Custom constraint supported services

Custom organization policies allow administrators to define their own restrictions on Google Cloud services. For more information about custom constraints, see the Custom organization policy overview.

Each service defines the set of custom constraint fields that can be used to enforce organization policies on their service resources. See the list of supported service resources to learn which Google Cloud services support custom constraints. To learn how to create custom constraints, see Creating and managing custom constraints.

Supported service resources

Resources associated with the following services can be subjected to custom constraints. Not all resource attributes are available for these resources. See the service-specific documentation to find the resources and attributes that are available for use.

Google Cloud service	Resource type	Launch status
Artifact Registry	`artifactregistry.googleapis.com/Repository`	GA
Certificate Manager	`certificatemanager.googleapis.com/CertificateMap`	GA
	`certificatemanager.googleapis.com/CertificateMapEntry`	GA
	`certificatemanager.googleapis.com/Certificate`	GA
	`certificatemanager.googleapis.com/CertificateIssuanceConfig`	GA
	`certificatemanager.googleapis.com/DnsAuthorization`	GA
	`certificatemanager.googleapis.com/TrustConfig`	GA
Cloud Key Management Service	`cloudkms.googleapis.com/KeyHandle`	GA
	`cloudkms.googleapis.com/AutokeyConfig`	GA
	`cloudkms.googleapis.com/CryptoKey`	GA
	`cloudkms.googleapis.com/CryptoKeyVersion`	GA
	`cloudkms.googleapis.com/EkmConnection`	GA
	`cloudkms.googleapis.com/EkmConfig`	GA
	`cloudkms.googleapis.com/ImportJob`	GA
GKE	`container.googleapis.com/NodePool`	GA
GKE	`container.googleapis.com/Cluster`	GA
Dataproc Serverless	`dataproc.googleapis.com/Batch`	GA
Dataproc	`dataproc.googleapis.com/Cluster`	GA
Compute Engine	`compute.googleapis.com/Disk`	GA
	`compute.googleapis.com/Image`	GA
	`compute.googleapis.com/Instance`	GA
Cloud VPN	`compute.googleapis.com/ExternalVpnGateway`	GA
	`compute.googleapis.com/TargetVpnGateway`	GA
	`compute.googleapis.com/VpnGateway`	GA
	`compute.googleapis.com/VpnTunnel`	GA
Cloud Next Generation Firewall	`compute.googleapis.com/Firewall`	GA
Cloud Next Generation Firewall	`compute.googleapis.com/FirewallPolicy`	GA
Cloud Load Balancing	`compute.googleapis.com/HealthCheck`	GA
	`compute.googleapis.com/InstanceGroup`	GA
	`compute.googleapis.com/NetworkEndpointGroup`	GA
	`compute.googleapis.com/SslPolicy`	GA
	`compute.googleapis.com/TargetInstance`	GA
	`compute.googleapis.com/TargetPool`	GA
	`compute.googleapis.com/BackendService`	GA
	`compute.googleapis.com/BackendBucket`	GA
	`compute.googleapis.com/TargetGrpcProxy`	GA
	`compute.googleapis.com/UrlMap`	GA
	`compute.googleapis.com/TargetTcpProxy`	GA
	`compute.googleapis.com/TargetHttpProxy`	GA
	`compute.googleapis.com/TargetHttpsProxy`	GA
	`compute.googleapis.com/TargetSslProxy`	GA
	`compute.googleapis.com/ForwardingRule`	GA
	`networkservices.googleapis.com/ServiceLbPolicy`	GA
Cloud Interconnect	`compute.googleapis.com/Interconnect`	GA
Cloud Interconnect	`compute.googleapis.com/InterconnectAttachment`	GA
Virtual Private Cloud	`compute.googleapis.com/Network`	GA
	`compute.googleapis.com/PacketMirroring`	GA
	`compute.googleapis.com/Route`	GA
	`compute.googleapis.com/Subnetwork`	GA
Private Service Connect	`compute.googleapis.com/NetworkAttachment`	GA
Private Service Connect	`compute.googleapis.com/ServiceAttachment`	GA
Google Cloud Armor	`compute.googleapis.com/NetworkEdgeSecurityService`	GA
Google Cloud Armor	`compute.googleapis.com/SecurityPolicy`	GA
Cloud Router, Cloud NAT	`compute.googleapis.com/Router`	GA
Identity and Access Management	`iam.googleapis.com/AllowPolicy`	GA
	`iam.googleapis.com/ServiceAccount`	GA
	`iam.googleapis.com/ServiceAccountKey`	GA
Service Extensions	`networkservices.googleapis.com/LbRouteExtension`	GA
Service Extensions	`networkservices.googleapis.com/LbTrafficExtension`	GA
Cloud Storage	`storage.googleapis.com/Bucket`	GA
Cloud SQL	`sqladmin.googleapis.com/Instance`	GA
Cloud SQL	`sqladmin.googleapis.com/BackupRun`	GA
Google Cloud Contact Center as a Service	`contactcenteraiplatform.googleapis.com/ContactCenter`	Preview
Dataflow	`dataflow.googleapis.com/Job`	GA
Cloud Run	`run.googleapis.com/Job`	GA
Cloud Run	`run.googleapis.com/Service`	GA
Cloud Run functions	`cloudfunctions.googleapis.com/Function`	GA
Cloud Build	`cloudbuild.googleapis.com/GithubEnterpriseConfig`	GA
	`cloudbuild.googleapis.com/BitbucketServerConfig`	GA
	`cloudbuild.googleapis.com/BuildTrigger`	GA
	`cloudbuild.googleapis.com/WorkerPool`	GA
Secure Source Manager	`securesourcemanager.googleapis.com/Instance`	GA
Memorystore	`redis.googleapis.com/Instance`	GA
Memorystore for Redis Cluster	`redis.googleapis.com/Cluster`	GA
AlloyDB for PostgreSQL	`alloydb.googleapis.com/Instance`	Preview
Identity Platform	`identitytoolkit.googleapis.com/Config`	GA
	`identitytoolkit.googleapis.com/DefaultSupportedIdpConfig`	GA
	`identitytoolkit.googleapis.com/InboundSamlConfig`	GA
	`identitytoolkit.googleapis.com/OauthIdpConfig`	GA
	`identitytoolkit.googleapis.com/Tenant`	GA
Hub	`gkehub.googleapis.com/Fleet`	GA
	`gkehub.googleapis.com/Membership`	GA
	`gkehub.googleapis.com/Feature`	GA
	`gkehub.googleapis.com/MembershipBinding`	GA
	`gkehub.googleapis.com/Scope`	GA
	`gkehub.googleapis.com/Namespace`	GA
	`gkehub.googleapis.com/RBACRoleBinding`	GA
Secret Manager	`secretmanager.googleapis.com/Secret`	GA
Firestore	`firestore.googleapis.com/Database`	GA
BigQuery Data Transfer Service	`bigquerydatatransfer.googleapis.com/TransferConfig`	GA
Pub/Sub	`pubsub.googleapis.com/Schema`	GA
	`pubsub.googleapis.com/Snapshot`	GA
	`pubsub.googleapis.com/Subscription`	GA
	`pubsub.googleapis.com/Topic`	GA
Serverless VPC Access	`vpcaccess.googleapis.com/Connector`	GA