IAM Conditions allow you to grant access only when certain criteria are met — such as time of day, source IP, or resource attributes. Tags complement conditions by providing a way to label resources for conditional access. Together, they enable fine-grained, context-aware access control.
An IAM condition is an expression attached to a policy binding that must evaluate to true for the binding to take effect:
```json
{
  "role": "roles/storage.objectViewer",
  "members": ["user:alice@example.com"],
  "condition": {
    "title": "Weekday access only",
    "description": "Allow access only during UK business hours on weekdays",
    "expression": "request.time.getDayOfWeek('Europe/London') >= 1 && request.time.getDayOfWeek('Europe/London') <= 5 && request.time.getHours('Europe/London') >= 9 && request.time.getHours('Europe/London') < 17"
  }
}
```
Conditions use the Common Expression Language (CEL), which supports:
| Category | Available Attributes |
|---|---|
| Time | request.time, request.time.getHours(), request.time.getDayOfWeek() |
| Resource | resource.name, resource.type, resource.service |
| Resource Tags | resource.matchTag('env', 'production') |
| Access Level | request.auth.access_levels (VPC Service Controls) |
| URL | request.path, request.host (for some services) |
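To see exactly where the "Weekday access only" window opens and closes, the following added example (not part of the lesson and not Google's CEL evaluator) mirrors that expression in Python. The function names and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

LONDON = ZoneInfo("Europe/London")


def cel_day_of_week(ts, tz=LONDON):
    """CEL getDayOfWeek(): 0 = Sunday .. 6 = Saturday (Python: 0 = Monday)."""
    return (ts.astimezone(tz).weekday() + 1) % 7


def weekday_access_allowed(ts, tz=LONDON):
    """Python mirror of the binding's expression; ts must be timezone-aware."""
    local = ts.astimezone(tz)
    return 1 <= cel_day_of_week(ts, tz) <= 5 and 9 <= local.hour < 17


def utc(year, month, day, hour, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed request timestamps (UTC) that probe the edges of the window.
SAMPLES = {
    "winter Mon 08:59 UTC -> 08:59 London": utc(2024, 1, 15, 8, 59),
    "winter Mon 16:59 UTC -> 16:59 London": utc(2024, 1, 15, 16, 59),
    "winter Mon 17:00 UTC -> 17:00 London": utc(2024, 1, 15, 17, 0),
    "summer Mon 08:30 UTC -> 09:30 London": utc(2024, 7, 15, 8, 30),
    "summer Mon 16:30 UTC -> 17:30 London": utc(2024, 7, 15, 16, 30),
    "winter Sun 12:00 UTC -> 12:00 London": utc(2024, 1, 14, 12, 0),
}


def evaluate_samples():
    return {label: weekday_access_allowed(ts) for label, ts in SAMPLES.items()}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {label}")
```

The two summer samples show why the expression passes 'Europe/London' to every time function: the window follows London clock time, so during British Summer Time it sits one hour earlier in UTC than it does in winter.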