Some Google Cloud resources have built-in identities. These identities let the resources act like principals. As a result, resources with built-in identities can do the following:
- Be granted IAM roles using the resource's principal identifier
- Access other resources without using service agents
Principal identifiers for single resources
The following table lists the resource types that have built-in identities. It also lists the accepted formats for the resource's principal identifier. Use one of the accepted formats for the principal identifier in your allow policies to grant roles to the resource.
| Resource type | Principal identifier format |
|---|---|
| Parameter Manager parameters | `principal://parametermanager.googleapis.com/` |
Principal identifiers for sets of resources
Use the following formats in your allow policies to grant roles to sets of resources with built-in identities:
| Description | Format |
|---|---|
| All resources for the specified service in the specified project | `principalSet://RESOURCE_SERVICE/` |
| All resources in the specified project with the specified type | `principalSet://RESOURCE_SERVICE/` |
| All resources with the specified ancestor | |
| All resources with the specified type and the specified ancestor | |
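The following Python is an added example and is not code from the Google Cloud documentation. It parses a principal identifier into its scheme (`principal://` for a single resource, `principalSet://` for a set of resources), the resource service host and the remaining path, builds an allow-policy binding from validated identifiers, and lists the bindings whose members are sets, since a set identifier grants the role to every resource it matches and is the first thing to look at when reviewing a policy for over-broad grants. The two scheme prefixes and the service name `parametermanager.googleapis.com` are taken from the tables above; the path segments after the service host (`PLACEHOLDER_RESOURCE_PATH`, `PLACEHOLDER_PROJECT_PATH`) and the role `roles/viewer` are constructed placeholders, because the page does not reproduce the full path formats.

```python
"""Work with IAM principal identifiers for resources that have built-in identities.

Added example, not from the Google Cloud documentation. The scheme prefixes and
the service name parametermanager.googleapis.com come from the page; the path
segments after the service host and the role name are constructed placeholders.
"""
from dataclasses import dataclass

SINGLE_PREFIX = "principal://"     # identifies one resource
SET_PREFIX = "principalSet://"     # identifies a set of resources


@dataclass(frozen=True)
class ResourcePrincipal:
    kind: str      # "single" or "set"
    service: str   # resource service host, e.g. parametermanager.googleapis.com
    path: str      # whatever follows the service host (may be empty)

    @property
    def is_set(self) -> bool:
        return self.kind == "set"


def parse_principal(identifier: str) -> ResourcePrincipal:
    """Split a principal identifier into scheme kind, service host and path.

    Raises ValueError for identifiers that are not resource principals
    (for example user: or serviceAccount: members) or whose service is not
    a googleapis.com host.
    """
    if identifier.startswith(SET_PREFIX):
        kind, rest = "set", identifier[len(SET_PREFIX):]
    elif identifier.startswith(SINGLE_PREFIX):
        kind, rest = "single", identifier[len(SINGLE_PREFIX):]
    else:
        raise ValueError(f"not a resource principal identifier: {identifier!r}")
    service, _, path = rest.partition("/")
    if not service or not service.endswith(".googleapis.com"):
        raise ValueError(f"unexpected resource service: {service!r}")
    return ResourcePrincipal(kind, service, path)


def make_binding(role: str, members: list[str]) -> dict:
    """Build one allow-policy binding, validating every member first."""
    for member in members:
        parse_principal(member)   # raises on a malformed identifier
    return {"role": role, "members": list(members)}


def set_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs whose member is a principalSet.

    A set identifier grants the role to every resource it matches, so these
    bindings are the ones to review first for least-privilege concerns.
    """
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(SET_PREFIX):
                found.append((binding["role"], member))
    return found


# Constructed sample policy. The PLACEHOLDER_* segments stand in for the
# resource-specific path segments the page does not reproduce; roles/viewer
# is only an illustrative role.
SAMPLE_POLICY = {
    "bindings": [
        make_binding(
            "roles/viewer",
            ["principal://parametermanager.googleapis.com/PLACEHOLDER_RESOURCE_PATH"],
        ),
        make_binding(
            "roles/viewer",
            ["principalSet://parametermanager.googleapis.com/PLACEHOLDER_PROJECT_PATH"],
        ),
    ]
}

if __name__ == "__main__":
    for role, member in set_bindings(SAMPLE_POLICY):
        print(f"review: {role} is granted to the resource set {member}")
```

`parse_principal` only checks the parts of the format the page documents (scheme prefix and service host); it does not validate the resource path, so substitute the real path format from the IAM documentation before relying on it for anything beyond a policy review.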

