Requesting Access

How to request access to Google Cloud permissions, roles, and resources through the P0 bot

Requesting from Slack

Open the P0 request modal by typing the command /p0 request in any Slack channel, then select Google Cloud as the resource.

You'll see an "Access type" field with 3 options: "Role", "Permissions", and "Resource Within GCloud".

  • "Role": Select this option if you would like to request access to an existing GCP role. This can either be a predefined role or a custom role within the project, and the access will be granted on the entire project. See Role Requests for details.

  • "Permissions": Select this option if you would like to request access to a list of Google IAM permissions. This access will be granted on the entire project. See Permission Requests for details.

  • "Resource Within GCloud": Select this option if you'd like to request access restricted to a specific resource, rather than on the entire project. You'll specify a resource name and get access only to that resource (and child resources, if applicable). The supported types for this option are Compute Engine Requests and Cloud Storage Requests.

Role Requests

If you need access to a predefined role, you can request a role assignment. This will grant you the role for a certain amount of time and then automatically remove the binding when the access expires.

Project: The project you'd like access to.

Role: The ID of the existing Google IAM role you'd like to request. You'll see a list of options once you type a few characters.

Reason: Optionally, provide a reason to be communicated to the approver(s).

Then click the button to submit the request, and see Next Steps.

Permission Requests

If you know which IAM permissions you need, you can directly request access to specific permissions. This request creates an ephemeral role containing only the permissions you have requested. When the request expires, the role will be deleted.

To start, select "Permissions" in the access type dropdown.

Project: The project you'd like access to.

Permissions: The Google IAM permissions you'd like to request, with multiple permissions separated by spaces.

Reason: Optionally, provide a reason to be communicated to the approver(s).

Then click the button to submit the request, and see Next Steps.

Cloud Storage Requests

This lets you request access restricted to specific Google Cloud Storage buckets, folders, and files. You'll specify the name of the bucket or object in the same format you'd use with the gsutil CLI.

Requesting access to a bucket gives you access to all files and folders within the bucket (but not other buckets). Similarly, requesting access to a folder gives you access to all files within that folder (but not other folders). Requesting access to a file gives access to only that single file.

To start, select "Resource within GCloud" as the "Access type", and then select "Cloud Storage" as the resource within GCloud.

Project: The project you'd like access to.

Access: The type of access you want for this resource. You can request read, write, admin, or an existing Google IAM role. See Cloud Storage for a detailed reference of what permissions each access shortcut grants.

gs://: The path to the resource you want access to. This should be in the format bucket_name/path_to_object. For example, test-bucket, or test-bucket/test-folder/test-file.

Reason: Optionally, provide a reason to be communicated to the approver(s).

Then click the button to submit the request, and see Next Steps.
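The bucket, folder, and file scope rules above, modelled as an added example (not P0's code and not part of the original page) that a requester or approver can use to check what a requested path would cover. The function names parse_request_path and covers are hypothetical, and accepting a gs:// prefix or a trailing slash is an assumption.

```python
# Added example: a model of the scope rules described on this page.
# It is not P0's implementation; names and input leniency are assumptions.
from typing import NamedTuple, Optional


class GcsPath(NamedTuple):
    bucket: str
    object_path: Optional[str]  # None means the whole bucket


def parse_request_path(value: str) -> GcsPath:
    """Parse 'bucket_name/path_to_object'; a leading gs:// is tolerated."""
    value = value.strip()
    if value.startswith("gs://"):
        value = value[len("gs://"):]
    bucket, _, rest = value.partition("/")
    if not bucket:
        raise ValueError("missing bucket name")
    rest = rest.rstrip("/")  # 'test-folder/' and 'test-folder' name the same folder
    return GcsPath(bucket, rest or None)


def covers(granted: str, target: str) -> bool:
    """Return True if access granted on `granted` includes `target`."""
    g, t = parse_request_path(granted), parse_request_path(target)
    if g.bucket != t.bucket:
        return False  # a grant never reaches into other buckets
    if g.object_path is None:
        return True  # bucket grant: every folder and file inside it
    if t.object_path is None:
        return False  # a folder or file grant does not cover the bucket
    # Exact match (single file) or a child below the "/" folder boundary.
    # A bare startswith() would let test-folder also match test-folder-2.
    return (t.object_path == g.object_path
            or t.object_path.startswith(g.object_path + "/"))


if __name__ == "__main__":
    # Constructed sample paths, based on the page's test-bucket example.
    grant = "test-bucket/test-folder"
    for target in ("test-bucket/test-folder/test-file",
                   "test-bucket/test-folder-2/test-file",
                   "other-bucket/test-folder/test-file"):
        print(f"{grant} covers {target}: {covers(grant, target)}")
```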

Compute Engine Requests

This lets you request access restricted to specific Compute Engine VM instances or zones. You'll specify either a zone or the zone/instance_name path.

Requesting access to a zone gives you access to all VM instances in the zone (but not other zones), and requesting access to an instance will give access to only that VM instance.

To start, select "Resource within GCloud" as the "Access type", and then select "Compute Engine" as the resource within GCloud.

Project: The project you'd like access to.

Access: The type of access you want for this resource. You can request view, edit, admin, create, ssh, or an existing Google IAM role. See Compute Engine for a detailed reference of what permissions each access shortcut grants.

Zone or zone/instance: The zone or instance you want access to. You can either provide just a zone, or an instance in the format zone_name/instance. For example, us-central-1a, or us-central-1a/test-instance.

Service account email: Optionally, the Google service account attached to the VM instance you are requesting access to. You can obtain this email address by running gcloud compute instances describe INSTANCE-NAME | grep serviceAccounts -A 1. If a service account exists, providing its email is required for SSH access, and for create access if you want to create a VM with an attached service account.

Reason: Optionally, provide a reason to be communicated to the approver(s).

Then click the button to submit the request, and see Next Steps.

Next Steps

Once you submit the request, you will get a Slack message from the p0 bot confirming your request creation. The p0 bot will also send a message to the approvers in the Slack channel designated by your org admin.

  1. If your request is approved, you will receive a message from the p0 bot saying that your access has been granted and letting you know when it will expire. You can go ahead and use the permission.

  2. If you are on-call (on a PagerDuty schedule), and your org admin has enabled PagerDuty routing, your access may be automatically approved for 1 hour.

  3. After your request is approved, you'll see a “relinquish” button on the Slack message from the p0 bot. You can optionally use this button to let go of your access early if you finish what you wanted to do before the expiration date. This will revoke the access, and you will need to make another request if you need it again.

  4. If you wait for the access to expire, you will get a message that it has expired once it does.

  5. If your request is denied, you'll get a message letting you know.
