IAM Conditions allow you to grant access only when certain criteria are met — such as time of day, source IP, or resource attributes. Tags complement conditions by providing a way to label resources for conditional access. Together, they enable fine-grained, context-aware access control.
An IAM condition is an expression attached to a policy binding that must evaluate to true for the binding to take effect:
```json
{
  "role": "roles/storage.objectViewer",
  "members": ["user:alice@example.com"],
  "condition": {
    "title": "Weekday access only",
    "description": "Allow access only during UK business hours on weekdays",
    "expression": "request.time.getDayOfWeek('Europe/London') >= 1 && request.time.getDayOfWeek('Europe/London') <= 5 && request.time.getHours('Europe/London') >= 9 && request.time.getHours('Europe/London') < 17"
  }
}
```
Conditions use the Common Expression Language (CEL), which supports:
| Category | Available Attributes |
|---|---|
| Time | request.time, request.time.getHours(), request.time.getDayOfWeek() |
| Resource | resource.name, resource.type, resource.service |
| Resource Tags | resource.matchTag('env', 'production') |
| Access Level | request.auth.accessLevels (VPC Service Controls) |
| URL | request.path, request.host (for some services) |
```bash
# Grant access that expires on a specific date
gcloud projects add-iam-policy-binding my-project \
  --member="user:contractor@example.com" \
  --role="roles/compute.viewer" \
  --condition="title=expires-2025-06-01,expression=request.time < timestamp('2025-06-01T00:00:00Z')"

# Grant access only to Cloud Storage objects with a specific prefix
gcloud storage buckets add-iam-policy-binding gs://my-bucket \
  --member="user:alice@example.com" \
  --role="roles/storage.objectViewer" \
  --condition="title=reports-only,expression=resource.name.startsWith('projects/_/buckets/my-bucket/objects/reports/')"

# Grant access only to Compute Engine instances (not disks, images, etc.)
gcloud projects add-iam-policy-binding my-project \
  --member="group:developers@example.com" \
  --role="roles/compute.admin" \
  --condition="title=instances-only,expression=resource.type == 'compute.googleapis.com/Instance'"

# Grant access only to resources tagged with env=production
gcloud projects add-iam-policy-binding my-project \
  --member="group:sre-team@example.com" \
  --role="roles/compute.instanceAdmin.v1" \
  --condition="title=prod-only,expression=resource.matchTag('123456789/env', 'production')"
```
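A time-limited condition such as `request.time < timestamp(...)` stops granting access when the cutoff passes, but the binding itself stays in the policy until someone removes it. The following audit script is an added example (not part of this lesson or of gcloud) that reads a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, flags bindings whose expiry has already passed, and lists bindings that carry no condition at all; the policy embedded below is a constructed sample.

```python
"""Audit a GCP IAM policy for stale time-limited bindings and unconditional bindings."""
import json
import re
from datetime import datetime

# Matches the expiry idiom used above: request.time < timestamp('2025-06-01T00:00:00Z')
EXPIRY_RE = re.compile(r"request\.time\s*<\s*timestamp\('([^']+)'\)")

# Constructed sample policy (hypothetical members and project), same shape as
# `gcloud projects get-iam-policy my-project --format=json` output.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/compute.viewer",
     "members": ["user:contractor@example.com"],
     "condition": {"title": "expires-2025-06-01",
                   "expression": "request.time < timestamp('2025-06-01T00:00:00Z')"}},
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com"],
     "condition": {"title": "reports-only",
                   "expression": "resource.name.startsWith('projects/_/buckets/my-bucket/objects/reports/')"}},
    {"role": "roles/owner",
     "members": ["group:admins@example.com"]}
  ]
}
""")

def _iso(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_expiry(expression):
    """Return the cutoff datetime if the expression is a simple time limit, else None."""
    m = EXPIRY_RE.search(expression)
    return _iso(m.group(1)) if m else None

def audit_bindings(policy, now_iso):
    """Classify each binding as expired (stale, should be removed), active, or unconditional."""
    now = _iso(now_iso)
    report = {"expired": [], "active": [], "unconditional": []}
    for b in policy.get("bindings", []):
        cond = b.get("condition")
        if cond is None:
            report["unconditional"].append((b["role"], tuple(b["members"])))
            continue
        entry = (b["role"], tuple(b["members"]), cond.get("title", ""))
        expiry = parse_expiry(cond.get("expression", ""))
        report["expired" if expiry is not None and expiry <= now else "active"].append(entry)
    return report

if __name__ == "__main__":
    for kind, entries in audit_bindings(SAMPLE_POLICY, "2025-07-01T00:00:00Z").items():
        for e in entries:
            print(kind, e)
```

Bindings reported as expired can be removed with `gcloud projects remove-iam-policy-binding` using the same `--condition` value; unconditional bindings on powerful roles are the ones worth reviewing for a narrowing condition.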
Tags are key-value pairs that can be attached to GCP resources (organisations, folders, projects, and some individual resources). They differ from labels:
| Feature | Tags | Labels |
|---|---|---|
| Purpose | Access control (IAM conditions, org policies) | Organisation and billing |
| Inheritance | Inherited down the hierarchy | Not inherited |
| Used in IAM conditions | Yes | No |
| Used in org policies | Yes | No |
| Used in billing reports | No | Yes |
| Managed by | Tag Admin | Resource owners |
```bash
# Step 1: Create a tag key
gcloud resource-manager tags keys create env \
  --parent=organizations/123456789 \
  --description="Environment tag"

# Step 2: Create tag values
gcloud resource-manager tags values create production \
  --parent=organizations/123456789/env \
  --description="Production environment"

gcloud resource-manager tags values create staging \
  --parent=organizations/123456789/env \
  --description="Staging environment"

gcloud resource-manager tags values create development \
  --parent=organizations/123456789/env \
  --description="Development environment"
```