Google Cloud Filtering
We'll go through all the available access-types for Google Cloud request filtering.
Filtering permission requests
To filter on permission requests, we can use the permission
access-type. There is a single available key, id
, which refers to the permission ID (list available in Google's docs here)
Rule structure:
Allow requesting only bigquery permissions:
Allow requesting any permissions except compute.instances.delete
Filtering role requests
To filter on permission requests, we can use the role
access-type. There is a single available key, id
, which refers to the role ID (list available in Google's docs here). Note that this is the ID that is prefixed with roles/
Rule structure:
Allow requesting only compute roles
Allow requesting any roles except the basic roles (viewer, editor, owner)
Filtering resource requests
To filter on permission requests, we can use the resource
access-type. There are 3 available keys:
name
: This is the name of the resource.type
: This is the type of the resource. The available values fortype
are below:
full-resource-name
: This is the Google API full resource name, including the service, type, and name. Available formats for thefull-resource-name
are below.
Rule structure:
Allow requesting only the Bigquery Dataset "customer-data" in project "test"
Allow requesting any Cloud Storage bucket:
Allow requesting any resource with "application-1" in the name
Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a"
Allow requesting only Cloud Storage buckets with names starting with dev
Last updated