# Requesting Google Cloud access

This topic describes how to request access using [P0's Slack bot](https://docs.p0.dev/integrations/notifier-integrations/slack). It contains the following sections:

* [Request Permissions Using the Slack Bot](#request-permissions-using-the-slack-bot)
* [Slack Bot Request Approval, Denial, and Errors](#slack-bot-request-approval-denial-and-errors)
* [Request Access Types](#request-access-types)

## Request Permissions Using the Slack Bot

To request access using the Slack bot:

1. Open Slack and send `/p0 request` as a Slack message in any DM or Slack channel. This opens the P0 request modal:

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-1c2e6e3fb01b6da1ae6471f757f2067200c8fc75%2Fimage.png?alt=media" alt="" width="459"><figcaption></figcaption></figure>
2. Select the resource:

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-84da01fdc6992b972ea89224460858a83bd42207%2Fimage.png?alt=media" alt="" width="386"><figcaption></figcaption></figure>
3. Select an **Access type**. Any configurable fields for that access type then appear; fill them in for your request.\
   \
   For more information about each access type and its configurable fields, see [Request Access Types](#request-access-types).

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-bc3fddafd07ce42ba3fa8fb72714a1c87b7c47d0%2Fimage.png?alt=media" alt="" width="389"><figcaption></figcaption></figure>
4. (Optional) Select the **Project** in which you are requesting access.

{% hint style="info" %}
For a project to appear in this list:

* The project must be installed with P0 IAM management 2.
* You (the requesting user) must have a matching request-routing rule in place.
{% endhint %}

5. Enter a **Reason access is needed** that tells the approvers why you need the access.

{% hint style="info" %}
This step may be required or optional, depending on the routing rule settings.
{% endhint %}

6. (Optional) Set **Requested access duration** to the amount of time you need access.
7. Click **Request** to initiate the request process. The Slack bot will:

   * Generate a message confirming your request creation.
   * Send a message to the approvers in the Slack channel designated by your organization's admin.

   The following describes how P0 handles different scenarios:

   * If your request is approved, the Slack bot posts a message in the **p0-requests** Slack channel indicating that your access has been granted and when it will expire.

     <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-fee49c9649b9eb75fc23e6d9b15653f99fcc253a%2Fimage.png?alt=media" alt="" width="458"><figcaption></figcaption></figure>
   * If you are on-call (on a PagerDuty schedule) and your organization's admin has enabled PagerDuty routing, your access may be automatically approved for one hour.

## Slack Bot Request Approval, Denial, and Errors

Your request must be approved or denied by an authorized member of your organization. Once it has been approved or denied, you can change or update it from the **P0 Security** Slack DM.

{% hint style="info" %}
Occasionally a request fails with an error; the bot notifies you when this happens.
{% endhint %}

To learn more see the following subsections:

* [Slack Bot Request Approval](#slack-bot-request-approval)
* [Slack Bot Request Denial](#slack-bot-request-denial)
* [Request Access Error](#request-access-error)

### Slack Bot Request Approval

After your request is approved, the Slack bot displays a **Relinquish** button in the **P0 Security** Slack DM, with a link to the original **p0-requests** message. Use this button to give up your access early if you finish before it expires; holding access for no longer than you need is the point of the time-limited grant.

{% hint style="info" %}
This revokes the access, and you must make another request if you need it again.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-971103b391bdcad404d3c2dabe5468379f4929c6%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

Once access expires (either by timing out or via the **Relinquish** button), the Slack bot posts an expiration message in both the **P0 Security** Slack DM and the **p0-requests** channel.

{% hint style="info" %}
You may re-request the same access using the **Request Access** button, if you need to extend your session.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-de499347ead1c6c56a8044f2d934b889cfecc27d%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

### Slack Bot Request Denial

If your request is denied, the Slack bot sends a message from the **P0 Security** Slack DM and the **p0-requests** channel, indicating the reason for denial.

Example from the **P0 Security** Slack DM:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-8fc3b5d55e9916c298d0de76cedb701a984bad0e%2Fimage.png?alt=media" alt="" width="499"><figcaption></figcaption></figure>

Example from the **p0-requests** channel:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-859b59180192c2a32a7c9748c1b5ff217b4545bf%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

### Request Access Error

If your request fails, for example because of a prerequisite permissions issue, the Slack bot posts a message in both the **P0 Security** Slack DM and the **p0-requests** channel indicating the reason for the error.

Example from the **P0 Security** Slack DM:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-0a32beef095705e7557238ff0449888e69f80141%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

Example from the **p0-requests** channel:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-b1e2e76ca9c13a95335a42c9c1b1d3478f9113af%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

## Request Access Types

You can request the following access types:

* [**Role**](#role-access)**:** Access to an existing Google Cloud Platform (GCP) role.
* [**Permissions**](#set-up-permissions-access)**:** Access to specific permissions.
* [**Resource within Google Cloud**](#set-up-a-resource-within-google-cloud-access)**:** Access scoped to a single named resource rather than to the entire project.

### Role Access

Role grants access to an existing predefined or custom GCP role within the project.

{% hint style="info" %}
Access is granted on the entire project for the requested duration. The role binding is automatically removed when the access expires.
{% endhint %}

To request IAM role access, enter the ID of an existing Google IAM role in the **Role** field.

{% hint style="info" %}
A list of auto-suggest options appears as you type.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-35b8fa170011094a6c1f80f664eeef2f7de29206%2Fimage.png?alt=media" alt="" width="399"><figcaption></figcaption></figure>
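A Role request changes the project's IAM policy, so the most direct way to verify what was granted, and that it went away on expiry or relinquish, is to compare snapshots of `gcloud projects get-iam-policy PROJECT --format=json` taken before approval and after expiry. The following Python is an added example for this page, not P0 code: the policy below is constructed (placeholder project, principals and roles), and `grant`/`revoke` only simulate the binding P0 adds and removes so the comparison can run offline.

```python
import copy
from typing import Dict, Optional, Set, Tuple

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` output
# taken BEFORE the request is approved. Nothing here is real data.
POLICY_BEFORE = {
    "version": 3,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["group:platform-admins@example.com"]},
        {"role": "roles/compute.viewer",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ],
}


def roles_for_member(policy: dict, member: str) -> Dict[str, Optional[str]]:
    """Map each role bound directly to `member` to its IAM condition expression
    (None when the binding is unconditional).

    Matching is exact on the principal string, e.g. "user:alice@example.com";
    access Alice inherits through a group or a folder-level policy is not visible here.
    If a role appears in more than one binding for the member, the last one wins.
    """
    found: Dict[str, Optional[str]] = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            cond = binding.get("condition")
            found[binding["role"]] = cond["expression"] if cond else None
    return found


def has_role(policy: dict, member: str, role: str) -> bool:
    return role in roles_for_member(policy, member)


def diff_roles(before: dict, after: dict, member: str) -> Tuple[Set[str], Set[str]]:
    """Return (roles gained, roles lost) for `member` between two policy snapshots."""
    b = set(roles_for_member(before, member))
    a = set(roles_for_member(after, member))
    return a - b, b - a


def grant(policy: dict, member: str, role: str) -> dict:
    """Simulate the unconditional project-level binding added on approval (example only)."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke(policy: dict, member: str, role: str) -> dict:
    """Simulate removal of the binding on expiry or relinquish (example only)."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    # A binding with no members left is dropped rather than kept empty.
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


if __name__ == "__main__":
    me, role = "user:alice@example.com", "roles/compute.viewer"
    approved = grant(POLICY_BEFORE, me, role)
    expired = revoke(approved, me, role)
    print("after approval:", diff_roles(POLICY_BEFORE, approved, me))  # ({'roles/compute.viewer'}, set())
    print("after expiry:  ", diff_roles(approved, expired, me))        # (set(), {'roles/compute.viewer'})
    print("still held:    ", roles_for_member(expired, me))
```

Replace the constructed policies with two real `get-iam-policy` snapshots to check a live request: the gained set after approval should contain exactly the role you asked for, and the lost set after expiry should match it, with any pre-existing conditional bindings untouched.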

### Set up Permissions Access

If you know which IAM permissions you need, you can directly request access to specific permissions.

{% hint style="info" %}
This request creates an ephemeral (time-limited) role containing only the requested permissions, bound on the entire project. When the access expires, the role and the permissions it granted are removed.
{% endhint %}

To request permissions access, enter up to 10 Google IAM permissions in the **Permissions** field.

{% hint style="info" %}
Use spaces to separate multiple permissions requests.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-a815d462281ebee89f599f21db6e1ffe9a5e5a97%2Fimage.png?alt=media" alt="" width="398"><figcaption></figcaption></figure>
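Because the **Permissions** field is free text, it is worth checking the list before you submit it: at most 10 entries, each a well-formed Google IAM permission ID (`service.resource.verb`, occasionally with an extra segment), no duplicates and no wildcards, and a second look at entries that let the holder widen their own access after approval. The following Python lint is an added example, not part of P0 or this page; the sensitive-permission list is this example's own assumption about what an approver would want flagged, not a P0 rule.

```python
import re
from dataclasses import dataclass, field
from typing import List

MAX_PERMISSIONS = 10  # per-request limit stated on this page

# Google IAM permission IDs look like compute.instances.get or
# accesscontextmanager.accessPolicies.accessLevels.get (three or more dot-separated segments).
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*(?:\.[A-Za-z0-9]+){2,}$")

# Assumed starting list of permissions that deserve approver attention because
# they let the holder extend or outlive the approved grant (example's choice, not P0's).
SENSITIVE = {
    "iam.serviceAccounts.actAs": "lets the holder run workloads as that service account",
    "iam.serviceAccountKeys.create": "mints long-lived credentials that outlive the request",
    "iam.roles.update": "can widen an existing role after approval",
}


@dataclass
class LintResult:
    permissions: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_permissions(raw: str) -> LintResult:
    """Validate a space-separated permissions string as it would be pasted into the request."""
    result = LintResult()
    seen = set()
    for token in raw.split():  # the field is space-separated
        if token in seen:
            result.warnings.append(f"duplicate dropped: {token}")
            continue
        seen.add(token)
        if "*" in token:
            result.errors.append(f"wildcard not allowed: {token}")
            continue
        if not PERMISSION_RE.match(token):
            result.errors.append(f"not a service.resource.verb permission id: {token}")
            continue
        result.permissions.append(token)
        if token in SENSITIVE:
            result.warnings.append(f"{token}: {SENSITIVE[token]}")
        elif token.endswith(".setIamPolicy"):
            result.warnings.append(f"{token}: grants control over who else gets access")
    if len(result.permissions) > MAX_PERMISSIONS:
        result.errors.append(
            f"{len(result.permissions)} permissions requested; the field accepts at most {MAX_PERMISSIONS}")
    if not result.permissions and not result.errors:
        result.errors.append("no permissions given")
    return result


if __name__ == "__main__":
    r = lint_permissions("compute.instances.get compute.instances.list iam.serviceAccounts.actAs")
    print("ok:", r.ok)
    print("permissions:", r.permissions)
    print("warnings:", r.warnings)
```

The lint only checks shape; it cannot tell you whether a permission exists for the service or whether your routing rule allows it. Paste the cleaned `permissions` list, separated by spaces, into the **Permissions** field.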

### Set up a Resource within Google Cloud Access

**Resource within GCloud** access scopes the grant to a single named resource rather than to the entire project.

Examples of resource requests include:

* [**Cloud Storage Requests**](#set-up-cloud-storage-requests)**:** Access to the objects within a specified bucket or folder, or to individual files.
* [**Google Compute Engine**](#set-up-google-compute-engine-access)**:** Access to specific Compute Engine virtual machine (VM) instances or zones.

To request resource access:

1. Enter the resource name(s) in the **Resource name** field:

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-7a752ab609aca7ccede2c6b763a34f73c6f64328%2Fimage.png?alt=media" alt="" width="380"><figcaption></figcaption></figure>
2. After you select a resource, set the relevant configurable fields.

#### Set up Cloud Storage Requests

You can request access that is restricted to the following Google Cloud Storage (GCS) resource types:

* **Buckets:** All files and folders contained in the selected bucket(s).
* **Folders:** All files contained in the selected folder(s).
* **Files:** Individual file(s).

To enable access to a storage resource:

1. Type one of the following into the **Resource name** field:
   * Name of the bucket or object, using the same format that you would use for the `gsutil` CLI (e.g. `p0-test-1`).
   * Type of resource you want (e.g. `storage bucket`), to bring up a more comprehensive list of matching resources.

{% hint style="info" %}
As you type, a list of matching resources appears in the dropdown, grouped under headers for each resource type. In this example, **Storage Bucket** is the header for the list of selectable storage buckets.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-b951cae8fb0ea893185456e7abdf3cb05428bd0e%2Fimage.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

2. After you select a resource, the following configurable Google Cloud Storage fields are available:
   1. **Access:** Type of access for this resource. You can request `read`, `write`, `admin`, or an existing Google IAM role. See [Cloud Storage](https://docs.p0.dev/integrations/resource-integrations/google-cloud/permissions-reference/cloud-storage) for a detailed reference of the permissions each access shortcut grants.
   2. **File or folder** (optional): Path to the file or folder within the Google resource, where you want access.

#### Set up Google Compute Engine Access

Google Compute Engine access is scoped to specific Compute Engine virtual machine (VM) zones. Zone access covers the VM instances in the selected zone, but not instances in other zones.

To enable access to a zone:

1. Specify the zone in the **Resource name** field.

{% hint style="info" %}
The dropdown list indicates the type of resources listed. In this case, **Compute Zone** is shown which indicates the list contains selectable zones.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-cd05c2d3c79315dd15a547e6be649980067a2414%2Fimage.png?alt=media" alt="" width="387"><figcaption></figcaption></figure>

2. After you select a zone, the following configurable Google Compute Engine fields are available:
   1. **Access:** Type of access for this resource. You can request `view`, `edit`, `admin`, `create`, `ssh`, or an existing Google IAM role. See [Compute Engine](https://docs.p0.dev/integrations/resource-integrations/google-cloud/permissions-reference/compute-engine) for a detailed reference of the permissions each access shortcut grants.
   2. **Service account email** (optional): Email of the service account attached to the VM instance you are requesting access to. You can obtain it with the following command:\
      \
      `gcloud compute instances describe INSTANCE-NAME | grep serviceAccounts -A 1`\
      \
      Add `--zone ZONE` if your gcloud configuration has no default zone. If the instance has no attached service account, the command prints nothing and you can leave this field empty.

{% hint style="info" %}
For `ssh` and `create` access to a VM that has (or will be created with) an attached service account, you must provide the email of an existing service account, because attaching a service account to a VM requires permission to act as that specific service account.
{% endhint %}
