Requesting Access
How to request access to Google Cloud permissions, roles, and resources through the P0 bot
This topic describes how to request access using P0's Slack bot, what happens after a request is submitted, and which access types you can request.
To request access using the Slack bot:
Open Slack and send /p0 request as a Slack message in any DM or Slack channel. This opens the P0 request modal:
Select the resource:
Select an Access type for the request. A set of configurable fields (if any) appears for the selected request type; fill in the information relevant to your request. For details on each request type and its configurable fields, see Request Access Types.
(Optional) Select the Project for which to request access.
For your project to appear in this list, ensure that:
The project is installed with P0 IAM management 2.
The end user has a matching request-routing rule in place.
Enter a Reason access is needed, explaining to the approvers why you are requesting access.
Depending on the routing rule settings, this step may be required or optional.
(Optional) Set Requested access duration to the amount of time you need access.
Click Request to initiate the request process. The Slack bot will:
Generate a message confirming your request creation.
Send a message to the approvers in the Slack channel designated by your organization's admin.
The following describes how P0 handles different scenarios:
If your request is approved, the Slack bot generates a message in the p0-requests Slack channel, indicating your access has been granted, and when it will expire.
If you are on-call (on a PagerDuty schedule) and your organization's admin has enabled PagerDuty routing, your access may be automatically approved for one hour.
Otherwise, your request must be approved or denied by an authorized member of your organization. Once it is approved or denied, you will have options to change or update your request within the P0 Security Slack DM.
On occasion you may run into request errors, and the bot will notify you during your request.
To learn more see the following subsections:
After your request is approved, the Slack bot displays a Relinquish button within the P0 Security Slack DM, with a link to the original p0-requests channel. Use this button to remove your access early if you finish using it before it expires.
Relinquishing revokes the access; you must make another request if you need it again.
Once access expires (either by timing out or via the Relinquish button), the Slack bot sends an expiration message from the P0 Security app Slack DM and in the p0-requests channel.
You may re-request the same access using the Request Access button, if you need to extend your session.
If your request is denied, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for denial.
Example from the P0 Security Slack DM:
Example from the p0-requests channel:
If there is an error with your request, due to prerequisite permissions issues, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for the error.
Example from the P0 Security Slack DM:
Example from the p0-requests channel:
You can request the following access types:
Role: Access to an existing Google Cloud Platform (GCP) role.
Permissions: Access to specific permissions.
Resource within Google Cloud: Access is restricted to one of the resources by name, rather than on the entire project.
Role access grants an existing predefined or custom GCP role within the project.
Access is granted for the entire project for the requested duration. The role binding is automatically removed when the access expires.
To request IAM role access, enter the ID of an existing Google IAM role in the Role field.
A list of auto-suggest options appears as you type.
If you know which IAM permissions you need, you can directly request access to specific permissions.
This request creates an ephemeral (time-limited) custom role containing only the requested permissions, granted for the entire project. When the request expires, the permissions are removed.
To request permissions access, enter up to 10 Google IAM permissions in the Permissions field.
Use spaces to separate multiple permissions.
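Because both Role and Permissions requests are meant to leave no binding behind once they expire or are relinquished, a practitioner will usually want to verify that from the project's IAM policy itself. The following added example (not P0's code) audits the JSON that gcloud projects get-iam-policy PROJECT --format=json would produce for a given principal; the policy, project ID, role names and member addresses are constructed sample data, and it only understands expiry conditions written in the standard request.time < timestamp("...") form.

```python
"""Report which IAM bindings a principal still holds in a GCP project policy."""
import json
import re
from datetime import datetime, timezone

# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json`.
# The project ID, role names and members are placeholders, not real values.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "projects/demo-proj/roles/ephemeral_ab12",  # hypothetical custom role
         "members": ["user:bob@example.com"],
         "condition": {"title": "expiry",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}},
    ]
})

# Matches the standard IAM expiry condition; other CEL expressions are treated as unconditional.
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def bindings_for(policy_json, member, now=None):
    """Return the roles `member` still holds ("live") and those whose
    expiry condition has already passed ("expired") as of `now`."""
    now = now or datetime.now(timezone.utc)
    policy = json.loads(policy_json)
    live, expired = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        expression = binding.get("condition", {}).get("expression", "")
        match = EXPIRY_RE.search(expression)
        if match:
            expiry = datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
            if expiry <= now:
                expired.append(binding["role"])
                continue
        live.append(binding["role"])
    return {"live": live, "expired": expired}


if __name__ == "__main__":
    # A binding that is still present but past its expiry is a cleanup gap worth raising.
    print(bindings_for(SAMPLE_POLICY, "user:bob@example.com"))
```

Run it against real output by replacing SAMPLE_POLICY with the JSON gcloud prints; any role listed under "expired" or an unexpected one under "live" means the grant was not actually cleaned up.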
Resource within Google Cloud access restricts access to a specific resource by name, rather than granting it on the entire project.
Examples of resource requests include:
Cloud Storage Requests: Access to all files and folders within the specified container (bucket, folder, or files).
Google Compute Engine: Access to specific Compute Engine virtual machine (VM) instances or zones.
To request resource access:
Enter the resource name(s) in the Resource name field:
After you select a resource, set the relevant configurable fields.
You can request access that is restricted to the following Google Cloud Storage (GCS) resource types:
Buckets: All files and folders contained in the selected bucket(s).
Folders: All files contained in the selected folder(s).
Files: Individual file(s).
To enable access to a storage resource:
Type one of the following into the Resource name field:
Name of the bucket or object, using the same format that you would use for the gsutil CLI (e.g. p0-test-1).
Type of resource you want (e.g. storage bucket), to bring up a more comprehensive list of matching resources.
As you type, a list of matching resources appears in the corresponding dropdown, which includes headers for the type of resources listed. In this example, Storage Bucket is the header for the list of selectable storage buckets.
After you select a resource, the following configurable Google Cloud Storage fields are available:
Access: Type of access for this resource. You can request read, write, admin, or an existing Google IAM role. See Cloud Storage for a detailed reference of the permissions each access shortcut grants.
File or folder (optional): Path to the file or folder within the Google resource, where you want access.
Google Compute Engine access provides restricted access to specific Compute Engine virtual machine (VM) zones. Zone access lets you access all VM instances in the selected zone (but not in other zones).
To enable access to a zone:
Specify the zone in the Resource name field.
The dropdown list indicates the type of resources listed. In this case, the Compute Zone header indicates that the list contains selectable zones.
After you select a zone, the following configurable Google Compute Engine fields are available:
Access: Type of access for this resource. You can request view, edit, admin, create, ssh, or an existing Google IAM role. See Compute Engine for a detailed reference of the permissions each access shortcut grants.
Service account email (optional): Google service account attached to the VM instance for which you are requesting access. You can run the following command to obtain the associated email address:
gcloud compute instances describe INSTANCE-NAME | grep serviceAccounts -A 1
If you want to create a VM with an attached service account, you must provide an existing service account email when requesting ssh or create access.