ServicePerimeter

ServicePerimeter describes a set of Google Cloud resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter. If a request with a source within this ServicePerimeter has a target outside of the ServicePerimeter, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters cannot overlap, a single Google Cloud project can only belong to a single regular Service Perimeter. Service Perimeter Bridges can contain only Google Cloud projects as members, a single Google Cloud project may belong to multiple Service Perimeter Bridges.

JSON representation
{
  "name": string,
  "title": string,
  "description": string,
  "perimeterType": enum (PerimeterType),
  "status": {
    object (ServicePerimeterConfig)
  },
  "spec": {
    object (ServicePerimeterConfig)
  },
  "useExplicitDryRunSpec": boolean
}
Fields
name

string

Required. Resource name for the ServicePerimeter. The shortName component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{policyId}/servicePerimeters/{shortName}

title

string

Human readable title. Must be unique within the Policy.

description

string

description of the ServicePerimeter and its use. Does not affect behavior.

perimeterType

enum (PerimeterType)

Perimeter type indicator. A single project is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty.

status

object (ServicePerimeterConfig)

Current ServicePerimeter configuration. Specifies sets of resources, restricted services and access levels that determine perimeter content and boundaries.

spec

object (ServicePerimeterConfig)

Proposed (or dry run) ServicePerimeter configuration. This configuration allows to specify and test ServicePerimeter configuration without enforcing actual access restrictions. Only allowed to be set when the "useExplicitDryRunSpec" flag is set.

useExplicitDryRunSpec

boolean

Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. useExplicitDryRunSpec must bet set to True if any of the fields in the spec are set to non-default values.

ServicePerimeterConfig

ServicePerimeterConfig specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.

JSON representation
{
  "resources": [
    string
  ],
  "accessLevels": [
    string
  ],
  "restrictedServices": [
    string
  ],
  "vpcAccessibleServices": {
    object (VpcAccessibleServices)
  },
  "ingressPolicies": [
    {
      object (IngressPolicy)
    }
  ],
  "egressPolicies": [
    {
      object (EgressPolicy)
    }
  ]
}
Fields
resources[]

string

A list of Google Cloud resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{projectNumber}

accessLevels[]

string

A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty.

restrictedServices[]

string

Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions.

vpcAccessibleServices

object (VpcAccessibleServices)

Configuration for APIs allowed within Perimeter.

ingressPolicies[]

object (IngressPolicy)

globalOperations.list of IngressPolicies to apply to the perimeter. A perimeter may have multiple IngressPolicies, each of which is evaluated separately. Access is granted if any Ingress Policy grants it. Must be empty for a perimeter bridge.

egressPolicies[]

object (EgressPolicy)

globalOperations.list of EgressPolicies to apply to the perimeter. A perimeter may have multiple EgressPolicies, each of which is evaluated separately. Access is granted if any EgressPolicy grants it. Must be empty for a perimeter bridge.

VpcAccessibleServices

Specifies how APIs are allowed to communicate within the Service Perimeter.

JSON representation
{
  "enableRestriction": boolean,
  "allowedServices": [
    string
  ]
}
Fields
enableRestriction

boolean

Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'.

allowedServices[]

string

The list of APIs usable within the Service Perimeter. Must be empty unless 'enableRestriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter.

IngressPolicy

Policy for ingress into ServicePerimeter.

IngressPolicies match requests based on ingressFrom and ingressTo stanzas. For an ingress policy to match, both the ingressFrom and ingressTo stanzas must be matched. If an IngressPolicy matches a request, the request is allowed through the perimeter boundary from outside the perimeter.

For example, access from the internet can be allowed either based on an AccessLevel or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required.

Individual ingress policies can be limited by restricting which services and/or actions they match using the ingressTo field.

JSON representation
{
  "ingressFrom": {
    object (IngressFrom)
  },
  "ingressTo": {
    object (IngressTo)
  }
}
Fields
ingressFrom

object (IngressFrom)

Defines the conditions on the source of a request causing this IngressPolicy to apply.

ingressTo

object (IngressTo)

Defines the conditions on the ApiOperation and request destination that cause this IngressPolicy to apply.

IngressFrom

Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the source of the request.

JSON representation
{
  "sources": [
    {
      object (IngressSource)
    }
  ],
  "identities": [
    string
  ],
  "identityType": enum (IdentityType)
}
Fields
sources[]

object (IngressSource)

Sources that this IngressPolicy authorizes access from.

identities[]

string

A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only.

identityType

enum (IdentityType)

Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of identities field will be allowed access.

IngressSource

The source that IngressPolicy authorizes access from.

JSON representation
{

  // Union field source can be only one of the following:
  "accessLevel": string,
  "resource": string
  // End of list of possible types for union field source.
}
Fields
Union field source. Allowed ingress source. It can be one of AccessLevel or Google Cloud resource. source can be only one of the following:
accessLevel

string

An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If * is specified, then all IngressSources will be allowed.

resource

string

A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format: projects/{projectNumber} The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported.

IngressTo

Defines the conditions under which an IngressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the destination of the request.

JSON representation
{
  "operations": [
    {
      object (ApiOperation)
    }
  ],
  "resources": [
    string
  ]
}
Fields
operations[]

object (ApiOperation)

A list of ApiOperations the sources specified in corresponding IngressFrom are allowed to perform in this ServicePerimeter.

resources[]

string

A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this IngressTo rule will authorize access to all resources inside the perimeter, provided that the request also matches the operations field.

ApiOperation

Identification for an API Operation.

JSON representation
{
  "serviceName": string,
  "methodSelectors": [
    {
      object (MethodSelector)
    }
  ]
}
Fields
serviceName

string

The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services.

methodSelectors[]

object (MethodSelector)

API methods or permissions to allow. Method or permission must belong to the service specified by serviceName field. A single MethodSelector entry with * specified for the method field will allow all methods AND permissions for the service specified in serviceName.

MethodSelector

An allowed method or permission of a service specified in ApiOperation.

JSON representation
{

  // Union field kind can be only one of the following:
  "method": string,
  "permission": string
  // End of list of possible types for union field kind.
}
Fields
Union field kind. The API method name or Cloud IAM permission name to allow. kind can be only one of the following:
method

string

value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed.

permission

string

value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation.

EgressPolicy

Policy for egress from perimeter.

EgressPolicies match requests based on egressFrom and egressTo stanzas. For an EgressPolicy to match, both egressFrom and egressTo stanzas must be matched. If an EgressPolicy matches a request, the request is allowed to span the ServicePerimeter boundary. For example, an EgressPolicy can be used to allow VMs on networks within the ServicePerimeter to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).

EgressPolicies are concerned with the resources that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of EgressFrom and EgressTo.

JSON representation
{
  "egressFrom": {
    object (EgressFrom)
  },
  "egressTo": {
    object (EgressTo)
  }
}
Fields
egressFrom

object (EgressFrom)

Defines conditions on the source of a request causing this EgressPolicy to apply.

egressTo

object (EgressTo)

Defines the conditions on the ApiOperation and destination resources that cause this EgressPolicy to apply.

EgressFrom

Defines the conditions under which an EgressPolicy matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed.

JSON representation
{
  "identities": [
    string
  ],
  "identityType": enum (IdentityType)
}
Fields
identities[]

string

A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of email address. The email address should represent individual user or service account only.

identityType

enum (IdentityType)

Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of identities field will be allowed access.

EgressTo

Defines the conditions under which an EgressPolicy matches a request. Conditions are based on information about the ApiOperation intended to be performed on the resources specified. Note that if the destination of the request is protected by a ServicePerimeter, then that ServicePerimeter must have an IngressPolicy which allows access in order for this request to succeed.

JSON representation
{
  "resources": [
    string
  ],
  "operations": [
    {
      object (ApiOperation)
    }
  ]
}
Fields
resources[]

string

A list of resources, currently only projects in the form projects/<projectnumber>, that match this to stanza. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter.

operations[]

object (ApiOperation)

A list of ApiOperations that this egress rule applies to. A request matches if it contains an operation/service in this list.