Google Cloud Filtering

We'll go through all the available access-types for Google Cloud request filtering.

Filtering permission requests

To filter on permission requests, we can use the permission access-type. There is a single available key, id, which refers to the permission ID (list available in Google's docs here)

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only bigquery permissions:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep
      key: id
      pattern: ^bigquery.

Allow requesting any permissions except compute.instances.delete

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: remove
      key: id
      pattern: ^compute.instances.delete$

Filtering role requests

To filter on permission requests, we can use the role access-type. There is a single available key, id, which refers to the role ID (list available in Google's docs here). Note that this is the ID that is prefixed with roles/

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only compute roles

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep
      key: id
      pattern: ^roles/compute.

Allow requesting any roles except the basic roles (viewer, editor, owner)

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: remove
      key: id
      pattern: ^roles/editor$|^roles/viewer$|^roles/owner$

Filtering resource requests

To filter on permission requests, we can use the resource access-type. There are 3 available keys:

  • name: This is the name of the resource.

  • type: This is the type of the resource. The available values for type are below:

Resource type"type" value

BigQuery Dataset

dataset

BigQuery Table

table

Compute Zone

zone

Compute Instance

instance

IAM Service Account

serviceaccount

Cloud Storage Bucket

bucket

Cloud Storage Object

object

  • full-resource-name: This is the Google API full resource name, including the service, type, and name. Available formats for the full-resource-name are below.

Resource type"type" value

BigQuery Dataset

//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME

BigQuery Table

//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME

Compute Zone

//compute.googleapis.com/zones/ZONE_NAME

Compute Instance

//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/INSTANCE_NAME

IAM Service Account

//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL

Cloud Storage Bucket

//storage.googleapis.com/BUCKET_NAME

Cloud Storage Object

//storage.googleapis.com/BUCKET_NAME/objects/OBJECT_PATH

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|type|full-resource-name
      pattern: <regex pattern>

Allow requesting only the Bigquery Dataset "customer-data" in project "test"

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//bigquery.googleapis.com/projects/test/datasets/customer-data$

Allow requesting any Cloud Storage bucket:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: type
      pattern: ^bucket$

Allow requesting any resource with "application-1" in the name

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: name
      pattern: application-1

Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a"

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: remove
      key: full-resource-name
      pattern: ^//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod 

Allow requesting only Cloud Storage buckets with names starting with dev

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//storage.googleapis.com/dev

Last updated