GCP IAM Role condition based on part of resource name


I would like to filter the resources available to a user based on their names. So I tried to use GCP IAM Role conditions.

But the only functions that seem to be available on resource.name are startsWith(), endsWith() or extract(), according to the linter and the examples I found. The CEL language definition (https://github.com/google/cel-spec/blob/master/doc/langdef.md) includes contains() and matches(), but I cannot use them in the GCP console; the linter refuses them.

To be clear on the context: the same project holds resources for production and non-production environments, and I would like to give people rights without giving them access to the production ones. The production resources are named with the pattern -prod-.

Is there another way to set an IAM Role condition based on part of a resource's name?


Solution

  • If we look at the reference documentation for IAM conditions ... specifically the attribute references found here:

    https://cloud.google.com/iam/docs/conditions-attribute-reference

    we find that for each entry there is a set of "supported operators". It appears that only those operators are supported.

    For example, if we look at the resource.name attribute we see that it lists:

    • startsWith
    • endsWith
    • extract
    • ==
    • !=

    What this seems to tell me is that the operators are explicitly defined, and it isn't just the linter but the actual spec that restricts what can be done. The best we can likely do is raise a feature request with Google for some future enhancement.