Some Cloud de Confiance resources have built-in identities. These identities let the resources act like principals. As a result, resources with built-in identities can do the following:
- Be granted IAM roles using the resource's principal identifier
- Access other resources without using service agents
Principal identifiers for single resources
The following table lists the resource types that have built-in identities. It also lists the accepted formats for the resource's principal identifier. Use one of the accepted formats for the principal identifier in your allow policies to grant roles to the resource.
| Resource type | Principal identifier format |
|---|---|
| Parameter Manager parameters | principal://parametermanager.googleapis.com/ |
| Workload identity pool (preview) | principal://iam.googleapis.com/projects/PROJECT_NUMBER/name/locations/global/workloadIdentityPools/WORKLOAD_IDENTITY_POOL_NAME |
Principal identifiers for sets of resources
Use the following formats in your allow policies to grant roles to sets of resources with built-in identities:
| Description | Format |
|---|---|
| All resources for the specified service in the specified project | principalSet://RESOURCE_SERVICE/ |
| All resources in the specified project with the specified type | principalSet://RESOURCE_SERVICE/ |
| All resources with the specified ancestor | |
| All resources with the specified type and the specified ancestor | |
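The following is an added example, not part of this page or of any Google tooling, showing how a binding for a built-in-identity principal can be added to an allow policy before it is written back with set-iam-policy. It uses the workload identity pool format from the table above with constructed placeholder values, treats the policy shape (etag, version, bindings) and the placeholder-detection heuristic as assumptions, and rejects identifiers whose template placeholders were never filled in.

```python
import copy
import re

# Accepted principal identifier for a workload identity pool's built-in identity,
# copied from the table on this page; the placeholders are filled in by the caller.
WORKLOAD_IDENTITY_POOL_FORMAT = (
    "principal://iam.googleapis.com/projects/{PROJECT_NUMBER}/name/locations/global/"
    "workloadIdentityPools/{WORKLOAD_IDENTITY_POOL_NAME}"
)

# Built-in-identity principals: principal:// for one resource, principalSet:// for a set.
_RESOURCE_PRINCIPAL = re.compile(r"^principal(Set)?://([a-z0-9.-]+\.googleapis\.com)/(\S+)$")
# Heuristic (assumption): an unfilled template placeholder such as PROJECT_NUMBER is an
# all-caps token; such identifiers must never reach a real policy.
_PLACEHOLDER = re.compile(r"[A-Z][A-Z_]{3,}")


def parse_resource_principal(member):
    """Return (is_set, service, path) for a principal:// or principalSet:// member, else None."""
    m = _RESOURCE_PRINCIPAL.match(member)
    if not m:
        return None
    return (m.group(1) == "Set", m.group(2), m.group(3))


def grant_role_to_resource(policy, member, role):
    """Return a copy of an allow policy with `member` added to the binding for `role`.

    Only built-in-identity principals are accepted here; identifiers that still
    contain template placeholders are rejected so a half-edited binding cannot be
    applied. The etag is preserved so set-iam-policy can detect a concurrent edit.
    """
    parsed = parse_resource_principal(member)
    if parsed is None:
        raise ValueError("not a principal:// or principalSet:// identifier: " + member)
    if _PLACEHOLDER.search(parsed[2]):
        raise ValueError("identifier still contains an unfilled placeholder: " + member)
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


if __name__ == "__main__":
    # Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json` output.
    sample = {"etag": "BwXyz", "version": 1,
              "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}]}
    pool = WORKLOAD_IDENTITY_POOL_FORMAT.format(PROJECT_NUMBER="123456789012",
                                                WORKLOAD_IDENTITY_POOL_NAME="my-pool")
    print(grant_role_to_resource(sample, pool, "roles/viewer"))
```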