This document describes supported attributes in a condition expression.
Supported condition attributes
The following sections summarize the supported attributes and indicate which Google Cloud services recognize each attribute.
Resource attributes
The following attributes relate to the resource that is the subject of the request.
Attribute | Usage summary | Supported Google Cloud services |
---|---|---|
Resource service attribute |
Manage access based on the Google Cloud service being used. You can use this attribute in allow policy role bindings. |
|
Resource type attribute |
Manage access based on the resource type. You can use this attribute in allow policy role bindings. |
|
Resource name attribute |
Manage access based on the name of the resource. You can use this attribute in allow policy role bindings. |
|
Resource tags |
Manage access based on the tags attached to the resource. You can use this attribute in the following places:
|
All Google Cloud services (see Support for inherited conditions) |
For more details about resource attributes, see Resource attributes on this page.
Principal attributes
The following attributes relate to the principal making the request.
Attribute | Usage summary | Supported principal types |
---|---|---|
Apply policies based on the type of principal in the request. You can use this attribute in policy bindings for principal access boundary policies. |
|
|
Apply policies based on the identity of the principal in the request. You can use this attribute in policy bindings for principal access boundary policies. |
|
For more details about principal attributes, see Principal attributes on this page.
Request attributes
The following attributes relate to the details of the request.
Attribute | Usage summary | Supported Google Cloud services |
---|---|---|
Manage access based on specific access level(s).
An access level is a calculated attribute based on raw attributes
about the request and requester, such as the origin IP address, device
attributes, and time of day. For example, an You can use this attribute in allow policy role bindings. |
Identity-Aware Proxy |
|
Manage access based on data provided by a specific Google Cloud API or service. You can use this attribute in allow policy role bindings. |
|
|
Set expirable, scheduled, or limited-duration access to Google Cloud resources. You can use these attributes in allow policy role bindings. |
All Google Cloud services (see Support for inherited conditions) |
|
Manage access based on the destination IP address and/or port of a
request. For example, a Compute Engine virtual machine (VM) instance
might expose an external IP, such as Used for Identity-Aware Proxy TCP forwarding. You can use these attributes in allow policy role bindings. |
Identity-Aware Proxy |
|
Specify the types of forwarding rules that a principal can create. For example, you could allow a principal to create forwarding rules for internal Google Cloud load balancers, which handle traffic that originates inside a Google Cloud network, but not for external Google Cloud load balancers, which handle traffic that originates from the internet. You can use these attributes in allow policy role bindings. |
|
|
Manage access based on the URL path and/or host of a request. For
example, a condition could specify that
You can use these attributes in allow policy role bindings. |
|
For more details about request attributes, see Request attributes on this page.
Support for inherited conditions
Some types of Google Cloud resources don't allow conditions in their allow policies. However, you can add conditional role bindings at the organization, folder, or project level, and other resources will inherit those role bindings through the resource hierarchy. For details, see Resource types that accept conditional role bindings.
When you use attributes at the organization, folder, or project level, keep in
mind that most attributes are available only for specific resource types. If
part of a condition uses an attribute that is not available, then that part of
the condition is never interpreted as granting access. For example, the
condition destination.port == 21
will never grant access to any
BigQuery resource, because BigQuery resources don't
provide the destination IP/port attributes.
To prevent this issue, use the resource type and
resource service attributes described on this page to limit
the scope of the condition. For example, the following condition evaluates to
true
for all resource types other than Identity-Aware Proxy tunnel instances; in
contrast, for Identity-Aware Proxy tunnel instances, the condition checks the
destination port:
resource.type != 'iap.googleapis.com/TunnelInstance' ||
destination.port == 21
You don't need to limit the scope of conditions that check the tags attached to a resource. When a condition checks tag keys and values, it cannot check any other attributes, including the resource type and resource service.
Resource attributes
The resource service, resource type, and resource name attributes are typically used to change the scope of an access grant provided by the role binding. When a role contains permissions that apply to different resource-specific attributes, resource-based conditions can be used to grant a subset of the role's permissions for specific type(s) or for specific service(s).
resource.service attribute
The resource.service
attribute lets you set a condition based on the
Google Cloud service being used. For example, you could set a condition
limiting a user's access to resources that use the
cloudresourcemanager.googleapis.com
service. For a list of supported values,
see Resource service values.
You can use the resource.service
attribute in allow policy role bindings.
Attribute variable | resource.service |
---|---|
Attribute type |
For a list of supported values, see Resource service values. |
Supported operators | , |
Details |
When you use the resource.type attribute in conditions,
check for exact equality ( ) or exact
inequality ( ) with the attribute.
Other comparisons, such as checking for a prefix or suffix, might give
you unexpected results.
|
Example |
Returns resource.service == "compute.googleapis.com" |
Supported services |
|
resource.type attribute
The resource.type
attribute lets you set a condition based on the resource's
type. For example, you could set a condition limiting a user's access to
resources of the type storage.googleapis.com/Object
. For a list of supported
values, see Resource type values.
If your condition uses the resource.name
attribute, we strongly recommend that
you use the resource.type
attribute to control which resource types the
condition applies to. For details, see
resource.name
attribute on this page.
You can use the resource.type
attribute in allow policy role bindings.
Attribute variable | resource.type |
||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Attribute type |
For a list of supported values, see Resource type values. |
||||||||||||||||||||||||||||||||||||||||||||||
Supported operators | , |
||||||||||||||||||||||||||||||||||||||||||||||
Details |
When you use the resource.type attribute in conditions,
check for exact equality ( ) or exact
inequality ( ) with the attribute. Other
comparisons, such as checking for a prefix or suffix, might give you
unexpected results.
|
||||||||||||||||||||||||||||||||||||||||||||||
Examples |
Returns resource.type != "compute.googleapis.com/Image"
Returns (resource.type == "compute.googleapis.com/Image" || resource.type == "compute.googleapis.com/Disk") |
||||||||||||||||||||||||||||||||||||||||||||||
Supported resource types |
1 Cloud Key Management Service uses this resource type as the parent of key ring resources. |
resource.name attribute
The resource.name
attribute lets you set a condition based on all or part of a
resource name. For a list of resource name formats, see Resource name
format.
The resource.name
attribute is available only for specific resource types,
which are listed in the table in this section. We strongly recommend that you
limit the applicability of the condition to the intended resource type. If a
role contains permissions for a resource type that does not provide the
resource.name
attribute, you should ensure that those permissions are not
restricted by the part of the condition that checks resource.name
.
The following example shows how to ensure this behavior. In this example, the
condition allows access to all resource types except Cloud Storage buckets and
objects. In contrast, for buckets and objects, the condition only allows access
to the bucket example-bucket
and the objects it contains:
(resource.type != 'storage.googleapis.com/Bucket' &&
resource.type != 'storage.googleapis.com/Object') ||
resource.name.startsWith('projects/_/buckets/example-bucket')
Note that the first part of the condition checks whether the resource is neither
a bucket nor an object. If the resource has a different type, then the entire
condition evaluates to true
, regardless of the resource name.
Also, note that the condition checks the resource.type
attribute, not the
resource.service
attribute. There are a few benefits of checking the
resource.type
attribute:
- It limits the
resource.name
check to the appropriate set of resources. For example, if you want to grant access to Compute Engine instances with a specific name, it makes sense to exclude all resource types other than Compute Engine instances. - It prevents the scope of the condition from changing if a service adds new resource types in the future.
Finally, note that the condition uses the startsWith()
function to evaluate
the resource name, rather than checking for equality with the
operator. Because the condition looks at the start of the resource name, it
matches a bucket as well as the objects in that bucket. If it checked for
equality, it would only match the bucket.
You cannot use wildcard characters such as *
to match multiple resource
names. Consider these alternatives:
Use the
extract()
function to extract a value from a resource name. For example, you can extract a project ID from the resource name of a Compute Engine VM instance, then write a condition expression that refers to the project ID.For details, see Extracting values from attributes on this page.
Use the
startsWith()
orendsWith()
function to write a condition that evaluates the start or end of the resource name.
You can use the resource.name
attribute in allow policy role bindings.
Attribute variable | resource.name |
||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Attribute type |
Each resource type uses a specific format for the resource name. For a list of formats, see Resource name format. |
||||||||||||||||||||||||||||||||||||||||||
Supported functions and operators |
startsWith(), endsWith(), extract(),
, |
||||||||||||||||||||||||||||||||||||||||||
Details |
The
The
The
The
The |
||||||||||||||||||||||||||||||||||||||||||
Examples |
Returns resource.name != "projects/_/buckets/secret-bucket-123"
Returns resource.name.startsWith("projects/project-123/zones/us-east1-b/instances/prod-")
Returns resource.name.startsWith("projects/_/buckets/my_bucket/objects/test-object-")
Returns resource.name.endsWith(".jpg") Returns the project name or number if it's present: resource.name.extract("projects/{project}/") |
||||||||||||||||||||||||||||||||||||||||||
Supported resource types |
|
Resource tags
The functions for resource tags let you set a condition based on the tags that
are attached to, or inherited by, a resource. For example, you could set a
condition that grants a role only for resources that have the tag env: prod
attached. To learn more about controlling access with tags, see
Tags and access control.
Each tag consists of a key and a value. There are a few different types of identifiers for each key and value:
-
A permanent ID, which is globally unique and can never be reused. For example, a tag
key could have the permanent ID
tagKeys/123456789012
, and a tag value could have the permanent IDtagValues/567890123456
. -
A short name. The short name for each key must be unique within the project or
organization under which the key is defined, and the short name for each value must be unique
for its associated key. For example, a tag key could have the short name
env
, and a tag value could have the short nameprod
. -
A namespaced name, which adds your organization's numeric ID or project's ID to the
short name of a tag key. For example, a tag key created for an organization could have the
namespaced name
123456789012/env
. To learn how to get your organization ID, see Getting your organization resource ID. A tag key created for a project could have the namespaced namemyproject/env
. To learn how to get your project ID, see Identifying projects.
For guidance on choosing which type of identifier to use in your conditions, see Tag definitions and identifiers.
You can use tag-based conditions to conditionalize access to any resource. This includes resources with their own tags, as well as resources that inherit tags from other resources. To learn more about how tags are inherited through the resource hierarchy, see Tag inheritance.
You can use tag-based conditions in the following:
- Allow policy role bindings
- Deny policy deny rules
You can use the following functions to set conditions based on tags:
Function | Description |
---|---|
resource.hasTagKey(
bool
|
Checks whether the resource for the request has a tag with the
specified key. The tag key is looked up by its namespaced
name. To check for a tag key using its permanent ID, use
the function
|
resource.hasTagKeyId(
bool
|
Checks whether the resource for the request has a tag with the
specified key. The tag key is looked up by its permanent ID.
To check for a tag key using its namespaced name, use the
function
|
resource.matchTag(
bool
|
Checks whether the resource for the request has a tag with the
specified key and value. The key is looked up by its namespaced
name, and the value is looked up by its short name. To
check for a tag key and value using their permanent IDs, use
the function
|
resource.matchTagId(
bool
|
Checks whether the resource for the request has a tag with the
specified key and value. The key and value are looked up by their
permanent IDs. To check for a tag key using its
namespaced name and a value using its short name,
use the function
|
Principal attributes
The principal attributes let you write conditions based on the principal that issued the request. With these attributes, you can refine the principals that a policy is enforced for.
You can use principal attributes in policy bindings for principal access boundary policies.
principal.type
attribute
The principal.type
attribute lets you set a condition based on the type of
principal issuing the request. For example, you could add a condition to a
policy binding for a principal access boundary policy to ensure that the policy is only
enforced for service accounts.
You can use principal attributes in policy bindings for principal access boundary policies.
Attribute variable | principal.type |
---|---|
Attribute type |
|
Supported operators | , , in |
Supported principal types |
|
Examples |
Evaluates to principal.type == "iam.googleapis.com/ServiceAccount"
Evaluates to principal.type in ["iam.googleapis.com/WorkspaceIdentity", "iam.googleapis.com/WorkforcePoolIdentity"] |
principal.subject
attribute
The principal.subject
attribute lets you set a condition based on the
principal issuing the request. For example, you could add a condition to a
policy binding for a principal access boundary policy to ensure that the policy is only
enforced for principals whose email addresses end with @example.com
.
If you use the principal.subject
attribute in a condition, we recommend also
using the principal.type
attribute to control which types
of principals the condition applies to. This is because principal identifiers
aren't necessarily unique across principal types. For example, the identifier
[email protected]
could identify a Google Account or a user in a
workforce identity pool.
By using the principal.type
attribute in addition to the principal.subject
attribute, you can ensure that the condition only matches principals with the
intended type. For example, the following expression matches Google Accounts
whose email addresses end with @example.com
:
principal.type == 'iam.googleapis.com/WorkspaceIdentity' &&
principal.subject.endsWith('@example.com')
You can use principal attributes in policy bindings for principal access boundary policies.
Attribute variable | principal.subject |
---|---|
Attribute type |
|
Supported operators |
|
Supported principal subjects |
|
Example |
Evaluates to principal.subject.endsWith("@example.com")
Evaluates to principal.subject == "[email protected]" |
Request attributes
Request attributes enable you to create conditions that evaluate details about the request, such as its access level, its date/time, the destination IP address and port (for IAP TCP tunneling), or the expected URL path/host (for IAP and Cloud Run).
Access levels attribute
The access levels attribute enables users to set a condition requiring that a request meets one or more access levels in order to be authorized. You can use the access levels attribute in allow policy role bindings.
The access levels attribute is derived from attributes of the request, such as
the origin IP address, device attributes, and the time of day. For example, an
access level named fullyTrusted
might require that the device making the
request is owned by the company and has a screen lock. An onNetwork
access
level might require that the device making the request originates from a
particular IP address range. See the
Access Context Manager
documentation for more information about access levels.
The access levels attribute is available only when you use Identity-Aware Proxy to access a tunnel instance, or to access a web application running on App Engine or Compute Engine backend services. More specifically, the access levels attribute is available only for requests that check one of these permissions:
iap.tunnelInstances.accessViaIAP
iap.webServiceVersions.accessViaIAP
You can use the access levels attribute when you conditionally grant the following predefined roles:
IAP-secured Tunnel User (
roles/iap.tunnelResourceAccessor
)Contains a single permission,
iap.tunnelInstances.accessViaIAP
.IAP-secured Web App User (
roles/iap.httpsResourceAccessor
)Contains a single permission,
iap.webServiceVersions.accessViaIAP
.
You can also use the access levels attribute to conditionally grant a custom role that contains these permissions. The custom role must not contain any other permissions.
request.auth.access_levels
attribute
Attribute variable | request.auth.access_levels |
---|---|
Attribute type | list <string > |
Supported operators | in |
Details |
To check whether a request meets a specific access level, use the
ACCESS_LEVEL_FULL_NAME in request.auth.access_levels The full name of an access level uses the following format: accessPolicies/POLICY_NUMBER/accessLevels/ACCESS_LEVEL |
Example |
Returns "accessPolicies/199923665455/accessLevels/CorpNet" in request.auth.access_levels |
Supported resource types | Available for requests that use Identity-Aware Proxy to access a tunnel instance, tunnel destination group, web application running on Google Cloud load balancing, or web application running on App Engine. |
API attributes
API attributes help you manage access based on data provided by a specific Google Cloud API or service. You can use API attributes in allow policy role bindings.
For example, when you use Cloud Storage to
list the objects in a bucket, you can use the prefix
parameter
in the request to include only objects whose names begin with a specific prefix.
If you use Credential Access Boundaries to downscope short-lived
credentials, you can create a Credential Access Boundary that limits permissions
to list objects by checking the API attribute
storage.googleapis.com/objectListPrefix
. This API attribute contains the value
of the prefix
parameter from the request.
For examples of when you might need to use API attributes in a condition, see the following pages:
Not all services recognize API attributes. The following sections indicate which services recognize each API attribute.
Functions for API attributes
You can use the following function to work with API attributes:
Function | Description | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
api.getAttribute(
V<T>
|
Gets the requested API attribute.
|
||||||||||||
hasOnly(
bool |
Checks that a list contains only the allowed items, or a subset of
those items. You can call the function on a list returned by
|
Cloud Storage API attributes
Cloud Storage provides the following API attribute.
Attribute variable | storage.googleapis.com/objectListPrefix |
---|---|
Attribute type | string |
Details |
For a request to list
objects in a bucket, contains the value of the For other types of requests, the attribute is not defined. |
Services that recognize this attribute | Cloud Storage |
IAM API attributes
IAM provides the following API attribute:
Attribute variable | iam.googleapis.com/modifiedGrantsByRole |
---|---|
Attribute type | list<string> |
Details |
For a request to set the allow policy of a resource, this attribute contains the role names from the role bindings that the request modifies. For other types of requests, the attribute is not defined. |
Resource types that accept this attribute |
The following resource types accept conditions with the
|
Services that recognize this attribute |
The following services recognize the
|
Date/time attribute
The date/time attribute is used to set expirable, scheduled, or limited-duration access to Google Cloud resources. You can use date/time attributes in allow policy role bindings.
This attribute is supported for all Google Cloud services and resource types. To learn how to apply date/time conditions to resources that don't directly support them, see Support for inherited conditions on this page.
The request.time
attribute contains the timestamp for the request. You can
compare this timestamp to another timestamp, or to a duration of time.
The following sections list the functions that you can use to set conditions based on timestamps and durations.
Create, compare, and modify timestamps and durations
Function or operator | Description |
---|---|
date(
Timestamp |
Converts a date from a
|
duration(
Duration |
Converts an amount of time from a
|
timestamp(
Timestamp |
Converts a
|
, , , |
Compares two
|
|
Add or subtract a
|
Extract information from a timestamp
The functions in this section let you extract information from a timestamp, such as the day of the week that the timestamp falls on.
In IAM Conditions, all timestamps are in UTC. However, you might want to extract information based on a different time zone. For example, you might want to know whether a UTC timestamp falls on a Monday in the time zone for Berlin, Germany.
To specify a different time zone, pass the time zone into the function. Use a
name or UTC offset from the
IETF
Time Zone Database. For example, you could use Europe/Berlin
or +01:00
for Central European Time (CET).
Supported functions and operators | Description |
---|---|
Timestamp.getDate(
int
|
Gets the day of the month from the
|
Timestamp.getDayOfMonth(
int
|
Gets the day of the month from the
|
Timestamp.getDayOfWeek(
int
|
Gets the day of the week from the
|
Timestamp.getDayOfYear(
int
|
Gets the day of the year from the
|
Timestamp.getFullYear(
int
|
Gets the year from the
|
Timestamp.getHours(
int
|
Gets the hour of the day from the
You can combine this function with
|
Timestamp.getMilliseconds(
int
|
Gets the number of milliseconds from the
|
Timestamp.getMinutes(
int
|
Gets the number of minutes after the hour from the
|
Timestamp.getMonth(
int
|
Gets the month of the year from the
|
Timestamp.getSeconds(
int
|
Gets the number of seconds from the
|
, , , |
Compares the output of two functions in this table. |
Destination IP/port attributes
The destination IP/port attribute enables users to manage access based on the internal destination IP address and port for a request. You can use destination IP/port attributes in allow policy role bindings.
For example, a Compute Engine VM instance might map the external IP
address and port 132.168.42.21:3001
to the internal IP address and port
10.0.0.1:2300
for general usage. In contrast, the internal IP address and port
10.0.0.1:22
might only be available internally for administrative usage. You
can use the destination IP/port attributes to grant different amounts of access
based on the internal IP address and port.
For more information about TCP forwarding, see the Identity-Aware Proxy documentation.
destination.ip attribute
Attribute variable | destination.ip |
---|---|
Attribute type | string |
Supported operators | , |
Details |
The variable |
Examples |
Returns destination.ip == "10.0.0.1"
Returns destination.ip != "10.0.0.1" |
Supported resource types | Available for requests that use Identity-Aware Proxy to access a tunnel instance |
destination.port attribute
Attribute variable | destination.port |
---|---|
Attribute type | int |
Supported operators | , , , , , |
Details |
The variable |
Examples |
Returns destination.port == 21
Returns destination.port < 3001 |
Supported resource types | Available for requests that use Identity-Aware Proxy to access a tunnel instance |
Forwarding rule attributes
The forwarding rule attributes enable you to specify the types of forwarding rules that a principal can create. For example, you could allow a principal to create forwarding rules for internal Google Cloud load balancers, which handle traffic that originates inside a Google Cloud network, but not for external Google Cloud load balancers, which handle traffic that originates from the internet. You can use forwarding rule attributes in allow policy role bindings.
For Cloud Load Balancing, the forwarding rule attributes don't affect the ability to create other components of a Google Cloud load balancer, such as backend services, target proxies, health checks, and URL maps.
Supported functions
Function | Description |
---|---|
compute.isForwardingRule
bool
|
Checks whether the request is creating a forwarding rule.
|
compute.matchLoad
bool
|
Checks whether the request affects one of the specified types of load balancing scheme. To find the identifier for each load balancing scheme, as well as more details, see Using IAM Conditions on Google Cloud load balancers.
|
Supported resource types
This attribute is available for requests to create the following resource types:
Service | Resource types |
---|---|
Cloud Load Balancing | Forwarding rules |
Cloud VPN | Forwarding rules (global and regional) |
Compute Engine | Forwarding rules (for protocol forwarding) |
Cloud Service Mesh1 | Forwarding rules |
1 Uses the resource attributes for Compute Engine.
URL path/host attribute
The URL path/host attribute enables users to manage access based on the URL path
and host of a request. For example, a condition could specify that
https://example.com
is the main application accessible by a general domain of
users, while https://hr.example.com/admin
is used to access a page in the
application where only Human Resources admins can access this portion.
You can use the URL path/host attribute in allow policy role bindings.
request.path attribute
Attribute variable | request.path |
---|---|
Attribute type | string |
Supported functions and operators | , startsWith(), endsWith() |
Details |
We don't recommend using the operator with this
attribute. Instead of checking for inequality, as in
request.path != "/admin" , check the attribute's prefix, as
in !request.path.startsWith("/admin") . By checking the
prefix, you also protect URL paths within the /admin
hierarchy, such as /admin/payroll/ .
|
Examples |
Returns request.path == "/admin" request.path == "/admin/payroll"
Returns request.path.startsWith("/admin")
Returns request.path.endsWith("/payroll.js") |
Supported resource types |
|
request.host attribute
Attribute variable | request.host |
---|---|
Attribute type | string |
Supported functions and operators | , endsWith() |
Details |
We don't recommend using the .startsWith() function or the
operator with this attribute. These functions and
operators might give you unexpected results.
|
Examples |
Returns request.host == "www.example.com" request.host == "hr.example.com"
Returns request.host.endsWith("example.com") |
Supported resource types |
|
Extract values from attributes
You can use the extract()
function to extract a value from an attribute. For
example, you can extract an arbitrary part of a resource name, then write a
condition expression that refers to the text you extracted.
To use the extract()
function, you provide an extraction template, which
specifies the part of the attribute to extract. For example, if you want to
extract a project ID from the resource name of a Compute Engine VM
instance, you might use the template projects/{project}/
.
An extraction template contains the following parts:
An identifier, enclosed in curly braces, that identifies the substring to extract.
Choose a short, meaningful identifier that makes it clear what value you want to extract. You can use uppercase and lowercase letters from
A
toZ
; numeric digits; and underscores (_
).In the template
projects/{project}/
, the identifier isproject
.Optional: A prefix, which must appear before the substring to extract.
In the template
projects/{project}/
, the prefix isprojects/
.Optional: A suffix, which must appear after the substring to extract.
In the template
projects/{project}/
, the suffix is/
.
The extract()
function extracts different parts of the attribute based on
whether the extraction template has a prefix, a suffix, or both:
Has prefix | Has suffix | Extracted value |
---|---|---|
— | — | The entire attribute |
— | The characters after the first occurrence of the prefix, or an empty string if there are no characters after the prefix | |
— | The characters before the first occurrence of the suffix, or an empty string if there are no characters before the suffix | |
The characters between the first occurrence of the prefix and the first subsequent occurrence of the suffix, or an empty string if there are no characters between the prefix and the suffix |
If you specify a prefix or suffix that don't appear in the attribute, or if the
suffix appears only before the prefix, the extract()
function returns an empty
string.
The following examples show the output from several different extraction
templates. These examples refer to a resource name for a Cloud Storage
object,
projects/_/buckets/acme-orders-aaa/objects/data_lake/orders/
:
Extraction template | Output |
---|---|
/order_date={date}/ |
2019-11-03 |
buckets/{name}/ |
acme-orders-aaa |
/orders/{empty}order_date |
Empty string |
{start}/objects/data_lake |
projects/_/buckets/acme-orders-aaa |
orders/{end} |
order_date=2019-11-03/aef87g87ae0876 |
{all} |
projects/_/buckets/acme-orders-aaa/objects/data_lake/orders/ |
/orders/{none}/order_date= |
Empty string |
/orders/order_date=2019-11-03/ |
Empty string |
If you extract a string that represents a date, you can use the
date/time functions and operators on this page to convert the
extracted value to a Timestamp
. For examples, see
Configuring resource-based access.