Google Cloud Filtering

We'll go through all the available access-types for Google Cloud request filtering.

Filtering permission requests

To filter on permission requests, we can use the permission access-type. There is a single available key, id, which refers to the permission ID (list available in Google's docs here)

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only bigquery permissions:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep
      key: id
      pattern: ^bigquery.

Allow requesting any permissions except compute.instances.delete

Filtering role requests

To filter on permission requests, we can use the role access-type. There is a single available key, id, which refers to the role ID (list available in Google's docs here). Note that this is the ID that is prefixed with roles/

Rule structure:

Allow requesting only compute roles

Allow requesting any roles except the basic roles (viewer, editor, owner)

Filtering resource requests

To filter on permission requests, we can use the resource access-type. There are 3 available keys:

• name: This is the name of the resource.

• type: This is the type of the resource. The available values for type are below:

• full-resource-name: This is the Google API full resource name, including the service, type, and name. Available formats for the full-resource-name are below.

Rule structure:

Allow requesting only the Bigquery Dataset "customer-data" in project "test"

Allow requesting any Cloud Storage bucket:

Allow requesting any resource with "application-1" in the name

Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a"

Allow requesting only Cloud Storage buckets with names starting with dev