Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
IAM Conditions for fine-grained access
This page describes how to restrict access to your connections by using IAM Conditions.
An IAM condition lets you have granular control over your Integration Connectors resources. By default, an Integration Connectors user or a role can perform all the supported operations on a connection. By using IAM Conditions, you can restrict a specific user or a role to do only selected operations on a connection. For example, you can restrict a user such that the user can only modify the connections whose name begins with test-connection, and will not have other permissions on the connections such as subscribing to events or viewing the schema metadata.
Before you begin
Integration Connectors uses Google Cloud's Identity and Access Management (IAM) to manage roles and permissions for Integration Connectors resources. Therefore, before you specify or modify conditions in IAM for your Integration Connectors resources, familiarize yourself with the following IAM concepts:
Adding IAM Conditions
To add an IAM condition to an Integration Connectors resource, you need the following information:
- Named Resource URI - Every resource in Integration Connectors has a unique resource URI. For example, the URI for the connection resource is `projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/{connection_name}`. For the complete list of all the available URIs, see Integration Connectors REST resources. To control access permissions for a resource at a granular level, you must name your resource according to a naming convention. Based on your requirements, you can decide the naming convention you want to use. For example, you can prefix the word marketing- for all the connections owned by the marketing team. In this example, the resource URI for the marketing team's connections will begin with `projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-`.
- Parent only permissions - Check if a resource or any of its child resource(s) require the parent-only permission. For more information, see Parent-only permissions.
- Resource type - You can further narrow the scope of the resources by filtering for a resource type in the condition. Integration Connectors supports conditions for the following resources:
| Resource name | Resource type |
|---|---|
| Connection | connectors.googleapis.com/Connection |
| ManagedZone | connectors.googleapis.com/ManagedZone |
| EndpointAttachment | connectors.googleapis.com/EndpointAttachment |
| EventSubscription | connectors.googleapis.com/EventSubscription |
| ConnectionSchemaMetadata | connectors.googleapis.com/ConnectionSchemaMetadata |
marketing-, the user can still list (view) all the connections because the list permission is available on the connection's parent resource (location). However, the user can perform get, create, update, and delete operations only on the connections whose name begins with marketing-.
Examples
The following table lists the sample resource conditions that you can apply for an Integration Connectors user or a role.
| IAM resource condition | Description |
|---|---|
| `(resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") && resource.type == "connectors.googleapis.com/Connection") \|\| resource.type != "connectors.googleapis.com/Connection"` | A user or a role to whom you apply this condition can only do the following operations: |
| `(resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") && resource.type == "connectors.googleapis.com/Connection") \|\| (resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-") && resource.type == "connectors.googleapis.com/ConnectionSchemaMetadata") \|\| (resource.type != "connectors.googleapis.com/Connection" && resource.type != "connectors.googleapis.com/ConnectionSchemaMetadata")` | A user or a role to whom you apply this condition can only do the following operations: |
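The two conditions in the table above differ in what they leave open: the first one restricts only Connection resources and grants every other resource type unconditionally, so schema metadata of non-marketing connections stays readable; the second one closes that gap. The following added example (not code from the Integration Connectors documentation) re-implements both expressions in Python and evaluates them against constructed resources, so you can see what a condition grants before you apply it. The resource name formats for schema metadata and managed zones are assumed; PROJECT_ID and CONNECTION_LOCATION are placeholders as on the page.

```python
from dataclasses import dataclass

# Prefix used by the page's conditions; PROJECT_ID / CONNECTION_LOCATION are placeholders.
PREFIX = "projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-"
CONNECTIONS = "projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/"
CONNECTION = "connectors.googleapis.com/Connection"
SCHEMA = "connectors.googleapis.com/ConnectionSchemaMetadata"
ZONE = "connectors.googleapis.com/ManagedZone"


@dataclass(frozen=True)
class Resource:
    name: str  # value of resource.name as seen by the CEL condition
    type: str  # value of resource.type as seen by the CEL condition


def condition_connections_only(r: Resource) -> bool:
    """First table row: only Connection resources are limited to the marketing- prefix.
    Any other resource type (including ConnectionSchemaMetadata) is granted outright."""
    return (r.name.startswith(PREFIX) and r.type == CONNECTION) or r.type != CONNECTION


def condition_connections_and_schema(r: Resource) -> bool:
    """Second table row: ConnectionSchemaMetadata is also limited to the marketing- prefix."""
    return ((r.name.startswith(PREFIX) and r.type == CONNECTION)
            or (r.name.startswith(PREFIX) and r.type == SCHEMA)
            or (r.type != CONNECTION and r.type != SCHEMA))


# Constructed sample resources (child and zone name formats are assumptions).
SAMPLES = {
    "marketing-conn": Resource(PREFIX + "crm", CONNECTION),
    "test-conn": Resource(CONNECTIONS + "test-connection", CONNECTION),
    "marketing-schema": Resource(PREFIX + "crm/connectionSchemaMetadata", SCHEMA),
    "test-schema": Resource(CONNECTIONS + "test-connection/connectionSchemaMetadata", SCHEMA),
    "zone": Resource("projects/PROJECT_ID/locations/global/managedZones/zone-1", ZONE),
}


def evaluate(condition) -> dict:
    """Map each sample label to whether the condition grants access to it."""
    return {label: condition(r) for label, r in SAMPLES.items()}


if __name__ == "__main__":
    for fn in (condition_connections_only, condition_connections_and_schema):
        print(fn.__name__, evaluate(fn))
```

Running it shows "test-schema" allowed by the first condition and denied by the second, which is exactly the difference the table describes.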
Adding IAM Conditions for Application Integration service accounts
You can apply IAM Conditions to the Application Integration service account, which lets you restrict the connections the service account can access during integration execution. For example, you can restrict a service account such that it can access only connections whose name begins with marketing-. For more information, see Apply IAM Conditions to a service account.
The following table lists the sample resource conditions that you can apply for an Application Integration service account.
| IAM resource condition | Description |
|---|---|
| `resource.name.startsWith("projects/PROJECT_ID/locations/CONNECTION_LOCATION/connections/marketing-")` | The service account to which you apply this condition can run only those connections whose name starts with marketing-. |
startsWith constraint for a service account resource condition.
What's next
Go through the following information in the IAM documentation:
- Adding a conditional role binding to a policy
- Modify an existing conditional role binding
- Removing a conditional role binding
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.