VPC Service Controls uses ingress and egress rules to control access to and from resources and clients within service perimeters. To narrow a rule further, you can restrict it to specific supported identities rather than any caller that satisfies the rule's other conditions.
This page lists the identities supported by VPC Service Controls in ingress and egress rules, and the identifier format for each.
Supported identities
VPC Service Controls supports the following identities from Principal identifiers for allow policies, which use the IAM v1 API:
| Identity type | Principal type | Identifier |
|---|---|---|
| Single principals | User accounts | user:USER_EMAIL_ADDRESS |
| Single principals | Service accounts | serviceAccount:SA_EMAIL_ADDRESS |
| Identity groups and third-party identities | Group | group:GROUP_EMAIL_ADDRESS |
| Identity groups and third-party identities | Single identity in a workforce identity pool | principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
| Identity groups and third-party identities | All workforce identities in a group | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID |
| Identity groups and third-party identities | All workforce identities with a specific attribute value | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
| Identity groups and third-party identities | All identities in a workforce identity pool | principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/* |
| Identity groups and third-party identities | Single identity in a workload identity pool | principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE |
| Identity groups and third-party identities | Workload identity pool group | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID |
| Identity groups and third-party identities | All identities in a workload identity pool with a certain attribute | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
| Identity groups and third-party identities | All identities in a workload identity pool | principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/* |
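A practical use of this table is to lint a rule before applying it, so that a typo or an identifier type that is not in the list is caught before `gcloud access-context-manager perimeters update --set-ingress-policies` is run. The following Python is an added example, not code from this page or from Google: it matches each identity in a rule against the formats above, flags the pool-wide `*` forms as broad (they admit every identity in the pool, so they deserve a second look in review), and reports anything that matches no row. The rule dictionary is constructed for the example and follows the shape of the YAML that `--set-ingress-policies` accepts, as assumed here; the character classes allowed in each placeholder are also assumptions, because the page gives only the placeholder names.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Character classes for the placeholders in the table. These are assumptions
# made for this example; the page only names the placeholders.
_EMAIL = r"[^\s:/@]+@[^\s:/@]+"   # USER_EMAIL_ADDRESS, SA_EMAIL_ADDRESS, GROUP_EMAIL_ADDRESS
_SEG = r"[^\s/*]+"                # POOL_ID, GROUP_ID, ATTRIBUTE_NAME: one path segment
_VALUE = r"[^\s*]+"               # SUBJECT_ATTRIBUTE_VALUE, ATTRIBUTE_VALUE: may contain '/'
_NUM = r"[0-9]+"                  # PROJECT_NUMBER
_WF = rf"iam\.googleapis\.com/locations/global/workforcePools/{_SEG}"
_WL = rf"iam\.googleapis\.com/projects/{_NUM}/locations/global/workloadIdentityPools/{_SEG}"

# One row per table entry: (principal type, anchored pattern, admits a whole pool?)
IDENTITY_FORMATS: List[Tuple[str, "re.Pattern[str]", bool]] = [
    ("User account", re.compile(rf"user:{_EMAIL}"), False),
    ("Service account", re.compile(rf"serviceAccount:{_EMAIL}"), False),
    ("Group", re.compile(rf"group:{_EMAIL}"), False),
    ("Single identity in a workforce identity pool", re.compile(rf"principal://{_WF}/subject/{_VALUE}"), False),
    ("All workforce identities in a group", re.compile(rf"principalSet://{_WF}/group/{_SEG}"), False),
    ("All workforce identities with a specific attribute value", re.compile(rf"principalSet://{_WF}/attribute\.{_SEG}/{_VALUE}"), False),
    ("All identities in a workforce identity pool", re.compile(rf"principalSet://{_WF}/\*"), True),
    ("Single identity in a workload identity pool", re.compile(rf"principal://{_WL}/subject/{_VALUE}"), False),
    ("Workload identity pool group", re.compile(rf"principalSet://{_WL}/group/{_SEG}"), False),
    ("All identities in a workload identity pool with a certain attribute", re.compile(rf"principalSet://{_WL}/attribute\.{_SEG}/{_VALUE}"), False),
    ("All identities in a workload identity pool", re.compile(rf"principalSet://{_WL}/\*"), True),
]


class Finding(NamedTuple):
    identity: str
    status: str                    # "ok", "broad" (whole pool) or "unsupported"
    principal_type: Optional[str]  # row of the table that matched, or None


def _match(identity: str) -> Optional[Tuple[str, "re.Pattern[str]", bool]]:
    for row in IDENTITY_FORMATS:
        if row[1].fullmatch(identity):
            return row
    return None


def classify(identity: str) -> Optional[str]:
    """Return the principal type from the table, or None if no row matches."""
    row = _match(identity)
    return row[0] if row else None


def check_identities(identities: List[str]) -> List[Finding]:
    """Classify every identity; anything outside the table is 'unsupported'."""
    findings = []
    for identity in identities:
        row = _match(identity)
        if row is None:
            findings.append(Finding(identity, "unsupported", None))
        else:
            findings.append(Finding(identity, "broad" if row[2] else "ok", row[0]))
    return findings


def check_rule(rule: dict) -> List[Finding]:
    """Check the identities of an ingress rule (ingressFrom) or an egress rule (egressFrom)."""
    side = rule.get("ingressFrom") or rule.get("egressFrom") or {}
    return check_identities(side.get("identities", []))


# Constructed sample rule (assumed shape of the --set-ingress-policies YAML, loaded as a dict).
SAMPLE_INGRESS_RULE = {
    "ingressFrom": {
        "identities": [
            "user:alice@example.com",
            "serviceAccount:ci-builder@my-project.iam.gserviceaccount.com",
            "group:data-eng@example.com",
            "principalSet://iam.googleapis.com/locations/global/workforcePools/corp-pool/attribute.department/security",
            "principal://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/gh-pool/subject/repo:example/app:ref:refs/heads/main",
            "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/gh-pool/*",
            "allAuthenticatedUsers",          # not in the table
            "domain:example.com",             # not in the table
            "deleted:serviceAccount:old@my-project.iam.gserviceaccount.com?uid=1234",  # not in the table
        ],
        "sources": [{"accessLevel": "*"}],
    },
    "ingressTo": {
        "operations": [{"serviceName": "storage.googleapis.com", "methodSelectors": [{"method": "*"}]}],
        "resources": ["projects/123456789012"],
    },
}

if __name__ == "__main__":
    for finding in check_rule(SAMPLE_INGRESS_RULE):
        print(f"{finding.status:<11} {finding.principal_type or '-':<60} {finding.identity}")
```

Running the script lists one line per identity; the three trailing entries come back as `unsupported` because they match no row of the table, and the `gh-pool/*` entry as `broad`. Treat `broad` as a review prompt rather than an error: the pool-wide form is legitimate when the whole pool is meant, but it is easy to write when an attribute or subject restriction was intended.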
For more information about these identities, see Principal identifiers for allow policies.