Configure identity groups and third-party identities in ingress and egress rules
This page describes how to use identity groups in ingress and egress rules to allow access to resources protected by service perimeters.
VPC Service Controls uses ingress and egress rules to allow access to and from the resources and clients protected by service perimeters. To further refine access, you can specify identity groups in your ingress and egress rules.
An identity group is a convenient way to apply one access control to a collection of users, so that identities with the same access requirements can be managed together instead of being listed individually in each rule.
To configure identity groups in ingress or egress rules, you can use the following supported identity groups in the `identities` attribute:
- Google groups
- Third-party identities, such as workforce pool users and workload identities
VPC Service Controls doesn't support Workload Identity Federation for GKE.
For information about how to apply ingress and egress rule policies, see Configuring ingress and egress policies.
Before you begin
- Make sure that you have read Ingress and egress rules.
Configure identity groups in ingress rules
Console
When you update an ingress policy of a service perimeter or set an ingress policy during perimeter creation using the Google Cloud console, you can configure the ingress rule to use identity groups.
1. When you create a perimeter or edit a perimeter in the Google Cloud console, select Ingress policy.
2. In the From section of your ingress policy, select Select identities & groups from the Identities list.
3. Click Add identities.
4. In the Add identities pane, specify a Google group or a third-party identity to which you want to provide access to resources in the perimeter. To specify an identity group, use the format specified in Supported identity groups.
5. Click Add identities.
6. Click Save.
For information about the other ingress rule attributes, see Ingress rules reference.
gcloud
You can configure an ingress rule to use identity groups using a JSON file or a YAML file. The following sample uses the YAML format:
```yaml
- ingressFrom:
    identities:
    - PRINCIPAL_IDENTIFIER
    sources:
    - resource: RESOURCE
      *OR*
    - accessLevel: ACCESS_LEVEL
  ingressTo:
    operations:
    - serviceName: SERVICE_NAME
      methodSelectors:
      - method: METHOD_NAME
    resources:
    - projects/PROJECT_NUMBER
```
Replace the following:
- PRINCIPAL_IDENTIFIER: specify a Google group or a third-party identity to which you want to provide access to resources in the perimeter. To specify an identity group, use the format specified in Supported identity groups.
For information about the other ingress rule attributes, see Ingress rules reference.
After you update an existing ingress rule to configure identity groups, you need to update the rule policies of the service perimeter. Note that `--set-ingress-policies` replaces the perimeter's entire set of ingress rules with the contents of the file, so the file must contain every ingress rule you want to keep, not only the modified one:
```shell
gcloud access-context-manager perimeters update PERIMETER_ID --set-ingress-policies=RULE_POLICY.yaml
```
Replace the following:
- PERIMETER_ID: the ID of the service perimeter that you want to update.
- RULE_POLICY: the path of the modified ingress rule file.
For more information, see Updating ingress and egress policies for a service perimeter.
Configure identity groups in egress rules
Console
When you update an egress policy of a service perimeter or set an egress policy during perimeter creation using the Google Cloud console, you can configure the egress rule to use identity groups.
1. When you create a perimeter or edit a perimeter in the Google Cloud console, select Egress policy.
2. In the From section of your egress policy, select Select identities & groups from the Identities list.
3. Click Add identities.
4. In the Add identities pane, specify a Google group or a third-party identity that can access the specified resources outside the perimeter. To specify an identity group, use the format specified in Supported identity groups.
5. Click Add identities.
6. Click Save.
For information about the other egress rule attributes, see Egress rules reference.
gcloud
You can configure an egress rule to use identity groups using a JSON file or a YAML file. The following sample uses the YAML format:
```yaml
- egressTo:
    operations:
    - serviceName: SERVICE_NAME
      methodSelectors:
      - method: METHOD_NAME
    resources:
    - projects/PROJECT_NUMBER
  egressFrom:
    identities:
    - PRINCIPAL_IDENTIFIER
```
Replace the following:
- PRINCIPAL_IDENTIFIER: specify a Google group or a third-party identity that can access the specified resources outside the perimeter. To specify an identity group, use the format specified in Supported identity groups.
For information about the other egress rule attributes, see Egress rules reference.
After you update an existing egress rule to configure identity groups, you need to update the rule policies of the service perimeter. Note that `--set-egress-policies` replaces the perimeter's entire set of egress rules with the contents of the file, so the file must contain every egress rule you want to keep, not only the modified one:
```shell
gcloud access-context-manager perimeters update PERIMETER_ID --set-egress-policies=RULE_POLICY.yaml
```
Replace the following:
- PERIMETER_ID: the ID of the service perimeter that you want to update.
- RULE_POLICY: the path of the modified egress rule file.
For more information, see Updating ingress and egress policies for a service perimeter.
Supported identity groups
VPC Service Controls supports the following identity groups from the IAM v1 API principal identifiers:
| Principal type | Identifier |
|---|---|
| Group | group:GROUP_EMAIL_ADDRESS |
| Single identity in a workforce identity pool | principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
| All workforce identities in a group | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID |
| All workforce identities with a specific attribute value | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
| All identities in a workforce identity pool | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/* |
| Single identity in a workload identity pool | principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
| Workload identity pool group | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID |
| All identities in a workload identity pool with a certain attribute | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
| All identities in a workload identity pool | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/* |
For more information about these identities, see Principal identifiers for allow policies.
Limitations
- Before using identity groups, understand the unsupported features in ingress and egress rules.
- When you use identity groups in an egress rule, you can't set the `resources` field in the `egressTo` attribute to `"*"`.
- You can't use a workload identity in ingress and egress rules to allow Apache Airflow web interface operations in Cloud Composer. However, you can use the `ANY_IDENTITY` identity type in ingress and egress rules to allow access to all identities, including workload identities. For more information about the `ANY_IDENTITY` identity type, see Ingress and egress rules.
- For information about ingress and egress rule limits, see Quotas and limits.
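The rule-file samples in the gcloud sections above and the egress limitation in this list are both mechanical enough to check before a file reaches `gcloud access-context-manager perimeters update`. The following script is an added example, not Google's own tooling: it encodes the identifier formats from the Supported identity groups table as regular expressions, classifies every entry in an `identities` list, and rejects an egress rule that names an identity group while setting `egressTo.resources` to `"*"`. The group address, pool IDs and project numbers in the sample rules are constructed placeholders, and the rules are written as JSON, which gcloud accepts alongside YAML.

```python
"""Lint VPC Service Controls rule policies that use identity groups.

Added example, not Google's own tooling. It encodes the identifier formats from
the Supported identity groups table on this page and the Limitations entry that
identity groups cannot be combined with egressTo.resources set to "*".
"""
import json
import re

# One regex per row of the Supported identity groups table. PROJECT_NUMBER is
# numeric; pool IDs, group IDs, subjects and attribute values are opaque.
_WF = r"iam\.googleapis\.com/locations/global/workforcePools/[^/]+"
_WL = r"iam\.googleapis\.com/projects/\d+/locations/global/workloadIdentityPools/[^/]+"
IDENTITY_GROUP_FORMATS = {
    "group": re.compile(r"^group:[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "workforce_single": re.compile(rf"^principal://{_WF}/subject/.+$"),
    "workforce_group": re.compile(rf"^principalSet://{_WF}/group/.+$"),
    "workforce_attribute": re.compile(rf"^principalSet://{_WF}/attribute\.[^/]+/.+$"),
    "workforce_all": re.compile(rf"^principalSet://{_WF}/\*$"),
    "workload_single": re.compile(rf"^principal://{_WL}/subject/.+$"),
    "workload_group": re.compile(rf"^principalSet://{_WL}/group/.+$"),
    "workload_attribute": re.compile(rf"^principalSet://{_WL}/attribute\.[^/]+/.+$"),
    "workload_all": re.compile(rf"^principalSet://{_WL}/\*$"),
}


def classify_identity(identity):
    """Return the table row an identity matches, or None if it matches none."""
    for name, pattern in IDENTITY_GROUP_FORMATS.items():
        if pattern.match(identity):
            return name
    return None


def lint_rules(rules, direction):
    """Return findings for a list of rules; direction is "ingress" or "egress".

    Attribute names follow the YAML samples on this page
    (ingressFrom/ingressTo, egressFrom/egressTo).
    """
    findings = []
    for idx, rule in enumerate(rules):
        src = rule.get(f"{direction}From", {})
        dst = rule.get(f"{direction}To", {})
        uses_identity_groups = False
        for ident in src.get("identities", []):
            if classify_identity(ident) is None:
                # Not necessarily invalid: user: and serviceAccount: principals are
                # covered by the Ingress and egress rules reference, not this table.
                findings.append(f"{direction} rule {idx}: '{ident}' is not an identity-group "
                                "format from the Supported identity groups table")
            else:
                uses_identity_groups = True
        if direction == "egress" and uses_identity_groups and "*" in dst.get("resources", []):
            findings.append(f"egress rule {idx}: identity groups cannot be combined with "
                            "egressTo.resources [\"*\"]; list the target projects explicitly")
    return findings


# Constructed sample rules. Group addresses, pool IDs and project numbers are
# placeholders, not real resources.
INGRESS_RULES = [{
    "ingressFrom": {
        "identities": [
            "group:sre-oncall@example.com",
            "principalSet://iam.googleapis.com/locations/global/workforcePools/"
            "example-wf-pool/group/finance-admins",
        ],
        "sources": [{"resource": "projects/333333333333"}],
    },
    "ingressTo": {
        "operations": [{"serviceName": "storage.googleapis.com",
                        "methodSelectors": [{"method": "google.storage.objects.get"}]}],
        "resources": ["projects/111111111111"],
    },
}]
EGRESS_RULES = [{
    "egressFrom": {
        "identities": [
            "principalSet://iam.googleapis.com/projects/222222222222/locations/global/"
            "workloadIdentityPools/example-wl-pool/*",
            "serviceAccount:etl@example-project.iam.gserviceaccount.com",
        ],
    },
    "egressTo": {
        "operations": [{"serviceName": "bigquery.googleapis.com",
                        "methodSelectors": [{"method": "*"}]}],
        "resources": ["*"],  # rejected once identity groups are present
    },
}]

if __name__ == "__main__":
    for direction, rules in (("ingress", INGRESS_RULES), ("egress", EGRESS_RULES)):
        for finding in lint_rules(rules, direction) or [f"{direction}: no findings"]:
            print(finding)
        # gcloud accepts the rule file as JSON or YAML.
        with open(f"{direction}-policy.json", "w", encoding="utf-8") as fh:
            json.dump(rules, fh, indent=2)
        print(f"gcloud access-context-manager perimeters update PERIMETER_ID "
              f"--set-{direction}-policies={direction}-policy.json")
```

Run as a script, it reports that the sample egress rule combines a workload identity pool with `resources: ["*"]` and that the `serviceAccount:` entry is not one of the identity-group formats (which is informational, since service accounts are permitted in `identities` under the rules reference), then writes each rule list as a JSON file and prints the matching update command. The regexes only validate shape; whether a pool, group or project actually exists is checked by the API when the perimeter is updated.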
Last updated 2026-02-19 UTC.