Google Cloud Filtering


Last updated 1 year ago

This page covers the access-types available for Google Cloud request filtering: permission, role and resource. Every filter has the same shape (an effect, a key and a pattern). The pattern is a regular expression that is matched against the selected key, so escape literal dots (bigquery\.) and anchor with ^ and $ when you mean an exact value; an unanchored pattern such as application-1 matches anywhere in the value.

Filtering permission requests

To filter on permission requests, use the permission access-type. There is a single available key, id, which refers to the permission ID (the full list is in Google's IAM permissions reference), for example bigquery.datasets.get.

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only BigQuery permissions:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: keep
      key: id
      pattern: ^bigquery\.

Allow requesting any permission except compute.instances.delete:

resource:
  type: integration
  service: gcloud
  filters:
    permission:
      effect: remove
      key: id
      pattern: ^compute\.instances\.delete$

Filtering role requests

To filter on role requests, use the role access-type. There is a single available key, id, which refers to the role ID (the full list is in Google's IAM roles reference). Note that this is the ID prefixed with roles/, for example roles/compute.admin.

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep|remove|removeAll
      key: id
      pattern: <regex pattern>

Allow requesting only Compute Engine roles:

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: keep
      key: id
      pattern: ^roles/compute\.

Allow requesting any role except the basic roles (viewer, editor, owner):

resource:
  type: integration
  service: gcloud
  filters:
    role:
      effect: remove
      key: id
      pattern: ^roles/editor$|^roles/viewer$|^roles/owner$

Filtering resource requests

To filter on resource requests, use the resource access-type. There are 3 available keys:

  • name: This is the name of the resource.

  • type: This is the type of the resource. The available values for type are below:

    Resource type           "type" value
    BigQuery Dataset        dataset
    BigQuery Table          table
    Compute Zone            zone
    Compute Instance        instance
    IAM Service Account     serviceaccount
    Cloud Storage Bucket    bucket
    Cloud Storage Object    object

  • full-resource-name: This is the Google API full resource name, including the service, type, and name. Available formats for the full-resource-name are below:

    Resource type           full-resource-name format
    BigQuery Dataset        //bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME
    BigQuery Table          //bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME
    Compute Zone            //compute.googleapis.com/zones/ZONE_NAME
    Compute Instance        //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/INSTANCE_NAME
    IAM Service Account     //iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL
    Cloud Storage Bucket    //storage.googleapis.com/BUCKET_NAME
    Cloud Storage Object    //storage.googleapis.com/BUCKET_NAME/objects/OBJECT_PATH

Rule structure:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|type|full-resource-name
      pattern: <regex pattern>

Allow requesting only the BigQuery dataset "customer-data" in project "test":

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//bigquery\.googleapis\.com/projects/test/datasets/customer-data$

Allow requesting any Cloud Storage bucket:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: type
      pattern: ^bucket$

Allow requesting any resource with "application-1" anywhere in its name:

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: name
      pattern: application-1

Allow requesting any resource except compute instances with names starting with "prod" in project "test" and zone "us-west1-a" (note there must be no trailing whitespace after prod; it would become part of the regex and the rule would stop matching):

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: remove
      key: full-resource-name
      pattern: ^//compute\.googleapis\.com/projects/test/zones/us-west1-a/instances/prod

Allow requesting only Cloud Storage buckets with names starting with "dev":

resource:
  type: integration
  service: gcloud
  filters:
    resource:
      effect: keep
      key: full-resource-name
      pattern: ^//storage\.googleapis\.com/dev
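The following is an added example, not P0's own code, that dry-runs rules of the shape shown on this page (permission, role and resource filters) against a constructed list of candidates before they are deployed. P0's matching engine is not public, so the evaluator assumes the semantics the examples on this page imply: an unanchored regular-expression search over the selected key, keep retaining only matches and remove dropping them (removeAll is not modeled, since its behaviour is not spelled out here), and that several access-type filters may sit under one filters: mapping. The permission IDs, role IDs and resource names are made up for the demo, and lint_pattern flags the two mistakes most likely to make a deny rule silently ineffective: an unescaped dot and stray whitespace.

```python
"""Dry-run evaluator for P0-style Google Cloud request filters.

Added example, not P0's own code. It models the keep/remove semantics the
examples on this page imply (regex search over the selected key) and
lints patterns for mistakes that silently change what a rule matches.
"""
from __future__ import annotations

import re

# Keys each access-type exposes, per this page.
KEYS = {
    "permission": {"id"},
    "role": {"id"},
    "resource": {"name", "type", "full-resource-name"},
}


def lint_pattern(pattern: str) -> list[str]:
    """Return warnings for regex pitfalls; an empty list means nothing suspicious."""
    warnings = []
    if pattern != pattern.strip():
        warnings.append("leading/trailing whitespace is part of the regex and must match literally")
    # An unescaped '.' that is not a wildcard with a quantifier (.*, .+, .?) is
    # almost always meant as a literal dot, as in bigquery.datasets.get.
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        warnings.append("unescaped '.' matches any character; write '\\.' for a literal dot")
    if not pattern.startswith("^") and not pattern.endswith("$"):
        warnings.append("pattern is unanchored and matches anywhere in the value")
    try:
        re.compile(pattern)
    except re.error as exc:
        warnings.append(f"invalid regex: {exc}")
    return warnings


def apply_filter(access_type: str, filt: dict, candidates: list[dict]) -> list[dict]:
    """Apply one filter mapping (effect/key/pattern) to candidate items.

    Each candidate is a dict keyed by the access-type's keys, e.g.
    {"id": "bigquery.datasets.get"} for a permission.
    keep   -> only candidates whose key matches the pattern survive
    remove -> candidates whose key matches the pattern are dropped
    """
    key, effect, pattern = filt["key"], filt["effect"], filt["pattern"]
    if key not in KEYS[access_type]:
        raise ValueError(f"key {key!r} is not valid for access-type {access_type!r}")
    if effect not in ("keep", "remove"):
        # removeAll is listed on the page but not defined there, so it is not modeled.
        raise ValueError(f"effect {effect!r} is not modeled")
    rx = re.compile(pattern)

    def matches(cand: dict) -> bool:
        return rx.search(cand[key]) is not None

    return [c for c in candidates if matches(c) == (effect == "keep")]


def evaluate(rule: dict, candidates: dict[str, list[dict]]) -> dict[str, list[dict]]:
    """Evaluate the 'resource:' mapping of a rule against candidates per access-type.

    Assumption (not stated on the page): several access-type filters may sit
    under one filters: mapping and are applied independently.
    """
    if rule.get("type") != "integration" or rule.get("service") != "gcloud":
        raise ValueError("expected a gcloud integration rule")
    return {
        access_type: apply_filter(access_type, filt, candidates.get(access_type, []))
        for access_type, filt in rule["filters"].items()
    }


# Constructed sample data; project, zone and resource names are made up.
PERMISSIONS = [{"id": p} for p in (
    "bigquery.datasets.get", "bigquery.tables.getData",
    "compute.instances.delete", "compute.instances.get",
)]
ROLES = [{"id": r} for r in (
    "roles/viewer", "roles/editor", "roles/owner",
    "roles/compute.admin", "roles/bigquery.dataViewer",
)]
RESOURCES = [
    {"name": "prod-web-1", "type": "instance",
     "full-resource-name": "//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod-web-1"},
    {"name": "dev-web-1", "type": "instance",
     "full-resource-name": "//compute.googleapis.com/projects/test/zones/us-west1-a/instances/dev-web-1"},
    {"name": "dev-logs", "type": "bucket",
     "full-resource-name": "//storage.googleapis.com/dev-logs"},
]

# One rule with a remove filter per access-type, literal dots escaped.
RULE = {
    "type": "integration",
    "service": "gcloud",
    "filters": {
        "permission": {"effect": "remove", "key": "id",
                       "pattern": r"^compute\.instances\.delete$"},
        "role": {"effect": "remove", "key": "id",
                 "pattern": r"^roles/(viewer|editor|owner)$"},
        "resource": {"effect": "remove", "key": "full-resource-name",
                     "pattern": r"^//compute\.googleapis\.com/projects/test/zones/us-west1-a/instances/prod"},
    },
}


def demo() -> dict:
    """Evaluate RULE and lint a hand-typed copy of the page's prod-instance pattern."""
    result = evaluate(RULE, {"permission": PERMISSIONS, "role": ROLES, "resource": RESOURCES})
    return {
        "permission_ids": [c["id"] for c in result["permission"]],
        "role_ids": [c["id"] for c in result["role"]],
        "resource_names": [c["name"] for c in result["resource"]],
        # unescaped dots plus a trailing space: this deny rule would match no instance
        "lint": lint_pattern("^//compute.googleapis.com/projects/test/zones/us-west1-a/instances/prod "),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it before changing a rule: the evaluated lists show exactly which permissions, roles and resources remain requestable, and the lint output catches the case where a remove filter with a trailing space matches nothing, leaving the production instances it was meant to block fully requestable.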

