Custom organization policies allow administrators to define their own restrictions on Google Cloud services. For more information about custom constraints, see the Custom organization policy overview.
Each service defines the set of custom constraint fields that can be used to enforce organization policies on its service resources. See the list of supported service resources to learn which Google Cloud services support custom constraints. To learn how to create custom constraints, see Creating and managing custom constraints.
Supported service resources
Resources associated with the following services can be subjected to custom constraints. Not all resource attributes are available for these resources. See the service-specific documentation to find the resources and attributes that are available for use.
Google Cloud service | Resource type | Launch status |
---|---|---|
AlloyDB for PostgreSQL | alloydb.googleapis.com/Instance | Preview |
Artifact Registry | artifactregistry.googleapis.com/Repository | GA |
BigQuery Data Transfer Service | bigquerydatatransfer.googleapis.com/TransferConfig | GA |
Certificate Manager | certificatemanager.googleapis.com/CertificateMap | GA |
Certificate Manager | certificatemanager.googleapis.com/CertificateMapEntry | GA |
Certificate Manager | certificatemanager.googleapis.com/Certificate | GA |
Certificate Manager | certificatemanager.googleapis.com/CertificateIssuanceConfig | GA |
Certificate Manager | certificatemanager.googleapis.com/DnsAuthorization | GA |
Certificate Manager | certificatemanager.googleapis.com/TrustConfig | GA |
Cloud Build | cloudbuild.googleapis.com/GithubEnterpriseConfig | GA |
Cloud Build | cloudbuild.googleapis.com/BitbucketServerConfig | GA |
Cloud Build | cloudbuild.googleapis.com/BuildTrigger | GA |
Cloud Build | cloudbuild.googleapis.com/WorkerPool | GA |
Cloud Interconnect | compute.googleapis.com/Interconnect | GA |
Cloud Interconnect | compute.googleapis.com/InterconnectAttachment | GA |
Cloud Key Management Service | cloudkms.googleapis.com/KeyHandle | GA |
Cloud Key Management Service | cloudkms.googleapis.com/AutokeyConfig | GA |
Cloud Key Management Service | cloudkms.googleapis.com/CryptoKey | GA |
Cloud Key Management Service | cloudkms.googleapis.com/CryptoKeyVersion | GA |
Cloud Key Management Service | cloudkms.googleapis.com/EkmConnection | GA |
Cloud Key Management Service | cloudkms.googleapis.com/EkmConfig | GA |
Cloud Key Management Service | cloudkms.googleapis.com/ImportJob | GA |
Cloud Load Balancing | compute.googleapis.com/HealthCheck | GA |
Cloud Load Balancing | compute.googleapis.com/SslPolicy | GA |
Cloud Load Balancing | compute.googleapis.com/BackendService | GA |
Cloud Load Balancing | compute.googleapis.com/BackendBucket | GA |
Cloud Load Balancing | compute.googleapis.com/TargetGrpcProxy | GA |
Cloud Load Balancing | compute.googleapis.com/TargetHttpProxy | GA |
Cloud Load Balancing | compute.googleapis.com/TargetHttpsProxy | GA |
Cloud Load Balancing | compute.googleapis.com/TargetTcpProxy | GA |
Cloud Load Balancing | compute.googleapis.com/TargetSslProxy | GA |
Cloud Load Balancing | compute.googleapis.com/UrlMap | GA |
Cloud Load Balancing | compute.googleapis.com/ForwardingRule | GA |
Cloud Next Generation Firewall | compute.googleapis.com/Firewall | GA |
Cloud Next Generation Firewall | compute.googleapis.com/FirewallPolicy | GA |
Cloud Router, Cloud NAT | compute.googleapis.com/Router | GA |
Cloud Run | run.googleapis.com/Job | GA |
Cloud Run | run.googleapis.com/Service | GA |
Cloud Run functions | cloudfunctions.googleapis.com/Function | GA |
Cloud SQL | sqladmin.googleapis.com/Instance | GA |
Cloud SQL | sql.googleapis.com/BackupRun | GA |
Cloud Storage | storage.googleapis.com/Bucket | GA |
Cloud VPN | compute.googleapis.com/ExternalVpnGateway | GA |
Cloud VPN | compute.googleapis.com/TargetVpnGateway | GA |
Cloud VPN | compute.googleapis.com/VpnGateway | GA |
Cloud VPN | compute.googleapis.com/VpnTunnel | GA |
Compute Engine | compute.googleapis.com/Disk | GA |
Compute Engine | compute.googleapis.com/Image | GA |
Compute Engine | compute.googleapis.com/Instance | GA |
Compute Engine | compute.googleapis.com/InstanceGroup | GA |
Compute Engine | compute.googleapis.com/NetworkEndpointGroup | GA |
Google Cloud Armor | compute.googleapis.com/NetworkEdgeSecurityService | GA |
Google Cloud Armor | compute.googleapis.com/SecurityPolicy | GA |
Google Cloud Contact Center as a Service | contactcenteraiplatform.googleapis.com/ContactCenter | Preview |
Dataflow | dataflow.googleapis.com/Job | GA |
Dataproc Serverless | dataproc.googleapis.com/Batch | GA |
Dataproc | dataproc.googleapis.com/Cluster | GA |
Fleets | gkehub.googleapis.com/Fleet | GA |
Fleets | gkehub.googleapis.com/Membership | GA |
Fleets | gkehub.googleapis.com/Feature | GA |
Fleets | gkehub.googleapis.com/MembershipBinding | GA |
Fleets | gkehub.googleapis.com/Scope | GA |
Fleets | gkehub.googleapis.com/Namespace | GA |
Fleets | gkehub.googleapis.com/RBACRoleBinding | GA |
Google Kubernetes Engine (GKE) | container.googleapis.com/NodePool | GA |
Google Kubernetes Engine (GKE) | container.googleapis.com/Cluster | GA |
Identity and Access Management | iam.googleapis.com/AllowPolicy | Preview |
Identity and Access Management | iam.googleapis.com/ServiceAccount | GA |
Identity and Access Management | iam.googleapis.com/ServiceAccountKey | GA |
Identity Platform | identitytoolkit.googleapis.com/Config | GA |
Identity Platform | identitytoolkit.googleapis.com/DefaultSupportedIdpConfig | GA |
Identity Platform | identitytoolkit.googleapis.com/InboundSamlConfig | GA |
Identity Platform | identitytoolkit.googleapis.com/OauthIdpConfig | GA |
Identity Platform | identitytoolkit.googleapis.com/Tenant | GA |
Memorystore | redis.googleapis.com/Instance | GA |
Memorystore for Redis Cluster | redis.googleapis.com/Cluster | GA |
Private Service Connect | compute.googleapis.com/NetworkAttachment | GA |
Private Service Connect | compute.googleapis.com/ServiceAttachment | GA |
Secret Manager | secretmanager.googleapis.com/Secret | GA |
Virtual Private Cloud | compute.googleapis.com/Network | GA |
Virtual Private Cloud | compute.googleapis.com/PacketMirroring | GA |
Virtual Private Cloud | compute.googleapis.com/Route | GA |
Virtual Private Cloud | compute.googleapis.com/Subnetwork | GA |