When you refer to a principal in an Identity and Access Management (IAM) policy, you need to use the correct identifier for the principal. The format of the identifier depends on the type of principal you want to refer to and the type of policy you're writing.
This page lists the identifier formats for each policy type's supported principal types.
Principal identifiers for allow policies

The following table describes the principal identifiers for allow policies, which use the IAM v1 API.

These identifiers are also used for the following:
- Privileged Access Manager entitlements
- VPC Service Controls ingress and egress rules

Preview — Principal identifiers for all service accounts in a project, folder, or organization
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Principal type and identifier

Single user
  Identifier: user:USER_EMAIL_ADDRESS
  Example: user:alex@example.com

Single service account
  Identifier: serviceAccount:SA_EMAIL_ADDRESS
  Example: serviceAccount:my-service-account@my-project.iam.gserviceaccount.com

All service accounts in a project, folder, or organization (Preview)
  Identifier: principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAccount
  Example for all service accounts in a project: principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount
  Example for all service accounts in all projects in a folder: principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAccount
  Example for all service accounts in all projects in an organization: principalSet://cloudresourcemanager.googleapis.com/organization/123456789012/type/ServiceAccount

Google group
  Identifier: group:GROUP_EMAIL_ADDRESS
  Example: group:my-group@example.com

Domain (Google Workspace account or Cloud Identity domain)
  Identifier: domain:DOMAIN
  Example: domain:example.com

All users
  Identifier: allUsers

All authenticated users
  Identifier: allAuthenticatedUsers

Built-in resource identities
  Only available for supported resources. The format varies depending on the resource. See Resources with built-in identities for details.

Single identity in a workforce identity pool
  Identifier: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
  Example: principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com

Workforce identity pool group
  Identifier: principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID
  Example using a group email: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/administrators-group@altostrat.com
  Example using a group UUID: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/abcdefgh-0123-0123-abcdef

All identities in a workforce identity pool with a certain attribute
  Identifier: principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
  Example: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/attribute.department/administration

All identities in a workforce identity pool
  Identifier: principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*
  Example: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/*

Single identity in a workload identity pool
  Identifier: principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE

Workload identity pool group
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID

All identities in a workload identity pool with a certain attribute
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE

All identities in a workload identity pool
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*

All GKE Pods that use a specific Kubernetes service account
  By service account name: principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/NAMESPACE/sa/KUBERNETES_SERVICE_ACCOUNT
  By service account ID: principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/kubernetes.serviceaccount.uid/SERVICEACCOUNT_ID
  Legacy format: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KUBERNETES_SERVICE_ACCOUNT]

All GKE Pods in a specific namespace
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/namespace/NAMESPACE

All GKE Pods in a specific cluster
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/kubernetes.cluster/https://container.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_NAME

Deleted user [1]
  Identifier: deleted:user:USER_EMAIL_ADDRESS?uid=UNIQUE_ID
  Example: deleted:user:alex@example.com?uid=123456789012345678901

Deleted service account [1]
  Identifier: deleted:serviceAccount:SA_EMAIL_ADDRESS?uid=UNIQUE_ID
  Example: deleted:serviceAccount:my-service-account@my-project.iam.gserviceaccount.com?uid=123456789012345678901

Deleted group [1]
  Identifier: deleted:group:GROUP_EMAIL_ADDRESS?uid=UNIQUE_ID
  Example: deleted:group:my-group@example.com?uid=123456789012345678901

Deleted single identity in a workforce identity pool [1]
  Identifier: deleted:principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
  Example: deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value

[1] Don't add deleted principals when creating or modifying policies.
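The identifier formats above, turned into the check a reviewer of an allow policy would actually run: classify every member of every binding, flag the public identifiers (allUsers, allAuthenticatedUsers), domain-wide grants, pool-wide wildcards, all-service-account sets and deleted principals, and rewrite the legacy GKE form into its principal:// equivalent. This is an added example, not code from the page or from Google Cloud. The sample policy is constructed, the regular expressions are derived from the table, and the project number passed to legacy_gke_to_principal() is assumed to be known separately, because the legacy serviceAccount: string does not carry it.

```python
import re

# Constructed sample allow policy (not from the page). The bindings deliberately
# mix the identifier forms from the table so that every audit rule below fires.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alex@example.com", "allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers", "domain:example.com"]},
        {"role": "roles/editor",
         "members": [
             "principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/*",
             "deleted:user:bob@example.com?uid=123456789012345678901",
         ]},
        {"role": "roles/owner",
         "members": [
             "serviceAccount:my-project.svc.id.goog[prod/app-sa]",
             "principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount",
         ]},
    ]
}

# Patterns built from the identifier formats in the allow-policy table.
WORKFORCE = re.compile(
    r"^principal(Set)?://iam\.googleapis\.com/locations/global/workforcePools/[^/]+/")
WORKLOAD = re.compile(
    r"^principal(Set)?://iam\.googleapis\.com/projects/\d+/locations/global/workloadIdentityPools/[^/]+/")
ALL_SERVICE_ACCOUNTS = re.compile(
    r"^principalSet://cloudresourcemanager\.googleapis\.com/(projects|folders|organizations?)/\d+/type/ServiceAccount$")
LEGACY_GKE = re.compile(
    r"^serviceAccount:(?P<project_id>[^\[]+)\.svc\.id\.goog\[(?P<namespace>[^/\]]+)/(?P<ksa>[^\]]+)\]$")


def classify(member):
    """Return (principal_type, finding); finding is None when nothing needs review."""
    if member.startswith("deleted:"):
        return "deleted", "deleted principal: remove it; never add deleted principals to a policy"
    if member == "allUsers":
        return "allUsers", "public: anyone on the internet, no authentication required"
    if member == "allAuthenticatedUsers":
        return "allAuthenticatedUsers", "public: any Google account, not only your organization"
    if member.startswith("domain:"):
        return "domain", "grants every user in the domain; prefer a group"
    if member.startswith("user:"):
        return "user", None
    if member.startswith("group:"):
        return "group", None
    if LEGACY_GKE.match(member):  # must be tested before the generic serviceAccount: prefix
        return "gke-legacy", "legacy GKE format; see legacy_gke_to_principal() for the principal:// form"
    if member.startswith("serviceAccount:"):
        return "serviceAccount", None
    if ALL_SERVICE_ACCOUNTS.match(member):
        return "all-service-accounts", "every service account under the resource, including ones created later"
    if WORKFORCE.match(member):
        return "workforce", "every identity in the workforce pool" if member.endswith("/*") else None
    if WORKLOAD.match(member):
        return "workload", "every identity in the workload pool" if member.endswith("/*") else None
    return "unknown", "unrecognized identifier format"


def legacy_gke_to_principal(member, project_number):
    """Rewrite serviceAccount:PROJECT_ID.svc.id.goog[NS/KSA] into the principal:// form.

    project_number (assumed input) is the numeric project number of the project
    that owns the PROJECT_ID.svc.id.goog pool; the legacy string does not carry it.
    """
    m = LEGACY_GKE.match(member)
    if not m:
        raise ValueError(f"not a legacy GKE identifier: {member}")
    return ("principal://iam.googleapis.com/projects/{}/locations/global/"
            "workloadIdentityPools/{}.svc.id.goog/subject/ns/{}/sa/{}").format(
                project_number, m["project_id"], m["namespace"], m["ksa"])


def audit(policy):
    """Return one finding dict per member that needs review."""
    findings = []
    for binding in policy["bindings"]:
        for member in binding["members"]:
            ptype, finding = classify(member)
            if finding:
                findings.append({"role": binding["role"], "member": member,
                                 "type": ptype, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f"{f['role']:<30} {f['type']:<22} {f['member']}")
        print(f"{'':>30} {f['finding']}")
```

The order of the checks matters: the legacy GKE pattern is a serviceAccount: string, so it has to be matched before the generic serviceAccount: prefix, and deleted: is tested first because it wraps every other form. Run it against a real policy by replacing SAMPLE_POLICY with the output of a get-iam-policy call.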
Principal identifiers for deny policies

The following table describes the principal identifiers for deny policies, which use the IAM v2 API.

Preview — Principal identifiers for all service accounts in a project, folder, or organization
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Preview — Principal identifiers for all service agents associated with a project, folder, or organization
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Principal type and identifier

Single user
  Identifier: principal://goog/subject/USER_EMAIL_ADDRESS
  Example: principal://goog/subject/alex@example.com

Single service account
  Identifier: principal://iam.googleapis.com/projects/-/serviceAccounts/SA_EMAIL_ADDRESS
  Example: principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com

All service accounts in a project, folder, or organization (Preview)
  Identifier: principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAccount
  Example for all service accounts in a project: principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAccount
  Example for all service accounts in all projects in a folder: principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAccount
  Example for all service accounts in all projects in an organization: principalSet://cloudresourcemanager.googleapis.com/organization/123456789012/type/ServiceAccount

All service agents associated with a project, folder, or organization (Preview)
  Identifier: principalSet://cloudresourcemanager.googleapis.com/RESOURCE_TYPE/RESOURCE_NUMBER/type/ServiceAgent
  Example for all service agents associated with a project or its descendants: principalSet://cloudresourcemanager.googleapis.com/projects/123456789012/type/ServiceAgent
  Example for all service agents associated with a folder or its descendants: principalSet://cloudresourcemanager.googleapis.com/folders/123456789012/type/ServiceAgent
  Example for all service agents associated with an organization or its descendants: principalSet://cloudresourcemanager.googleapis.com/organization/123456789012/type/ServiceAgent

Google group
  Identifier: principalSet://goog/group/GROUP_EMAIL_ADDRESS
  Example: principalSet://goog/group/my-group@example.com

All principals
  Identifier: principalSet://goog/public:all

All principals in a Cloud Identity account (domain) [1]
  Identifier: principalSet://goog/cloudIdentityCustomerId/CLOUD_IDENTITY_CUSTOMER_ID
  Example: principalSet://goog/cloudIdentityCustomerId/C01Abc35

Single identity in a workforce identity pool
  Identifier: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
  Example: principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com

Workforce identity pool group
  Identifier: principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID
  Example using a group email: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/administrators-group@altostrat.com
  Example using a group UUID: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/group/abcdefgh-0123-0123-abcdef

All identities in a workforce identity pool with a certain attribute
  Identifier: principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
  Example: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/attribute.department/administration

All identities in a workforce identity pool
  Identifier: principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*
  Example: principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/*

Single identity in a workload identity pool
  Identifier: principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE

Workload identity pool group
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID

All identities in a workload identity pool with a certain attribute
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE

All identities in a workload identity pool
  Identifier: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*

Deleted user [2]
  Identifier: deleted:principal://goog/subject/USER_EMAIL_ADDRESS?uid=UNIQUE_ID
  Example: deleted:principal://goog/subject/alex@example.com?uid=123456789012345678901

Deleted service account [2]
  Identifier: deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/SA_EMAIL_ADDRESS?uid=UNIQUE_ID
  Example: deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com?uid=123456789012345678901

Deleted group [2]
  Identifier: deleted:principalSet://goog/group/GROUP_EMAIL_ADDRESS?uid=UNIQUE_ID
  Example: deleted:principalSet://goog/group/my-group@example.com?uid=123456789012345678901

Deleted single identity in a workforce identity pool [2]
  Identifier: deleted:principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
  Example: deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value

[1] Learn how to find your Cloud Identity customer ID.
[2] Don't add deleted principals when creating or modifying policies.
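A common task is mirroring an existing allow-policy binding as a deny rule, which means translating every member from the v1 form into the v2 form in the table above. The mapping is mechanical for users, groups, service accounts and allUsers, is an identity function for the workforce, workload and all-service-account identifiers (they are listed identically in both tables), and has no mechanical answer for domain: (deny policies address a domain by Cloud Identity customer ID, which cannot be derived from the domain name), for allAuthenticatedUsers, or for the legacy and GKE-specific identifiers that only the allow table lists. This is an added example, not code from the page or from Google Cloud; the member list is constructed, and the regular expressions are derived from the two tables.

```python
import re

# Identifier shapes that appear verbatim in both the allow-policy and the
# deny-policy table, so they pass through unchanged.
SAME_IN_BOTH = [
    re.compile(r"^principal://iam\.googleapis\.com/locations/global/workforcePools/[^/]+/subject/[^/]+$"),
    re.compile(r"^principalSet://iam\.googleapis\.com/locations/global/workforcePools/[^/]+/(group/[^/]+|attribute\.[^/]+/[^/]+|\*)$"),
    re.compile(r"^principal://iam\.googleapis\.com/projects/\d+/locations/global/workloadIdentityPools/[^/]+/subject/.+$"),
    re.compile(r"^principalSet://iam\.googleapis\.com/projects/\d+/locations/global/workloadIdentityPools/[^/]+/(group/[^/]+|attribute\.[^/]+/[^/]+|\*)$"),
    re.compile(r"^principalSet://cloudresourcemanager\.googleapis\.com/(projects|folders|organizations?)/\d+/type/ServiceAccount$"),
]

# Constructed input (not from the page): members copied from an allow binding.
SAMPLE_MEMBERS = [
    "user:alex@example.com",
    "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com",
    "group:my-group@example.com",
    "allUsers",
    "domain:example.com",
    "principalSet://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/attribute.department/administration",
    "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/my-project.svc.id.goog/namespace/prod",
]


def to_deny_identifier(member):
    """Return the deny-policy (v2) identifier for an allow-policy (v1) member,
    or None when the two tables give no mechanical equivalent."""
    if member.startswith("deleted:"):
        raise ValueError("deleted principals must not be added to any policy")
    if member == "allUsers":
        return "principalSet://goog/public:all"
    if member == "allAuthenticatedUsers":
        return None  # the deny table lists no equivalent
    kind, sep, value = member.partition(":")
    if sep and kind == "user":
        return f"principal://goog/subject/{value}"
    if sep and kind == "group":
        return f"principalSet://goog/group/{value}"
    if sep and kind == "serviceAccount":
        if ".svc.id.goog[" in value:
            return None  # legacy GKE form; the deny table does not list it
        return f"principal://iam.googleapis.com/projects/-/serviceAccounts/{value}"
    if sep and kind == "domain":
        # Deny policies use principalSet://goog/cloudIdentityCustomerId/ID; the
        # customer ID is not derivable from the domain name, so look it up by hand.
        return None
    if any(p.match(member) for p in SAME_IN_BOTH):
        return member
    # Anything else (for example the GKE namespace or cluster principal sets)
    # is not listed for deny policies.
    return None


def convert_members(members):
    """Return ({allow_member: deny_member}, [members needing manual handling])."""
    converted, manual = {}, []
    for member in members:
        deny = to_deny_identifier(member)
        if deny is None:
            manual.append(member)
        else:
            converted[member] = deny
    return converted, manual


if __name__ == "__main__":
    converted, manual = convert_members(SAMPLE_MEMBERS)
    for allow, deny in converted.items():
        print(f"{allow}\n    -> {deny}")
    for member in manual:
        print(f"{member}\n    -> no mechanical deny equivalent; handle manually")
```

Note the asymmetry in the other direction as well: the deny table's principalSet://cloudresourcemanager.googleapis.com/.../type/ServiceAgent set has no allow-policy counterpart, so a deny rule can cover service agents that no allow binding could name.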
Principal identifiers for principal access boundary policy bindings

The following table describes the identifiers for the principal sets that you can use in principal access boundary (PAB) policy bindings. Principal access boundary policy bindings use the IAM v3 API.

To learn which principals are included in each of these principal sets, see Supported principal sets.

Principal type and identifier

Workforce identity pool
  Identifier: //iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID
  Example: //iam.googleapis.com/locations/global/workforcePools/example-workforce-pool

Workload identity pool
  Identifier: //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/WORKLOAD_POOL_ID
  Example: //iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-workload-pool

Google Workspace account [1]
  Identifier: //iam.googleapis.com/locations/global/workspace/CUSTOMER_ID
  Example: //iam.googleapis.com/locations/global/workspace/C01Abc35

Project
  Identifier: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
  Example: //cloudresourcemanager.googleapis.com/projects/example-project

Folder
  Identifier: //cloudresourcemanager.googleapis.com/folders/FOLDER_ID
  Example: //cloudresourcemanager.googleapis.com/folders/0123456789012

Organization
  Identifier: //cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID
  Example: //cloudresourcemanager.googleapis.com/organizations/0123456789012

[1] Learn how to find your Cloud Identity customer ID.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.