Permission rules and bindings
Permission rules
Each rule grants permissions on one or more resource types:
{
"resources": ["cloud_vpc"],
"resourceIdentities": [],
"permissions": ["read", "list"],
"note": "VPC read access for network team"
}| Field | Meaning |
|---|---|
resources | API resource type(s) from GET /resources, or "*" for all |
resourceIdentities | Specific resource IDs; empty array = all instances of those types |
permissions | Actions: create, read, update, delete, list, *, plus service-specific permissions |
Service-specific permissions
| Service | Extra permissions |
|---|---|
| Container registry | push, pull |
| KMS | encrypt, decrypt, sign, verify, hmac, verify-hmac, rotate, export |
| Secrets Manager | getSecretValue, putSecretValue |
Assignable resource types include (non-exhaustive): project, cloud_vpc, kubernetes_cluster, dbaas_db_cluster, kms_key, secret, dns_zone, container_registry, object_storage_bucket, iam_policy, iam_policy_binding, and others. Use GET /v1/projects/iam/policies/resources for the authoritative list.
When a rule lists specific resource types with an empty resource-identity list, it applies to all instances of those types in scope.
Policy bindings
Bindings attach exactly one principal per binding:
| Principal | Binding field |
|---|---|
| User | userIdentity |
| Service account | serviceAccountIdentity |
| OIDC client | Via OIDC client binding on the binding object |
Bindings inherit the policy’s rules (and conditionals, when enforced). Multiple bindings on one policy give the same permissions to multiple principals.
Access conditions
Optional IP and time rules apply to the whole policy (not per rule or per binding). The condition shape matches Secrets Manager access policies and IAM policy conditionals elsewhere on the platform.
{
"allowed": [
{ "type": "ip", "ips": ["10.0.0.0/8", "192.168.0.0/16"] },
{
"type": "time",
"time": { "startHour": 8, "endHour": 18, "timezone": "Europe/Amsterdam" }
}
],
"denied": [
{ "type": "ip", "ips": ["203.0.113.50"] }
]
}Evaluation semantics
- Denied conditions are checked first — any match blocks access.
- If allowed conditions are present, at least one must match.
- No conditionals (or empty lists) → no extra restriction from conditions.
IP conditions accept a single IP or CIDR (IPv4/IPv6) in ips. Time conditions use hours 0–23 (inclusive range). If endHour < startHour, the window wraps midnight (for example, 20:00–08:00). Timezone is IANA (defaults to UTC).
Note: Conditionals are stored and validated on create/update and replicate with policies. Runtime enforcement on general API access via IAM policy conditionals is planned. By contrast, Secrets Manager access policies use the same condition shape and are enforced today on
getSecretValueandputSecretValue.
Policy replication to child projects
Set replicateToChildren: true at policy create. This flag cannot be changed later.
| Source project | Descendant projects |
|---|---|
| Editable policy with rules, bindings, conditionals | Read-only replicas (isReadOnly: true) |
Changes on the source (rules, bindings, conditionals, metadata) sync automatically to all descendant projects. Replicas share the same slug as the source.
| Event | Result |
|---|---|
| Create replicating policy | Replicas appear on all existing child projects |
| New child project created | Ancestor replicated policies synced in |
| Parent link changed | Orphan replicas pruned; new replicas created |
| Delete source policy | Replicas cascade-deleted |
In the console, inherited policies appear as view-only with “Inherited from {parent project}” and a link to edit on the source.
Built-in (system) policies
Every project automatically receives system IAM policies that mirror the platform’s organisation default role templates. See the default policies catalogue for the full list.
| Flag | Meaning |
|---|---|
system: true | Platform-managed; view-only |
isReadOnly: true | Cannot edit rules, bindings, or delete |
The default admin policy slug grants full access (resources: ["*"], permissions: ["*"]). Project creators are automatically bound to it. System policy rules are periodically synced from platform templates.
Policy lifecycle
flowchart TD
A[Create policy] --> B[Add permission rules]
A --> C[Create bindings]
A --> D[Optionally set access conditions]
A --> E[Optionally replicateToChildren]
E --> F[Read-only replicas on descendants]
G[Update custom policies] --> H[Metadata + conditionals via PUT]
G --> I[Add/remove rules]
G --> J[Add/remove/update bindings]
K[Delete custom policy] --> L[Rules and bindings removed]
K --> M[Replicas cascade-deleted if source]
Immutable after create: name, slug, replicateToChildren.
Not mutable: system policies (system: true) and inherited replicas (isReadOnly: true).
Access control on IAM policy APIs
IAM policy management itself is gated by permissions on resources iam_policy and iam_policy_binding. The project admin policy includes these permissions by default.
| Action | Typical permission |
|---|---|
| List policies | iam_policy:list |
| Create policy | iam_policy:create |
| Read policy / add rules | iam_policy:read |
| Update policy metadata/conditionals | iam_policy:update |
| Delete policy | iam_policy:delete |
| List bindings | iam_policy:read + iam_policy_binding:list |
| Create binding | iam_policy:read + iam_policy_binding:create |
| Update/delete binding | iam_policy:read + iam_policy_binding:update / delete |
Best practices
- Least privilege — Prefer narrow rules (specific
resourceIdentities) overresources: ["*"]withpermissions: ["*"]. - Separation of duties — Split create/delete from read/list across policies; use KMS encrypt/decrypt without export.
- Inherited policies — Use
replicateToChildrenfor org-wide standards (for example, auditor read-only) pushed to all child environments; edit only on the parent. - Service accounts over users — Bind automation to service accounts or OIDC clients, not personal users.
- Project picker — Ensure the console always shows the active project; permissions change with project context.
- Conditionals — Configure IP/time restrictions now; they will apply once platform-wide enforcement ships. Use Secrets Manager access policies today for secret-specific IP/time enforcement.
Common errors
| HTTP | Typical cause |
|---|---|
403 | projects feature gate disabled; insufficient iam_policy permission |
400 | Validation error; mutating system or read-only replica; parent cycle; escalation attempt; invalid resource type or conditional |
404 | Project, policy, binding, or parent not found |
409 | Duplicate project or policy slug |
Related documentation
- Concepts — Effective permissions and object reference
- Default policies — Built-in policy catalogue
- API reference — Endpoint summary