Reputation: 1096
I would like to filter the resources available for a user based on their name. So I tried to use GCP IAM Role conditions.
But the only functions which seem to be available on resource.name are startsWith(), endsWith() or extract(), according to the linter and the example I found. The CEL language definition (https://github.com/google/cel-spec/blob/master/doc/langdef.md) contains contains() or matches(), but I cannot use them in the GCP console; the linter refuses them.
To be clear on the context the same project holds resources for production and non production environments and I would like to give rights to people without giving them access to production ones. The production resources are named with a pattern -prod-.
Is there another way to set an IAM Role condition based on part of resources name?
Upvotes: 5
Views: 9097
Reputation: 1524
According to the "Conditions Attribute Reference" doc, you can use a bang (!) to negate a condition, like in bash.
So what you're probably looking for is something like (but not exactly matching, you'll have to noodle with it):
! resource.name.extract('/instances/{name}/').startsWith('<beginning of your naming pattern>-prod-')
From the sound of things, you may need to chain multiple conditions together to make sure that all of your assets are addressed. For example, if you named your logical groupings after small animals:
! resource.name.extract('/instances/{name}/').startsWith('kittens-prod-') && ! resource.name.extract('/instances/{name}/').startsWith('hedgehogs-prod-')
You may also find some useful information in the "extract values" section of this other doc, "Configuring resource-based-access."
Upvotes: 4
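To see how the negated condition in the answer above behaves across a set of resource names, here is an added example (not part of the original question or answers, and not Google's own evaluator). It is a simplified Python model of CEL's extract() and startsWith(): the template's literal prefix and suffix must both be found in the resource name, otherwise extract() yields an empty string, which is the documented behaviour this model assumes. The resource names, the project "demo", and the "-dev-" naming for non-production instances are constructed for the demonstration; the template is written without a trailing slash because the instance name is the last path segment of a Compute Engine resource name.

```python
"""Model a negated IAM condition against constructed resource names.

The point of the demonstration: a deny-by-negation condition only blocks
resources whose name matches the extraction template. Any other resource
(a disk, for example) yields "" from extract(), "" does not start with
"<group>-prod-", and the negation evaluates to true, so access is granted.
An explicit allow-list of the non-production prefix fails closed instead.
"""
import re


def cel_extract(resource_name: str, template: str) -> str:
    """Simplified model (assumption) of CEL extract() with one {placeholder}:
    find the literal prefix, then the literal suffix after it; if either is
    missing return the empty string, as the IAM docs describe."""
    m = re.fullmatch(r"(.*)\{[^}]*\}(.*)", template)
    if m is None:
        raise ValueError("template must contain exactly one {placeholder}")
    prefix, suffix = m.group(1), m.group(2)
    start = resource_name.find(prefix)
    if start < 0:
        return ""
    start += len(prefix)
    if suffix == "":
        return resource_name[start:]
    end = resource_name.find(suffix, start)
    if end < 0:
        return ""
    return resource_name[start:end]


INSTANCE_TEMPLATE = "/instances/{name}"


def deny_prod_by_negation(resource_name: str, groups: list[str]) -> bool:
    """Equivalent of:
    !resource.name.extract('/instances/{name}').startsWith('kittens-prod-')
    && !resource.name.extract('/instances/{name}').startsWith('hedgehogs-prod-')
    """
    name = cel_extract(resource_name, INSTANCE_TEMPLATE)
    return all(not name.startswith(f"{g}-prod-") for g in groups)


def allow_nonprod_by_allowlist(resource_name: str, groups: list[str]) -> bool:
    """Equivalent of:
    resource.name.extract('/instances/{name}').startsWith('kittens-dev-')
    || resource.name.extract('/instances/{name}').startsWith('hedgehogs-dev-')
    ("-dev-" is a constructed non-production naming convention.)"""
    name = cel_extract(resource_name, INSTANCE_TEMPLATE)
    return any(name.startswith(f"{g}-dev-") for g in groups)


# Constructed resource names in the format IAM conditions see for Compute Engine.
BASE = "//compute.googleapis.com/projects/demo/zones/us-central1-a"
SAMPLE_RESOURCES = [
    f"{BASE}/instances/kittens-prod-1",
    f"{BASE}/instances/kittens-dev-1",
    f"{BASE}/instances/hedgehogs-prod-7",
    f"{BASE}/instances/hedgehogs-dev-2",
    f"{BASE}/disks/kittens-prod-data",  # not an instance: template does not match
]
GROUPS = ["kittens", "hedgehogs"]


def evaluate(resources: list[str] = SAMPLE_RESOURCES,
             groups: list[str] = GROUPS) -> dict[str, tuple[bool, bool]]:
    """Return {resource_name: (negation_grants, allowlist_grants)}."""
    return {
        r: (deny_prod_by_negation(r, groups), allow_nonprod_by_allowlist(r, groups))
        for r in resources
    }


if __name__ == "__main__":
    print(f"{'resource':70} negation  allowlist")
    for r, (neg, allow) in evaluate().items():
        print(f"{r:70} {str(neg):9} {allow}")
```

Running it shows both conditions agreeing on the instances, but diverging on the disk: the negated condition grants access to `kittens-prod-data`, while the allow-list does not. When the goal is to keep people away from production, prefer a condition that names what is permitted, or add a `resource.type` check so the extract() template is only applied to the resource kind it was written for.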
Reputation: 15276
If we look at the reference documentation for IAM conditions ... specifically the attribute references found here:
https://cloud.google.com/iam/docs/conditions-attribute-reference
we find that for each entry, there is a set of "supported operators". It appears that only those operators are the ones supported.
For example, if we look at the resource.name attribute we see that it lists:
What this seems to tell me is that the operators are explicitly defined and it isn't just the linter but the actual spec that is restricting what can be done. Best we can likely do is raise a feature request with Google for some future enhancement.
Upvotes: 2