Some or all of the information on this page might not apply to Cloud de Confiance by S3NS. See Differences from Google Cloud for more details.

Principal identifiers

When you refer to a principal in an Identity and Access Management (IAM) policy, you need to use the correct identifier for the principal. The format of the identifier depends on the type of principal that you want to refer to and the type of policy that you're writing.

This page lists the identifier formats for each policy type's supported principal types.

Principal identifiers for allow policies

The following table describes the principal identifiers for allow policies, which use the IAM v1 API.

These identifiers are also used for Privileged Access Manager entitlements.

Principal type	Identifier
Service account	`serviceAccount:SA_EMAIL_ADDRESS` Example: `serviceAccount:my-service-account@my-project.s3ns.iam.gserviceaccount.com`
All service accounts in a project, folder, or organization	`principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAccount` Example for all service accounts in a project: `principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount` Example for all service accounts in all projects in a folder: `principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAccount` Example for all service accounts in all projects in an organization: `principalSet://cloudresourcemanager.googleapis.com/organizations/123456789012/type/ServiceAccount` Note: Moving projects into or out of a folder or organization changes the service accounts included in this principal set. For example, if you move a project out of a folder or organization, then this principal set no longer includes that project's service accounts.
All users	`allUsers`
All authenticated users	`allAuthenticatedUsers`
Single identity in a workforce identity pool	`principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE` Example: `principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com`
All workforce identities in a group	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID` Example using a group email: `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/administrators-group@altostrat.com` Example using a group UUID: `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/abcdefgh-0123-0123-abcdef`
All workforce identities with a specific attribute value	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE` Example: `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/attribute.department/administration`
All identities in a workforce identity pool	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/` Example:* `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/*`
Single identity in a workload identity pool	`principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE`
Workload identity pool group	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID`
All identities in a workload identity pool with a certain attribute	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE`
All identities in a workload identity pool	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*`
Agent identity (Preview)	`principal://TRUST_DOMAIN/AGENT_UNIQUE_IDENTIFIER` Example: `principal://agents.global.org-123456789012.system.id.goog/resources/aiplatform/projects/9876543210/locations/us-central1/reasoningEngines/my-test-agent`
All agent identities in a trust domain (Preview)	`principalSet://TRUST_DOMAIN/` Example:* `principalSet://agents.global.org-123456789012.system.id.goog/*`
All GKE Pods that use a specific Kubernetes service account	By service account name: `principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.s3ns.svc.id.goog/subject/ns/NAMESPACE/sa/KUBERNETES_SERVICE_ACCOUNT` By service account ID: `principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.s3ns.svc.id.goog/kubernetes.serviceaccount.uid/SERVICEACCOUNT_ID` Legacy format: `serviceAccount:PROJECT_ID.s3ns.svc.id.goog[NAMESPACE/KUBERNETES_SERVICE_ACCOUNT]`
All GKE Pods in a Kubernetes namespace, regardless of service account or cluster	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.s3ns.svc.id.goog/namespace/NAMESPACE`
All GKE Pods in a specific cluster	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.s3ns.svc.id.goog/kubernetes.cluster/https://container.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_NAME`
Deleted service account¹	`deleted:serviceAccount:SA_EMAIL_ADDRESS?uid=UNIQUE_ID` Example: `deleted:serviceAccount:my-service-account@my-project.s3ns.iam.gserviceaccount.com?uid=123456789012345678901`
Deleted single identity in a workforce identity pool¹	`deleted:principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE` Example: `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`

¹ Don't add deleted principals when creating or modifying policies.

Principal identifiers for deny policies

The following table describes the principal identifiers for deny policies, which use the IAM v2 API.

Principal type	Identifier
Service account	`principal://iam.googleapis.com/projects/-/serviceAccounts/SA_EMAIL_ADDRESS` Example: `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@my-project.s3ns.iam.gserviceaccount.com`
All service accounts in a project, folder, or organization	`principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAccount` Example for all service accounts in a project: `principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount` Example for all service accounts in all projects in a folder: `principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAccount` Example for all service accounts in all projects in an organization: `principalSet://cloudresourcemanager.googleapis.com/organizations/123456789012/type/ServiceAccount` Note: Moving projects into or out of a folder or organization changes the service accounts included in this principal set. For example, if you move a project out of a folder or organization, then this principal set no longer includes that project's service accounts.
All service agents associated with a project, folder, or organization	`principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAgent` Example for all service agents associated with a project or its descendants: `principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAgent` Example for all service agents associated with a folder or its descendants: `principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAgent` Example for all service agents associated with an organization or its descendants: `principalSet://cloudresourcemanager.googleapis.com/organizations/123456789012/type/ServiceAgent` Warning: Don't deny permissions for service agents—doing so might cause some Cloud de Confiance services to stop working properly. Instead, use these principal sets to exempt service agents from deny rules. Note: Moving projects into or out of a folder or organization changes the service agents included in this principal set. For example, if you move a project out of a folder or organization, then this principal set no longer includes that project's service agents.
All principals	`principalSet://goog/public:all`
Single identity in a workforce identity pool	`principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE` Example: `principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com`
All workforce identities in a group	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID` Example using a group email: `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/administrators-group@altostrat.com` Example using a group UUID: `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/abcdefgh-0123-0123-abcdef`
All workforce identities with a specific attribute value	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE` Example: `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/attribute.department/administration`
All identities in a workforce identity pool	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/` Example:* `principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/*`
Single identity in a workload identity pool	`principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE`
Workload identity pool group	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID`
All identities in a workload identity pool with a certain attribute	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE`
All identities in a workload identity pool	`principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*`
Agent identity (Preview)	`principal://TRUST_DOMAIN/AGENT_RESOURCE_PATH/AGENT_ID` Example: `principal://agents.global.org-123456789012.system.id.goog/resources/aiplatform/projects/9876543210/locations/us-central1/reasoningEngines/my-test-agent`
Deleted service account²	`deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/SA_EMAIL_ADDRESS?uid=UNIQUE_ID` Example: `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@my-project.s3ns.iam.gserviceaccount.com?uid=123456789012345678901`
Deleted single identity in a workforce identity pool²	`deleted:principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE` Example: `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`

¹ Learn how to find your Cloud Identity customer ID.

² Don't add deleted principals when creating or modifying policies.

Principal types for access policies

The following table describes the principal identifiers that you can use in access policies. You can use access policies to control access to Eventarc resources. For more information, see the Eventarc documentation.

Principal type Identifier

Service account

principal://iam.googleapis.com/projects/-/serviceAccounts/SA_EMAIL_ADDRESS

Example: principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@my-project.s3ns.iam.gserviceaccount.com

All service accounts in a project, folder, or organization

principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAccount

Example for all service accounts in a project: principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount

Example for all service accounts in all projects in a folder: principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAccount

Example for all service accounts in all projects in an organization: principalSet://cloudresourcemanager.googleapis.com/organizations/123456789012/type/ServiceAccount

All principals¹ principalSet://goog/public:all

¹ This value can only be used in access policies with the DENY action.