Supported identities for ingress and egress rules

VPC Service Controls uses ingress and egress rules to control access to and from resources and clients within service perimeters. To refine access further, you can specify supported identities in ingress and egress rules.

This page lists the identities supported by VPC Service Controls and their identifier formats.

Supported identities

VPC Service Controls supports the following identities from Principal identifiers for allow policies, which use the IAM v1 API:

Identity type | Principal type | Identifier
--- | --- | ---
Single principals | User accounts | user:USER_EMAIL_ADDRESS
Single principals | Service accounts | serviceAccount:SA_EMAIL_ADDRESS
Identity groups and third-party identities | Group | group:GROUP_EMAIL_ADDRESS
Identity groups and third-party identities | Single identity in a workforce identity pool | principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
Identity groups and third-party identities | All workforce identities in a group | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID
Identity groups and third-party identities | All workforce identities with a specific attribute value | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
Identity groups and third-party identities | All identities in a workforce identity pool | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*
Identity groups and third-party identities | Single identity in a workload identity pool | principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
Identity groups and third-party identities | Workload identity pool group | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID
Identity groups and third-party identities | All identities in a workload identity pool with a certain attribute | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
Identity groups and third-party identities | All identities in a workload identity pool | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*
Identity groups and third-party identities | Agent identity (Preview) | principal://TRUST_DOMAIN/AGENT_UNIQUE_IDENTIFIER
Identity groups and third-party identities | All agent identities in a trust domain with a certain attribute (Preview) | principalSet://TRUST_DOMAIN/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
Identity groups and third-party identities | All agent identities in a trust domain (Preview) | principalSet://TRUST_DOMAIN/*

For more information about these identities, see Principal identifiers for allow policies.

VPC Service Controls also supports the following SPIFFE formats for third-party workforce and workload identities:

Identity type | Principal type | Identifier
--- | --- | ---
Workforce identities in SPIFFE format (Preview) | Single identity in a workforce identity pool (Preview) | principal://POOL_ID.global.workforce.id.goog/SUBJECT_ATTRIBUTE_VALUE
Workforce identities in SPIFFE format (Preview) | All identities in a workforce identity pool as a trust domain with a certain attribute (Preview) | principalSet://POOL_ID.global.workforce.id.goog/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
Workforce identities in SPIFFE format (Preview) | All identities in a workforce identity pool as a trust domain (Preview) | principalSet://POOL_ID.global.workforce.id.goog/*
Workload identities in SPIFFE format (Preview) | Single identity in a workload identity pool (Preview) | principal://POOL_ID.global.ORGANIZATION_ID.workload.id.goog/SUBJECT_ATTRIBUTE_VALUE
Workload identities in SPIFFE format (Preview) | All identities in a workload identity pool as a trust domain with a certain attribute (Preview) | principalSet://POOL_ID.global.ORGANIZATION_ID.workload.id.goog/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
Workload identities in SPIFFE format (Preview) | All identities in a workload identity pool as a trust domain (Preview) | principalSet://POOL_ID.global.ORGANIZATION_ID.workload.id.goog/*
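As an added example (not part of the Google Cloud documentation), the following Python checker classifies each entry of an ingress or egress rule's identities list against the identifier formats in the two tables above and flags entries that match none of them, which catches the stray space or capitalisation slip that would otherwise make a rule silently not match the intended principal. The character classes used for the placeholders, the numeric ORGANIZATION_ID and the host-like shape of TRUST_DOMAIN are assumptions, not something the page states.

```python
import re
# Character classes for the placeholders are assumptions; the page gives only the names.
_SEG = r"[A-Za-z0-9._-]+"                        # POOL_ID, GROUP_ID, ATTRIBUTE_NAME
_EMAIL = r"[^\s:/]+@[^\s:/]+"                    # *_EMAIL_ADDRESS
_WF = r"iam\.googleapis\.com/locations/global/workforcePools/" + _SEG
_WL = r"iam\.googleapis\.com/projects/\d+/locations/global/workloadIdentityPools/" + _SEG
_WF_SPIFFE = _SEG + r"\.global\.workforce\.id\.goog"
_WL_SPIFFE = _SEG + r"\.global\.\d+\.workload\.id\.goog"   # ORGANIZATION_ID assumed numeric
_TD = r"(?!iam\.googleapis\.com)[A-Za-z0-9.-]+"  # TRUST_DOMAIN, host-like (assumption)

# (identity type, full-match pattern); generic agent forms last so the specific forms win first.
PRINCIPAL_PATTERNS = [
    ("user account", rf"user:{_EMAIL}"),
    ("service account", rf"serviceAccount:{_EMAIL}"),
    ("group", rf"group:{_EMAIL}"),
    ("workforce pool: single identity", rf"principal://{_WF}/subject/.+"),
    ("workforce pool: group", rf"principalSet://{_WF}/group/{_SEG}"),
    ("workforce pool: attribute", rf"principalSet://{_WF}/attribute\.{_SEG}/.+"),
    ("workforce pool: all identities", rf"principalSet://{_WF}/\*"),
    ("workload pool: single identity", rf"principal://{_WL}/subject/.+"),
    ("workload pool: group", rf"principalSet://{_WL}/group/{_SEG}"),
    ("workload pool: attribute", rf"principalSet://{_WL}/attribute\.{_SEG}/.+"),
    ("workload pool: all identities", rf"principalSet://{_WL}/\*"),
    ("SPIFFE workforce: single identity", rf"principal://{_WF_SPIFFE}/.+"),
    ("SPIFFE workforce: attribute", rf"principalSet://{_WF_SPIFFE}/attribute\.{_SEG}/.+"),
    ("SPIFFE workforce: all identities", rf"principalSet://{_WF_SPIFFE}/\*"),
    ("SPIFFE workload: single identity", rf"principal://{_WL_SPIFFE}/.+"),
    ("SPIFFE workload: attribute", rf"principalSet://{_WL_SPIFFE}/attribute\.{_SEG}/.+"),
    ("SPIFFE workload: all identities", rf"principalSet://{_WL_SPIFFE}/\*"),
    ("agent identity", rf"principal://{_TD}/.+"),
    ("agent identities: attribute", rf"principalSet://{_TD}/attribute\.{_SEG}/.+"),
    ("agent identities: all in trust domain", rf"principalSet://{_TD}/\*"),
]

def classify_principal(identifier):
    """Return the identity type the identifier matches, or None if no listed format matches."""
    for name, pattern in PRINCIPAL_PATTERNS:
        if re.fullmatch(pattern, identifier):
            return name
    return None

def unsupported_identities(identities):
    """Entries of a rule's identities list that match none of the listed formats."""
    return [i for i in identities if classify_principal(i) is None]

SAMPLE_IDENTITIES = [  # constructed ingress-rule identities; the last entry is deliberately malformed
    "user:alice@example.com",
    "principalSet://iam.googleapis.com/locations/global/workforcePools/wf-pool/attribute.team/security",
    "serviceAccount: build@example-project.iam.gserviceaccount.com",  # stray space after the colon
]
```

Patterns are matched case-sensitively and in order, so a string that fails every Google-managed or SPIFFE form and whose host is not iam.googleapis.com is reported as an agent identity; tighten the TRUST_DOMAIN pattern if your environment uses a known set of trust domains.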
