Google Cloud Filtering

We'll go through all the available access-types for Google Cloud request filtering.

Filtering permission requests

To filter on permission requests, we can use the permission access-type. There is a single available key, id, which refers to the permission ID (list available in Google's docs here)

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only bigquery permissions:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep
      key: id
      pattern: ^bigquery.

Allow requesting any permissions except compute.instances.delete

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: remove
      key: id
      pattern: ^compute.instances.delete$

Filtering role requests

To filter on permission requests, we can use the role access-type. There is a single available key, id, which refers to the role ID (list available in Google's docs here). Note that this is the ID that is prefixed with roles/

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only compute roles

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep
      key: id
      pattern: ^roles/compute.

Allow requesting any roles except the basic roles (viewer, editor, owner)

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: remove
      key: id
      pattern: ^roles/editor$|^roles/viewer$|^roles/owner$

Filtering resource requests

To filter on permission requests, we can use the resource access-type. There are 3 available keys:

name: This is the name of the resource.
type: This is the type of the resource. The available values for type are below:

Resource type "type" value

Resource type	"type" value
BigQuery Dataset	`dataset`
BigQuery Table	`table`
Compute Zone	`zone`
Compute Instance	`instance`
IAM Service Account	`serviceaccount`
Cloud Storage Bucket	`bucket`
Cloud Storage Object	`object`

BigQuery Dataset

dataset

BigQuery Table

table

Compute Zone

zone

Compute Instance

instance

IAM Service Account

serviceaccount

Cloud Storage Bucket

bucket

Cloud Storage Object

object

full-resource-name: This is the Google API full resource name, including the service, type, and name. Available formats for the full-resource-name are below.

Resource type "type" value

Resource type	"type" value
BigQuery Dataset	`//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME`
BigQuery Table	`//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME`
Compute Zone	`//compute.googleapis.com/zones/ZONE_NAME`
Compute Instance	`//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/INSTANCE_NAME`
IAM Service Account	`//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL`
Cloud Storage Bucket	`//storage.googleapis.com/BUCKET_NAME`
Cloud Storage Object	`//storage.googleapis.com/BUCKET_NAME/objects/OBJECT_PATH`

BigQuery Dataset

//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME

BigQuery Table

//bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME

Compute Zone

//compute.googleapis.com/zones/ZONE_NAME

Compute Instance

//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/INSTANCE_NAME

IAM Service Account

//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL

Cloud Storage Bucket

//storage.googleapis.com/BUCKET_NAME

Cloud Storage Object

//storage.googleapis.com/BUCKET_NAME/objects/OBJECT_PATH

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|type|full-resource-name
      pattern: <regex pattern>

Allow requesting only the Bigquery Dataset "customer-data" in project "test"

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//bigquery.googleapis.com/projects/test/datasets/customer-data$

Allow requesting any Cloud Storage bucket:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: type
      pattern: ^bucket$

Allow requesting any resource with "application-1" in the name

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: name
      pattern: application-1

Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a"

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: remove
      key: full-resource-name
      pattern: ^//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod

Allow requesting only Cloud Storage buckets with names starting with dev

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//storage.googleapis.com/dev

PreviousRequest Routing NextAWS Filtering

Last updated 7 months ago