Requesting Access

How to request access to Google Cloud permissions, roles, and resources through the P0 bot

Last updated 3 months ago

This topic describes how to request access using P0's Slack bot. It contains the following sections:

  • Request Permissions Using the Slack Bot

  • Slack Bot Request Approval, Denial, and Errors

  • Request Access Types

Request Permissions Using the Slack Bot

To request access using the Slack bot:

  1. Open Slack and send /p0 request as a Slack message in any DM or Slack channel. This opens the P0 request modal:

  2. Select the resource:

  3. Select an Access type request. A set of configurable fields appears for your request type (if any). Fill out the relevant information for your request. For more information about each request type and its configurable fields, see Request Access Types below.

  4. (Optional) Select the Project to request access to.

To ensure your project appears on this list, ensure:

  • The project is installed with P0 IAM management 2.

  • The end user has a matching request-routing rule in place.

  5. Enter a Reason access is needed, explaining to the approvers why you are requesting access.

This step may be required or optional, depending on the routing rule settings.

  6. (Optional) Set Requested access duration to the amount of time you need access. Request the shortest duration that covers the task: access is removed automatically when it expires, and you can re-request it if you need more time.

  7. Click Request to initiate the request process. The Slack bot will:

    • Generate a message confirming your request creation.

    • Send a message to the approvers in the Slack channel designated by your organization's admin.

    The following describes how P0 handles different scenarios:

    • If your request is approved, the Slack bot posts a message in the p0-requests Slack channel indicating that your access has been granted and when it will expire.

    • If you are on-call (on a PagerDuty schedule) and your organization's admin has enabled PagerDuty routing, your access may be automatically approved for one hour.

Slack Bot Request Approval, Denial, and Errors

Your request must be approved or denied by an authorized member of your organization. Once it is approved or denied, you have options to change or update your request within the P0 Security Slack DM.

On occasion you may run into request errors; the bot notifies you during your request.

To learn more, see the following subsections:

  • Slack Bot Request Approval

  • Slack Bot Request Denial

  • Request Access Error

Slack Bot Request Approval

After your request is approved, the Slack bot displays a Relinquish button within the P0 Security Slack DM, with a link to the original p0-requests channel. Use this button to remove your access early if you finish before the expiration time; relinquishing promptly shortens the window in which the access can be used.

This revokes the access, and you must make another request if you need it again.

Once access expires (either by timing out or via the Relinquish button), the Slack bot sends an expiration message from the P0 Security app Slack DM and in the p0-requests channel.

If you need to extend your session, you may re-request the same access using the Request Access button.

Slack Bot Request Denial

If your request is denied, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for denial.

Example from the P0 Security Slack DM:

Example from the p0-requests channel:

Request Access Error

If there is an error with your request, for example due to a prerequisite permission issue, the Slack bot sends a message from the P0 Security Slack DM and in the p0-requests channel indicating the reason for the error.

Example from the P0 Security Slack DM:

Example from the p0-requests channel:

Request Access Types

You can request the following access types:

  • Role: Access to an existing Google Cloud Platform (GCP) role.

  • Permissions: Access to specific permissions.

  • Resource within Google Cloud: Access restricted to one resource by name, rather than to the entire project.

Role Access

Role grants access to an existing predefined or custom GCP role within the project.

Access is granted for the entire project, for the selected duration. The binding is removed automatically when the access expires.

Because the binding is project-wide, a broad role such as Owner or Editor grants far more than most tasks need. If you know the permissions or the resource you need, prefer a Permissions or Resource within Google Cloud request instead.

To request IAM role access, enter the ID of an existing Google IAM role in the Role field (for example, roles/storage.objectViewer for a predefined role).

A list of auto-suggest options appears as you type.

Set up Permissions Access

If you know which IAM permissions you need, you can request access to those specific permissions directly.

This request creates an ephemeral (time-limited) custom role that contains only the requested permissions, granted for the entire project. When the access expires, the grant is removed.

To request permissions access, enter up to 10 Google IAM permissions in the Permissions field, using the full permission ID (for example, storage.objects.get).

Use spaces, not commas, to separate multiple permissions.

Set up a Resource within Google Cloud Access

Resource within Google Cloud access restricts access to a single named resource, rather than to the entire project. It is the narrowest of the three request types and the one to prefer when the task touches only one bucket, folder, object, or zone.

Examples of resource requests include:

  • Cloud Storage Requests: Access to all files and folders within the specified container (bucket, folder, or files).

  • Google Compute Engine: Access to specific Compute Engine virtual machine (VM) instances or zones.

To request resource access:

  1. Enter the resource name(s) in the Resource name field:

  2. After you select a resource, set the relevant configurable fields.
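The three request types above differ only in what is bound and at what scope, so the check a requester or approver most wants after approval is the same in each case: which roles did the grant actually add for the principal, does an ephemeral role carry only the permissions that were asked for, and are the bindings gone once the access expires. The script below is an added example, not P0's code or part of its documentation. It assumes you captured the IAM policy with gcloud projects get-iam-policy PROJECT_ID --format=json (or, for a bucket-scoped resource request, gsutil iam get gs://BUCKET, which uses the same bindings format) before the grant, while it was active, and after expiry, and the ephemeral role with gcloud iam roles describe. The policies, the principal alice@example.com, the project example-project and the custom role name jitEphemeralRole are constructed samples, and the permission-ID regex is a heuristic for catching typos and comma-separated input in the Permissions field, not Google's authoritative grammar.

```python
"""Check what a just-in-time Google Cloud grant added, and that it is gone after expiry.

Added example; not P0's code. Inputs are in the JSON format produced by
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud iam roles describe ROLE_ID --project PROJECT_ID --format=json
  gsutil iam get gs://BUCKET          (same binding format, bucket scope)
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of a Google IAM permission ID: service.resource.verb (e.g. storage.objects.get).
# Heuristic for catching typos and comma-separated input before the request is sent;
# it is not Google's authoritative grammar.
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*(\.[A-Za-z0-9]+){2,}$")
MAX_PERMISSIONS = 10  # limit of the Permissions field as documented above


def check_permissions_field(field: str) -> tuple[list[str], list[str]]:
    """Validate the space-separated Permissions field.

    Returns (accepted permission IDs in order, problems). An empty problems list
    means the field is well-formed and within the 10-permission limit.
    """
    perms: list[str] = []
    problems: list[str] = []
    for token in field.split():
        if not PERMISSION_RE.match(token):
            problems.append(f"malformed permission ID: {token!r}")
        elif token in perms:
            problems.append(f"duplicate permission: {token}")
        else:
            perms.append(token)
    if len(perms) > MAX_PERMISSIONS:
        problems.append(f"{len(perms)} permissions listed; the field accepts at most {MAX_PERMISSIONS}")
    return perms, problems


def roles_for_member(policy: dict, member: str) -> frozenset[str]:
    """Roles bound to `member` (e.g. 'user:alice@example.com') in an IAM policy document."""
    return frozenset(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


@dataclass(frozen=True)
class GrantDiff:
    added: frozenset[str]    # roles bound to the member in `after` but not in `before`
    removed: frozenset[str]  # roles bound to the member in `before` but not in `after`


def grant_diff(before: dict, after: dict, member: str) -> GrantDiff:
    """Compare two policy snapshots for one principal."""
    b, a = roles_for_member(before, member), roles_for_member(after, member)
    return GrantDiff(added=a - b, removed=b - a)


def excess_permissions(role_definition: dict, requested: list[str]) -> frozenset[str]:
    """Permissions an ephemeral custom role carries beyond the ones that were requested."""
    return frozenset(role_definition.get("includedPermissions", [])) - frozenset(requested)


# --- Constructed sample data (not real gcloud output) --------------------------
MEMBER = "user:alice@example.com"
ROLE_ID = "projects/example-project/roles/jitEphemeralRole"  # hypothetical custom role name
REQUESTED = ["storage.objects.get", "storage.objects.list"]

POLICY_BEFORE = {
    "version": 1, "etag": "BwXa",
    "bindings": [{"role": "roles/viewer", "members": [MEMBER, "user:bob@example.com"]}],
}
POLICY_DURING = {
    "version": 1, "etag": "BwXb",
    "bindings": POLICY_BEFORE["bindings"] + [{"role": ROLE_ID, "members": [MEMBER]}],
}
POLICY_AFTER = {"version": 1, "etag": "BwXc", "bindings": POLICY_BEFORE["bindings"]}

# An ephemeral role that carries one permission more than was requested.
ROLE_DURING = {"name": ROLE_ID, "includedPermissions": REQUESTED + ["storage.buckets.get"]}


def audit(before: dict, during: dict, after: dict, member: str,
          role_definition: dict | None = None, requested: list[str] | None = None) -> list[str]:
    """Run the full check and return human-readable findings (empty list = clean)."""
    findings: list[str] = []
    granted = grant_diff(before, during, member)
    if not granted.added:
        findings.append("grant added no roles for the member")
    if granted.removed:
        findings.append(f"grant removed pre-existing roles: {sorted(granted.removed)}")
    if role_definition is not None and requested is not None:
        extra = excess_permissions(role_definition, requested)
        if extra:
            findings.append(f"ephemeral role carries unrequested permissions: {sorted(extra)}")
    leftover = roles_for_member(after, member) - roles_for_member(before, member)
    if leftover:
        findings.append(f"roles still bound after expiry: {sorted(leftover)}")
    return findings


if __name__ == "__main__":
    for line in audit(POLICY_BEFORE, POLICY_DURING, POLICY_AFTER, MEMBER, ROLE_DURING, REQUESTED):
        print(line)
```

Run it against three real snapshots by loading them with json.load in place of the constructed dictionaries. For a Role request the expected outcome is exactly one role in added and nothing left over after expiry; for a Permissions request, additionally, an empty excess set; for a bucket-scoped resource request, feed the bucket policy rather than the project policy and confirm the project policy itself shows no added roles.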

Set up Cloud Storage Requests

You can request access that is restricted to the following Google Cloud Storage (GCS) resource types:

  • Buckets: All files and folders contained in the selected bucket(s).

  • Folders: All files contained in the selected folder(s).

  • Files: Individual file(s).

To enable access to a storage resource:

  1. Type one of the following into the Resource name field:

    • The name of the bucket or object, using the same format you would use for the gsutil CLI (e.g. p0-test-1).

    • The type of resource you want (e.g. storage bucket), to bring up a more comprehensive list of matching resources.

As you type, a list of matching resources appears in the corresponding dropdown, with headers for the type of resource listed. In this example, Storage Bucket is the header for the list of selectable storage buckets.

  2. After you select a resource, the following configurable Google Cloud Storage fields are available:

    • File or folder (optional): Path to the file or folder within the selected bucket to which you want access. If you leave it empty, the request covers the whole bucket, so set it whenever a single folder or object is enough.

    • Access: Type of access for this resource. You can request read, write, admin, or an existing Google IAM role. See the Cloud Storage permissions reference for a detailed list of the permissions each access shortcut grants.

Set up Google Compute Engine Access

Google Compute Engine access provides restricted access to specific Compute Engine virtual machine (VM) zones. Zone access lets you access all selected VM instances in the zone (but not in other zones).

To enable access to a zone:

  1. Specify the zone in the Resource name field.

The dropdown list indicates the type of resources listed. In this case, Compute Zone is shown, which indicates the list contains selectable zones.

  2. After you select a zone, the following configurable Google Compute Engine fields are available:

    • Service account email (optional): The Google service account attached to the VM instance you are requesting access to. You can obtain its email address with: gcloud compute instances describe INSTANCE-NAME --zone ZONE --format='value(serviceAccounts[].email)' (equivalently, gcloud compute instances describe INSTANCE-NAME --zone ZONE | grep -A 1 serviceAccounts shows the same field in the full description).

    • Access: Type of access for this resource. You can request view, edit, admin, create, ssh, or an existing Google IAM role. See the Compute Engine permissions reference for a detailed list of the permissions each access shortcut grants.

If you want to create a VM with an attached service account, you must provide an existing service account email for ssh and create access. Anyone who can SSH to a VM can obtain tokens for its attached service account from the instance metadata server, so name only the service account the VM actually needs.
