis.com/MuteConfig`	GA
	`securitycenter.googleapis.com/NotificationConfig`	GA
	`securitycenter.googleapis.com/ResourceValueConfig`	GA
	`securitycenter.googleapis.com/SecurityHealthAnalyticsSettings`	GA
	`securitycenter.googleapis.com/VirtualMachineThreatDetectionSettings`	GA
	`securitycenter.googleapis.com/WebSecurityScannerSettings`	GA
	`securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule`	GA
	`securitycentermanagement.googleapis.com/SecurityCenterService`	GA
	`securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule`	GA
Secret Manager	`secretmanager.googleapis.com/Secret`	GA
security posture	`securityposture.googleapis.com/Posture`	GA
security posture	`securityposture.googleapis.com/PostureDeployment`	GA
Serverless VPC Access	`vpcaccess.googleapis.com/Connector`	GA
Service Extensions	`networkservices.googleapis.com/LbRouteExtension`	GA
Service Extensions	`networkservices.googleapis.com/LbTrafficExtension`	GA
Cloud Service Mesh	`networksecurity.googleapis.com/AuthorizationPolicy`	GA
	`networksecurity.googleapis.com/ClientTlsPolicy`	GA
	`networksecurity.googleapis.com/ServerTlsPolicy`	GA
	`networkservices.googleapis.com/EndpointPolicy`	GA
	`networkservices.googleapis.com/Gateway`	GA
	`networkservices.googleapis.com/GrpcRoute`	GA
	`networkservices.googleapis.com/HttpRoute`	GA
	`networkservices.googleapis.com/Mesh`	GA
	`networkservices.googleapis.com/ServiceBinding`	GA
	`networkservices.googleapis.com/TcpRoute`	GA
	`networkservices.googleapis.com/TlsRoute`	GA
Spanner	`spanner.googleapis.com/Backup`	GA
	`spanner.googleapis.com/Database`	GA
	`spanner.googleapis.com/Instance`	GA
	`spanner.googleapis.com/InstanceConfig`	GA
Cloud SQL	`sqladmin.googleapis.com/BackupRun`	GA
Cloud SQL	`sqladmin.googleapis.com/Instance`	GA
Secure Source Manager	`securesourcemanager.googleapis.com/Instance`	GA
Cloud Storage	`storage.googleapis.com/Bucket`	GA
Vector Search	`aiplatform.googleapis.com/Index`	GA
Vector Search	`aiplatform.googleapis.com/IndexEndpoint`	GA
Vertex AI	`aiplatform.googleapis.com/DeploymentResourcePool`	Preview
Vertex AI	`aiplatform.googleapis.com/Endpoint`	Preview
Vertex ML Metadata	`aiplatform.googleapis.com/MetadataStore`	GA
Vertex AI Pipelines	`aiplatform.googleapis.com/PipelineJob`	Preview
Video Stitcher API	`videostitcher.googleapis.com/CdnKey`	GA
	`videostitcher.googleapis.com/LiveConfig`	GA
	`videostitcher.googleapis.com/Slate`	GA
	`videostitcher.googleapis.com/VodConfig`	GA
Virtual Private Cloud	`compute.googleapis.com/Network`	GA
	`compute.googleapis.com/PacketMirroring`	GA
	`compute.googleapis.com/Route`	GA
	`compute.googleapis.com/Subnetwork`	GA
Cloud VPN	`compute.googleapis.com/ExternalVpnGateway`	GA
	`compute.googleapis.com/TargetVpnGateway`	GA
	`compute.googleapis.com/VpnGateway`	GA
	`compute.googleapis.com/VpnTunnel`	GA
Workflows	`workflows.googleapis.com/Workflow`	GA
Cloud Workstations	`workstations.googleapis.com/Workstation`	GA
	`workstations.googleapis.com/WorkstationCluster`	GA
	`workstations.googleapis.com/WorkstationConfig`	GA