Help secure IAM with VPC Service Controls
With VPC Service Controls, you can create perimeters, which are boundaries around your Google Cloud resources. You can then define security policies that help prevent access to supported services from outside of the perimeter. For more information about VPC Service Controls, see the VPC Service Controls overview.
You can use VPC Service Controls to help secure the following IAM-related APIs:
- Identity and Access Management API
- Security Token Service API
- Privileged Access Manager API
Help secure the Identity and Access Management API
Beta — Using VPC Service Controls with IAM. This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
You can help secure the following Identity and Access Management (IAM) resources by using VPC Service Controls:
- Custom roles
- Service account keys
- Service accounts
- Workload identity pools
- Deny policies
- Policy bindings for principal access boundary policies
How VPC Service Controls works with IAM
When you restrict IAM with a perimeter, only actions that use the IAM API are restricted. These actions include the following:
- Managing custom IAM roles
- Managing workload identity pools
- Managing service accounts and keys
- Managing deny policies
- Managing policy bindings for principal access boundary policies
The perimeter doesn't restrict actions on workforce pools and principal access boundary policies, because those resources are created at the organization level, and organization-level resources can't be placed in a perimeter.
The perimeter also doesn't restrict allow policy management for resources owned by other services, such as Resource Manager projects, folders, and organizations, or Compute Engine virtual machine instances. To restrict allow policy management for those resources, create a perimeter that restricts the service that owns them (for example, the Resource Manager API for project allow policies). For a list of resources that accept allow policies and the services that own them, see Resource types that accept allow policies.
Additionally, the perimeter doesn't restrict actions that use other APIs, including the following:
- IAM Policy Simulator API
- IAM Policy Troubleshooter API
- Security Token Service API
- Service Account Credentials API (including the legacy signBlob and signJwt methods in the IAM API)
For more details about how VPC Service Controls works with IAM, see the IAM entry in the VPC Service Controls supported products table.
Help secure the Security Token Service API
You can help secure token exchanges by using VPC Service Controls.
Note: VPC Service Controls only restricts token exchanges if the audience in the request is a project-level resource. For example, it does not restrict requests for downscoped tokens, because those requests have no audience.
When you restrict the Security Token Service API with a perimeter, only the following entities can exchange tokens:
- Resources within the same perimeter as the workload identity pool you're using to exchange the token
- Principals with the attributes defined in the service perimeter
When you create an ingress or egress rule to allow token exchanges, you must set the identity type to ANY_IDENTITY, because the token method is unauthenticated: the request carries no principal for the perimeter to match, so a rule scoped to specific identities or identity types never applies and the exchange is denied.
For more details about how VPC Service Controls works with the Security Token Service, see the Security Token Service entry in the VPC Service Controls supported products table.
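The two configuration mistakes this page warns about (an STS ingress rule that is not ANY_IDENTITY, and an IAM perimeter that leaves the Service Account Credentials and Resource Manager APIs unrestricted) are easy to lint from a perimeter definition. The following is an added example, not Google's code or anything from this page. It assumes the JSON shape that `gcloud access-context-manager perimeters describe NAME --policy=POLICY --format=json` returns (a `status` object with `restrictedServices` and `ingressPolicies`), the service names `iamcredentials.googleapis.com` and `cloudresourcemanager.googleapis.com` for the two APIs named above, and a constructed sample perimeter embedded inline:

```python
"""Lint a VPC Service Controls perimeter for the IAM/STS pitfalls described above.

Added example (not from the page). Input is the JSON returned by
`gcloud access-context-manager perimeters describe ... --format=json`;
only the standard library is used so it runs offline.
"""
import copy
import json

IAM = "iam.googleapis.com"
STS = "sts.googleapis.com"

# Assumption: APIs the page says an IAM perimeter does NOT cover. Each has its
# own VPC SC service name and must be restricted separately to be covered.
NOT_COVERED_BY_IAM = {
    "iamcredentials.googleapis.com": "Service Account Credentials API (token minting, signBlob/signJwt)",
    "cloudresourcemanager.googleapis.com": "allow policies on projects, folders, and organizations",
}


def _services_in(rule):
    """Service names an ingress rule's ingressTo.operations grant access to."""
    ops = rule.get("ingressTo", {}).get("operations", [])
    return {op.get("serviceName") for op in ops}


def lint_perimeter(perimeter):
    """Return a list of (severity, message) findings for one perimeter dict."""
    findings = []
    status = perimeter.get("status", {})
    restricted = set(status.get("restrictedServices", []))

    if STS in restricted:
        for i, rule in enumerate(status.get("ingressPolicies", [])):
            svcs = _services_in(rule)
            if STS not in svcs and "*" not in svcs:
                continue
            ident = rule.get("ingressFrom", {}).get("identityType")
            if ident != "ANY_IDENTITY":
                # The token method is unauthenticated, so an identity-scoped
                # rule never matches and the exchange is silently denied.
                findings.append(("ERROR",
                    f"ingressPolicies[{i}] allows {STS} with identityType={ident!r}; "
                    "token exchanges are unauthenticated, so only ANY_IDENTITY can match"))

    if IAM in restricted:
        for svc, what in NOT_COVERED_BY_IAM.items():
            if svc not in restricted:
                findings.append(("WARN",
                    f"{IAM} is restricted but {svc} is not: {what} "
                    "are not restricted by this perimeter"))
    return findings


def fix_sts_rule(rule):
    """Return a copy of an ingress rule rewritten to use ANY_IDENTITY."""
    fixed = copy.deepcopy(rule)
    ingress_from = fixed.setdefault("ingressFrom", {})
    ingress_from.pop("identities", None)  # identity lists can never match STS
    ingress_from["identityType"] = "ANY_IDENTITY"
    return fixed


# Constructed sample: STS rule scoped to user accounts (wrong), IAM rule scoped
# to one service account, and no coverage of the credentials/resource manager APIs.
SAMPLE_PERIMETER = json.loads("""
{
  "name": "accessPolicies/123456789/servicePerimeters/iam_perimeter",
  "status": {
    "resources": ["projects/111111111111"],
    "restrictedServices": ["iam.googleapis.com", "sts.googleapis.com"],
    "ingressPolicies": [
      {
        "ingressFrom": {
          "identityType": "ANY_USER_ACCOUNT",
          "sources": [{"accessLevel": "accessPolicies/123456789/accessLevels/corp_ips"}]
        },
        "ingressTo": {
          "operations": [{"serviceName": "sts.googleapis.com", "methodSelectors": [{"method": "*"}]}],
          "resources": ["projects/111111111111"]
        }
      },
      {
        "ingressFrom": {
          "identities": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
          "sources": [{"accessLevel": "accessPolicies/123456789/accessLevels/corp_ips"}]
        },
        "ingressTo": {
          "operations": [{"serviceName": "iam.googleapis.com", "methodSelectors": [{"method": "*"}]}],
          "resources": ["*"]
        }
      }
    ]
  }
}
""")

if __name__ == "__main__":
    for severity, message in lint_perimeter(SAMPLE_PERIMETER):
        print(f"{severity}: {message}")
```

On the sample, the linter reports one ERROR for the STS rule and two WARNs for the uncovered APIs; applying `fix_sts_rule` to the first rule clears the ERROR. The IAM rule that names a single service account is left alone: identity-scoped rules are fine for the IAM API, which does authenticate its callers.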
Help secure the Privileged Access Manager API
Preview — Using VPC Service Controls with Privileged Access Manager. This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
You can help secure your Privileged Access Manager resources by using VPC Service Controls. Privileged Access Manager resources include the following:
- Entitlements
- Grants
VPC Service Controls doesn't support adding folder-level or organization-level resources to a service perimeter, so you can't use a perimeter to protect folder-level or organization-level Privileged Access Manager entitlements and grants. VPC Service Controls protects only project-level Privileged Access Manager resources.
For more details about how VPC Service Controls works with Privileged Access Manager, see the Privileged Access Manager entry in the VPC Service Controls supported products table.
What's next
- Learn how to create a service perimeter.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.