Requesting Access
How to request access to Google Cloud permissions, roles, and resources through the P0 bot
Last updated
This topic describes how to request access using the P0 Slack bot. It contains the following sections:
To request access using the Slack bot:
Open Slack and send /p0 request as a Slack message in any DM or Slack channel. This opens the P0 request modal:
Select the resource:
Select an Access type for the request; a set of configurable fields then appears for that request type (if any). Fill out the relevant information for your request. For more information about each request type and its configurable fields, see the access types described below.
(Optional) Select the Project to request access.
In the Reason access is needed field, explain to the approvers why you are requesting access.
(Optional) Set Requested access duration to the amount of time you need access.
Click Request to initiate the request process. The Slack bot will:
Generate a message confirming your request creation.
Send a message to the approvers in the Slack channel designated by your organization's admin.
The following describes how P0 handles different scenarios:
If your request is approved, the Slack bot generates a message in the p0-requests Slack channel, indicating your access has been granted, and when it will expire.
If you are on-call (on a PagerDuty schedule) and your organization's admin has enabled PagerDuty routing, your access may be automatically approved for one hour.
Your request must be approved or denied by an authorized member of your organization. Once it has been approved or denied, you will have options to change or update your request within the P0 Security Slack DM.
To learn more, see the following subsections:
After your request is approved, the Slack bot displays a Relinquish button within the P0 Security Slack DM, with a link to the original p0-requests channel. You can use this button to remove your access early, if you finish using it before it expires.
Once access expires (either by timing out or via the Relinquish button), the Slack bot sends an expiration message in both the P0 Security Slack DM and the p0-requests channel.
If your request is denied, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for denial.
Example from the P0 Security Slack DM:
Example from the p0-requests channel:
If there is an error with your request, due to prerequisite permissions issues, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for the error.
Example from the P0 Security Slack DM:
Example from the p0-requests channel:
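The request lifecycle described above (pending, then approved or denied, then relinquished or expired, with the one-hour on-call auto-approval) is shown here as an added, constructed Python model. It is not P0's code; the state names, field names, helper functions and the sample times and people are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Constructed model of the request lifecycle, not P0's code: state names,
# field names and helpers are assumptions made for this example.

ONCALL_AUTO_APPROVE = timedelta(hours=1)   # auto-approval window for on-call requesters
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class AccessRequest:
    requester: str
    reason: str
    duration: timedelta                  # "Requested access duration"
    status: str = "pending"              # pending | approved | denied | relinquished | expired
    granted_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    note: str = ""


def _grant(req: AccessRequest, now: datetime, duration: timedelta, note: str) -> None:
    req.status, req.granted_at, req.expires_at, req.note = "approved", now, now + duration, note


def create_request(requester: str, reason: str, duration: timedelta, now: datetime,
                   on_call: bool = False, pagerduty_routing: bool = False) -> AccessRequest:
    """Create a request; an on-call requester is auto-approved for one hour when routing is on."""
    if not reason.strip():
        raise ValueError("a reason for the approvers is required")
    req = AccessRequest(requester, reason, duration)
    if on_call and pagerduty_routing:
        _grant(req, now, ONCALL_AUTO_APPROVE, "auto-approved: requester is on-call")
    return req


def _check_pending(req: AccessRequest, approver: str, approvers: FrozenSet[str]) -> None:
    if req.status != "pending":
        raise ValueError(f"request is already {req.status}")
    if approver not in approvers:
        raise ValueError(f"{approver!r} is not an authorized approver")


def approve(req: AccessRequest, approver: str, now: datetime, approvers: FrozenSet[str]) -> AccessRequest:
    """Grant the requested duration, starting now; only an authorized approver may do this."""
    _check_pending(req, approver, approvers)
    _grant(req, now, req.duration, f"approved by {approver}")
    return req


def deny(req: AccessRequest, approver: str, reason: str, approvers: FrozenSet[str]) -> AccessRequest:
    _check_pending(req, approver, approvers)
    req.status, req.note = "denied", f"denied by {approver}: {reason}"
    return req


def refresh(req: AccessRequest, now: datetime) -> str:
    """Mark an approved grant as expired once its expiry time has passed; return the status."""
    if req.status == "approved" and req.expires_at is not None and now >= req.expires_at:
        req.status = "expired"
    return req.status


def relinquish(req: AccessRequest, now: datetime) -> AccessRequest:
    """The Relinquish button: end an active grant early."""
    if refresh(req, now) != "approved":
        raise ValueError(f"nothing to relinquish; request is {req.status}")
    req.status, req.expires_at = "relinquished", now
    return req


def is_active(req: AccessRequest, now: datetime) -> bool:
    return refresh(req, now) == "approved"


if __name__ == "__main__":
    approvers = frozenset({"bob"})
    r = create_request("alice", "investigate a production alert", hours(4), T0)
    approve(r, "bob", T0 + hours(0.25), approvers)
    print(r.status, "until", r.expires_at.isoformat())
    print("active after 5h:", is_active(r, T0 + hours(5)))
```

The expiry is computed from the approval time, not the request time, and every read of an approved request goes through refresh(), so a grant can never be reported active after its expiry even if no expiration message was ever delivered.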
You can request the following access types:
Role grants access to an existing predefined or custom GCP role within the project.
To request IAM role access, enter the ID of an existing Google IAM role in the Role field.
If you know which IAM permissions you need, you can directly request access to specific permissions.
To request permissions access, enter up to 10 Google IAM permissions in the Permissions field.
Resource access restricts the grant to a named resource within Google Cloud, rather than to the entire project.
Examples of resource requests include:
To request resource access:
Enter the resource name(s) in the Resource name field:
After you select a resource, set the relevant configurable fields.
You can request access that is restricted to the following Google Cloud Storage (GCS) resource types:
Buckets: All files and folders contained in the selected bucket(s).
Folders: All files contained in the selected folder(s).
Files: Individual file(s).
To enable access to a storage resource:
Type one of the following into the Resource name field:
The name of the bucket or object, using the same format that you would use for the gsutil CLI (e.g. p0-test-1).
The type of resource you want (e.g. storage bucket), to bring up a more comprehensive list of matching resources.
After you select a resource, the following configurable Google Cloud Storage fields are available:
File or folder (optional): Path to the file or folder within the Google resource, where you want access.
Google Compute Engine access provides restricted access to specific Compute Engine virtual machine (VM) zones. Zone access enables you to access all selected VM instances in the zone (but not other zones).
To enable access to a zone:
Specify the zone in the Resource name field.
After you select a zone, the following configurable Google Compute Engine fields are available:
Service account email (optional): the Google service account attached to the VM instance you are requesting access for. You can run the following command to obtain the associated email address:
gcloud compute instances describe INSTANCE-NAME | grep serviceAccounts -A 1
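The request fields described in the access-type sections above (a role ID, up to 10 permission IDs, a gsutil-style storage name with an optional file or folder path, a Compute Engine zone, and an access shortcut or role) are validated here in an added Python example. It is not P0's code: the resource-kind names "storage" and "compute", the regular expressions, and every limit other than the 10-permission cap stated on the page are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed validator for the request fields, not P0's code: the regular
# expressions, the kind names and all limits except MAX_PERMISSIONS are assumptions.

MAX_PERMISSIONS = 10  # cap stated on the page

_ROLE_RE = re.compile(
    r"^(roles/[A-Za-z0-9_.]+"                               # predefined role
    r"|projects/[a-z][a-z0-9-]*/roles/[A-Za-z0-9_.]+"        # project custom role
    r"|organizations/\d+/roles/[A-Za-z0-9_.]+)$"             # organization custom role
)
_PERM_RE = re.compile(r"^[a-z][a-z0-9]*(\.[A-Za-z0-9]+){2,}$")  # service.resource.verb
_ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d+-[a-z]$")               # e.g. us-central1-a
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")  # 3-63 chars

# Access shortcuts offered per resource kind (kind names are this example's assumption).
ACCESS_SHORTCUTS = {
    "storage": {"read", "write", "admin"},
    "compute": {"view", "edit", "admin", "create", "ssh"},
}


def validate_role(role: str) -> str:
    """Accept a predefined or custom IAM role ID."""
    role = role.strip()
    if not _ROLE_RE.match(role):
        raise ValueError(f"not a Google IAM role ID: {role!r}")
    return role


def validate_permissions(perms: List[str]) -> List[str]:
    """Trim, deduplicate, check the permission-ID shape and enforce the 10-permission cap."""
    cleaned = sorted({p.strip() for p in perms if p.strip()})
    bad = [p for p in cleaned if not _PERM_RE.match(p)]
    if bad:
        raise ValueError(f"malformed permission IDs: {bad}")
    if not cleaned:
        raise ValueError("at least one permission is required")
    if len(cleaned) > MAX_PERMISSIONS:
        raise ValueError(f"{len(cleaned)} permissions requested; the limit is {MAX_PERMISSIONS}")
    return cleaned


def parse_storage_resource(name: str) -> Tuple[str, str]:
    """Split a gsutil-style name (gs://bucket/path, bucket/path or bucket) into (bucket, path)."""
    name = name.strip()
    if name.startswith("gs://"):
        name = name[len("gs://"):]
    bucket, _, path = name.partition("/")
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"not a valid bucket name: {bucket!r}")
    return bucket, path.strip("/")   # path maps to the "File or folder" field


def validate_zone(zone: str) -> str:
    zone = zone.strip()
    if not _ZONE_RE.match(zone):
        raise ValueError(f"not a Compute Engine zone: {zone!r}")
    return zone


def validate_access(access: str, resource_kind: str) -> str:
    """Accept a shortcut valid for this resource kind, or an explicit IAM role ID."""
    access = access.strip()
    if access in ACCESS_SHORTCUTS.get(resource_kind, set()):
        return access
    if access.startswith(("roles/", "projects/", "organizations/")):
        return validate_role(access)
    raise ValueError(f"{access!r} is neither an access shortcut for {resource_kind} nor an IAM role")


if __name__ == "__main__":
    print(validate_permissions(["storage.objects.get", "storage.objects.list"]))
    print(parse_storage_resource("gs://p0-test-1/logs/2024/"))   # constructed name
    print(validate_zone("us-central1-a"), validate_access("ssh", "compute"))
```

Shortcuts are checked against the set for the selected resource kind, so a Compute Engine shortcut such as ssh is rejected on a storage request rather than silently granting something broader; an explicit role ID is always accepted for either kind, matching the "or an existing Google IAM role" option on the Access field.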
In summary, the access types are:
Role: Access to an existing Google Cloud Platform (GCP) role.
Permissions: Access to specific permissions.
Resource: Access restricted to one of the resources by name, rather than to the entire project.
Google Cloud Storage: Access to all files and folders within the specified container (bucket, folder, or files).
Google Compute Engine: Access to specific Compute Engine virtual machine (VM) instances or zones.
Access (Google Cloud Storage resources): Type of access for this resource. You can request read, write, admin, or an existing Google IAM role. A separate reference lists the exact permissions each access shortcut grants.
Access (Google Compute Engine zones): Type of access for this resource. You can request view, edit, admin, create, ssh, or an existing Google IAM role. A separate reference lists the exact permissions each access shortcut grants.