# Google Cloud Filtering

We'll go through all the available access-types for Google Cloud request filtering.

### Filtering permission requests

To filter on permission requests, we can use the `permission` access-type. There is a single available key, `id`, which refers to the permission ID (list available in Google's docs [here](https://cloud.google.com/iam/docs/permissions-reference)).

#### Rule structure:

```
resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>
```

#### Allow requesting only BigQuery permissions

```
resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep
      key: id
      pattern: ^bigquery.
```

#### Allow requesting any permissions except compute.instances.delete

```
resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: remove
      key: id
      pattern: ^compute.instances.delete$
```

### Filtering role requests

To filter on role requests, we can use the `role` access-type. There is a single available key, `id`, which refers to the role ID (list available in Google's docs [here](https://cloud.google.com/iam/docs/understanding-roles)). Note that this is the ID that is prefixed with `roles/`.

#### Rule structure:

```
resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>
```

#### Allow requesting only compute roles

```
resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep
      key: id
      pattern: ^roles/compute.
```

#### Allow requesting any roles except the basic roles (viewer, editor, owner)

```
resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: remove
      key: id
      pattern: ^roles/editor$|^roles/viewer$|^roles/owner$
```

### Filtering resource requests

To filter on resource requests, we can use the `resource` access-type. There are three available keys:

* `name`: This is the name of the resource.
* `type`: This is the type of the resource. The available values for `type` are below:

| Resource type        | "type" value     |
| -------------------- | ---------------- |
| BigQuery Dataset     | `dataset`        |
| BigQuery Table       | `table`          |
| Compute Zone         | `zone`           |
| Compute Instance     | `instance`       |
| IAM Service Account  | `serviceaccount` |
| Cloud Storage Bucket | `bucket`         |
| Cloud Storage Object | `object`         |

* `full-resource-name`: This is the Google API full resource name, including the service, type, and name. Available formats for the `full-resource-name` are below.

| Resource type        | "full-resource-name" value                                                              |
| -------------------- | --------------------------------------------------------------------------------------- |
| BigQuery Dataset     | `//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME`                   |
| BigQuery Table       | `//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME` |
| Compute Zone         | `//compute.googleapis.com/zones/ZONE_NAME`                                              |
| Compute Instance     | `//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/INSTANCE_NAME`  |
| IAM Service Account  | `//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL`        |
| Cloud Storage Bucket | `//storage.googleapis.com/BUCKET_NAME`                                                  |
| Cloud Storage Object | `//storage.googleapis.com/BUCKET_NAME/objects/OBJECT_PATH`                              |

#### Rule structure:

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|type|full-resource-name
      pattern: <regex pattern>
```

#### Allow requesting only the BigQuery Dataset "customer-data" in project "test"

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//bigquery.googleapis.com/projects/test/datasets/customer-data$
```

#### Allow requesting any Cloud Storage bucket

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: type
      pattern: ^bucket$
```

#### Allow requesting any resource with "application-1" in the name

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: name
      pattern: application-1
```

#### Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a"

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: remove
      key: full-resource-name
      pattern: ^//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod
```

#### Allow requesting only Cloud Storage buckets with names starting with dev

```
resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//storage.googleapis.com/dev
```
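The following is an added example, not code from p0 or from this page: a small Python evaluator that reads the rule structure shown above (as a parsed dict) and runs the page's permission, role and resource examples against a constructed inventory, so you can see exactly which requests a pattern would leave open before deploying it. The filter semantics it implements are an assumption, since the page does not spell them out: the pattern is applied as an unanchored regex search against the selected key, `keep` retains only matching candidates, `remove` drops matching candidates, and `removeAll` drops everything. The project names, resource names and the helper names `filter_from_rule`, `apply_filter`, `surviving` and `rule` are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

Candidate = Dict[str, str]

# Assumed semantics (not stated on the page): the pattern is an unanchored regex
# search against the selected key, so "application-1" matches anywhere in a name
# while "^...$" patterns must match the whole value. "keep" retains only matching
# candidates, "remove" drops matching candidates, "removeAll" drops every candidate.
@dataclass(frozen=True)
class Filter:
    access_type: str  # permission | role | resource
    effect: str       # keep | remove | removeAll
    key: str          # id, or name | type | full-resource-name for resources
    pattern: str


def filter_from_rule(doc: dict) -> Filter:
    """Read the single filter out of the page's nested rule structure (a parsed dict)."""
    res = doc["resource"]
    if res.get("type") != "integration" or res.get("service") != "gcloud":
        raise ValueError("not a gcloud integration rule")
    (access_type, spec), = res["filters"].items()  # exactly one access-type per rule
    if spec["effect"] not in ("keep", "remove", "removeAll"):
        raise ValueError(f"unknown effect: {spec['effect']}")
    allowed_keys = {"permission": {"id"}, "role": {"id"},
                    "resource": {"name", "type", "full-resource-name"}}
    if spec["key"] not in allowed_keys[access_type]:
        raise ValueError(f"key {spec['key']!r} is not valid for {access_type}")
    re.compile(spec["pattern"])  # fail early on an invalid regex
    return Filter(access_type, spec["effect"], spec["key"], spec["pattern"])


def apply_filter(f: Filter, candidates: List[Candidate]) -> List[Candidate]:
    """Return the candidates a requester may still ask for after the filter runs."""
    if f.effect == "removeAll":
        return []
    regex = re.compile(f.pattern)
    if f.effect == "keep":
        return [c for c in candidates if regex.search(c[f.key])]
    return [c for c in candidates if not regex.search(c[f.key])]


def surviving(f: Filter, candidates: List[Candidate], show: str) -> List[str]:
    """Convenience view: the `show` field of every candidate that survives the filter."""
    return [c[show] for c in apply_filter(f, candidates)]


def rule(access_type: str, effect: str, key: str, pattern: str) -> dict:
    """Build the page's nested rule structure for one filter (what YAML parsing would yield)."""
    return {"resource": {"type": "integration", "service": "gcloud",
                         "filters": {access_type: {"effect": effect, "key": key, "pattern": pattern}}}}


# Constructed sample inventory (hypothetical project "test"; not real resources).
PERMISSIONS = [{"id": p} for p in (
    "bigquery.datasets.get", "bigquery.tables.getData",
    "compute.instances.delete", "compute.instances.get", "storage.objects.get")]
ROLES = [{"id": r} for r in (
    "roles/compute.admin", "roles/compute.viewer", "roles/editor",
    "roles/owner", "roles/storage.admin", "roles/viewer")]
RESOURCES = [
    {"name": "customer-data", "type": "dataset",
     "full-resource-name": "//bigquery.googleapis.com/projects/test/datasets/customer-data"},
    {"name": "orders", "type": "table",
     "full-resource-name": "//bigquery.googleapis.com/projects/test/datasets/customer-data/tables/orders"},
    {"name": "prod-web-1", "type": "instance",
     "full-resource-name": "//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod-web-1"},
    {"name": "dev-web-1", "type": "instance",
     "full-resource-name": "//compute.googleapis.com/projects/test/zones/us-west1-a/instances/dev-web-1"},
    {"name": "dev-logs", "type": "bucket",
     "full-resource-name": "//storage.googleapis.com/dev-logs"},
    {"name": "application-1/app.log", "type": "object",
     "full-resource-name": "//storage.googleapis.com/dev-logs/objects/application-1/app.log"},
    {"name": "prod-backups", "type": "bucket",
     "full-resource-name": "//storage.googleapis.com/prod-backups"},
]

if __name__ == "__main__":
    # The page's "buckets starting with dev" pattern has no end anchor, so it also keeps
    # objects inside those buckets; anchoring on a single path segment keeps buckets only.
    loose = filter_from_rule(rule("resource", "keep", "full-resource-name", "^//storage.googleapis.com/dev"))
    tight = filter_from_rule(rule("resource", "keep", "full-resource-name", "^//storage.googleapis.com/dev[^/]*$"))
    print("loose:", surviving(loose, RESOURCES, "name"))
    print("tight:", surviving(tight, RESOURCES, "name"))
```

Two things the run makes visible: a `full-resource-name` prefix such as `^//storage.googleapis.com/dev` also matches object names under a matching bucket (`//storage.googleapis.com/dev-logs/objects/...`), so add `[^/]*$` when only the bucket itself should be requestable; and the unescaped `.` in patterns like `^bigquery.` or `^compute.instances.delete$` matches any character, which is harmless against Google's published IDs but worth escaping as `\.` when a rule must be exact.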
