Resource types with built-in identities

Some Google Cloud resources have built-in identities. These identities let the resources act like principals. As a result, resources with built-in identities can do the following:

Principal identifiers for single resources

The following table lists the resource types that have built-in identities, together with the accepted formats for each resource's principal identifier. Use one of the accepted formats as the principal identifier (the member) in your allow policies to grant roles to the resource.

Resource type: Parameter Manager parameters

Principal identifier format:

    principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID

Principal identifiers for sets of resources

Use the following formats in your allow policies to grant roles to sets of resources with built-in identities:

All resources for the specified service in the specified project

    principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/*

All resources in the specified project with the specified type

    principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/type/RESOURCE_TYPE/*

All resources with the specified ancestor (addressed by name or by UID)

    principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/ancestor.name/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_NAME

    principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/ancestor.uid/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_UID

All resources with the specified type and the specified ancestor (addressed by name or by UID)

    principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/type/RESOURCE_TYPE/ancestor.name/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_NAME

    principalSet://RESOURCE_SERVICE/projects/PROJECT_NUMBER/type/RESOURCE_TYPE/ancestor.uid/ANCESTOR_RESOURCE_TYPE/ANCESTOR_RESOURCE_UID
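The single-resource and set formats above form a small grammar, and the security-relevant question when reviewing an allow policy is how many resources a given member string actually matches: `principal://...` names one resource, while `principalSet://SERVICE/projects/N/*` grants the role to every present and future resource of that service in the project. The following Python module is an added example, not Google's code or an official client library. It builds identifiers in the formats listed on this page, parses them back into their parts, classifies the scope of each, and scans a policy document (in the shape of `gcloud projects get-iam-policy --format=json` output) for resource-principal bindings that are broader than a single resource. The project number, parameter UID, ancestor values and the sample policy are constructed; the parser for `principal://` identifiers assumes the generic `projects/N/uid/<collection>/<id>...` shape of which the Parameter Manager format is the one documented instance.

```python
"""Build, parse and audit IAM principal identifiers for resources with built-in identities.

Added example, not Google's code. The grammar is taken from the formats listed on this
page (principal:// for a single resource, principalSet:// for sets of resources).
Project numbers, UIDs, ancestor values and the sample policy are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

PROJECT_NUMBER_RE = re.compile(r"^[0-9]+$")   # formats take the project *number*, not the ID
ANCESTOR_KEYS = ("name", "uid")


@dataclass(frozen=True)
class ResourcePrincipal:
    kind: str                              # "single" (principal://) or "set" (principalSet://)
    service: str                           # RESOURCE_SERVICE, e.g. parametermanager.googleapis.com
    project_number: str
    resource_type: Optional[str] = None    # type/ segment for sets; last collection for singles
    ancestor: Optional[tuple] = None       # (key, ancestor_type, value), key in ANCESTOR_KEYS
    resource_uid: Optional[str] = None     # singles only

    @property
    def scope(self) -> str:
        """How much a binding to this identifier covers, narrowest to broadest."""
        if self.kind == "single":
            return "single-resource"
        if self.resource_type and self.ancestor:
            return "type+ancestor"
        if self.ancestor:
            return "ancestor"
        if self.resource_type:
            return "type"
        return "project-wide"


def parameter_manager_principal(project_number: str, parameter_uid: str) -> str:
    """Single-resource identifier in the format this page documents for Parameter Manager."""
    return (f"principal://parametermanager.googleapis.com/projects/{project_number}"
            f"/uid/locations/global/parameters/{parameter_uid}")


def resource_principal_set(service: str, project_number: str,
                           resource_type: Optional[str] = None,
                           ancestor: Optional[tuple] = None) -> str:
    """principalSet:// identifier for any of the six set formats on this page."""
    path = f"principalSet://{service}/projects/{project_number}"
    if resource_type:
        path += f"/type/{resource_type}"
    if ancestor:
        key, ancestor_type, value = ancestor
        if key not in ANCESTOR_KEYS:
            raise ValueError(f"ancestor key must be one of {ANCESTOR_KEYS}, got {key!r}")
        return f"{path}/ancestor.{key}/{ancestor_type}/{value}"
    return f"{path}/*"


def parse_resource_principal(identifier: str) -> ResourcePrincipal:
    """Parse a principal:// or principalSet:// identifier; raise ValueError for anything else."""
    if identifier.startswith("principal://"):
        kind, rest = "single", identifier[len("principal://"):]
    elif identifier.startswith("principalSet://"):
        kind, rest = "set", identifier[len("principalSet://"):]
    else:
        raise ValueError(f"not a resource principal identifier: {identifier!r}")
    parts = rest.split("/")
    if "" in parts or len(parts) < 4 or parts[1] != "projects":
        raise ValueError(f"expected SERVICE/projects/PROJECT_NUMBER/...: {identifier!r}")
    service, project_number, tail = parts[0], parts[2], parts[3:]
    if not PROJECT_NUMBER_RE.match(project_number):
        raise ValueError(f"project number must be numeric: {project_number!r}")

    if kind == "single":
        # projects/N/uid/<collection>/<id>/.../<collection>/<uid>: an odd number of segments
        if tail[0] != "uid" or len(tail) < 3 or len(tail) % 2 == 0:
            raise ValueError(f"single-resource identifier needs uid/<collection>/<uid> pairs: {identifier!r}")
        return ResourcePrincipal(kind, service, project_number,
                                 resource_type=tail[-2], resource_uid=tail[-1])

    resource_type = ancestor = None
    i = 0
    if tail[i] == "type":                     # optional type/RESOURCE_TYPE prefix
        if len(tail) < 2:
            raise ValueError(f"type/ needs a resource type: {identifier!r}")
        resource_type, i = tail[1], 2
    if i == len(tail):
        raise ValueError(f"set identifier must end in '*' or an ancestor clause: {identifier!r}")
    if tail[i] == "*":                        # wildcard: everything under the prefix
        if i + 1 != len(tail):
            raise ValueError(f"nothing may follow '*': {identifier!r}")
    elif tail[i] in ("ancestor.name", "ancestor.uid"):
        if len(tail) != i + 3:
            raise ValueError(f"ancestor clause is ancestor.KEY/TYPE/VALUE: {identifier!r}")
        ancestor = (tail[i].split(".", 1)[1], tail[i + 1], tail[i + 2])
    else:
        raise ValueError(f"unexpected segment {tail[i]!r} in {identifier!r}")
    return ResourcePrincipal(kind, service, project_number, resource_type, ancestor)


def is_valid_resource_principal(identifier: str) -> bool:
    try:
        parse_resource_principal(identifier)
        return True
    except ValueError:
        return False


def find_broad_resource_bindings(policy: dict, broad=("project-wide", "type")) -> list:
    """Return (role, member, scope) for resource-principal members whose scope is in `broad`."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not is_valid_resource_principal(member):
                continue                      # users, groups, service accounts: not resource identities
            scope = parse_resource_principal(member).scope
            if scope in broad:
                findings.append((binding["role"], member, scope))
    return findings


# Constructed policy in the shape of `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/secretmanager.secretAccessor",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                     parameter_manager_principal("123456789012", "0d0c7b9e-1a2b-4c3d-8e9f-0a1b2c3d4e5f")]},
        {"role": "roles/secretmanager.secretAccessor",
         "members": [resource_principal_set("parametermanager.googleapis.com", "123456789012")]},
        {"role": "roles/viewer",
         "members": ["group:security@example.com",
                     resource_principal_set("parametermanager.googleapis.com", "123456789012",
                                            resource_type="parameters",
                                            ancestor=("name", "locations", "global"))]},
    ],
    "etag": "constructed-etag=",
}

if __name__ == "__main__":
    for role, member, scope in find_broad_resource_bindings(SAMPLE_POLICY):
        print(f"{scope:13} {role:40} {member}")
```

Running the module prints only the second binding, because `principalSet://parametermanager.googleapis.com/projects/123456789012/*` lets any Parameter Manager parameter in the project (including ones created later) read secrets, whereas the single `principal://` member and the type-plus-ancestor set are narrower. Adjust the `broad` tuple to match your own policy: some teams treat a bare `type/RESOURCE_TYPE/*` set as acceptable and flag only the project-wide wildcard.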