Configure GCP Chronicle Data Access Scopes

The gcp:chronicle/dataAccessScope:DataAccessScope resource, part of the Pulumi GCP provider, defines access control rules that restrict which Chronicle data users can query based on labels. This guide focuses on four capabilities: log type filtering, custom label and namespace scoping, ingestion metadata filtering, and allow-all with exclusions.

Data access scopes reference Chronicle instances and may depend on DataAccessLabel resources, asset namespaces, or ingestion labels that must exist separately. The examples are intentionally small. Combine them with your own user assignments and label definitions.

Restrict access by log type

Security teams often need to grant analysts access to specific log sources without exposing all data in Chronicle.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [
        {
            logType: "GCP_CLOUDAUDIT",
        },
        {
            logType: "GITHUB",
        },
    ],
});
import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[
        {
            "log_type": "GCP_CLOUDAUDIT",
        },
        {
            "log_type": "GITHUB",
        },
    ])
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					LogType: pulumi.String("GCP_CLOUDAUDIT"),
				},
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					LogType: pulumi.String("GITHUB"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                LogType = "GCP_CLOUDAUDIT",
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                LogType = "GITHUB",
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(            
                DataAccessScopeAllowedDataAccessLabelArgs.builder()
                    .logType("GCP_CLOUDAUDIT")
                    .build(),
                DataAccessScopeAllowedDataAccessLabelArgs.builder()
                    .logType("GITHUB")
                    .build())
            .build());

    }
}
resources:
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - logType: GCP_CLOUDAUDIT
        - logType: GITHUB

The allowedDataAccessLabels array defines which data the scope permits. Each entry with a logType property grants access to all logs from that source. Chronicle evaluates allowed labels with OR logic: users see data matching any allowed label.

Filter by custom data access labels

Organizations with complex access requirements can define custom labels based on UDM queries, then reference those labels in scopes.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessLabelId: "label-id",
    udmQuery: "principal.hostname=\"google.com\"",
});
const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [{
        // Reference the DataAccessLabel resource created above, not an undefined variable
        dataAccessLabel: customDataAccessLabel.dataAccessLabelId,
    }],
});
import pulumi
import pulumi_gcp as gcp

custom_data_access_label = gcp.chronicle.DataAccessLabel("custom_data_access_label",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_label_id="label-id",
    udm_query="principal.hostname=\"google.com\"")
example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[{
        # Reference the DataAccessLabel resource created above, not an undefined variable
        "data_access_label": custom_data_access_label.data_access_label_id,
    }])
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		customDataAccessLabel, err := chronicle.NewDataAccessLabel(ctx, "custom_data_access_label", &chronicle.DataAccessLabelArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessLabelId: pulumi.String("label-id"),
			UdmQuery:          pulumi.String("principal.hostname=\"google.com\""),
		})
		if err != nil {
			return err
		}
		_, err = chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					// Reference the DataAccessLabel resource created above, not an undefined variable
					DataAccessLabel: customDataAccessLabel.DataAccessLabelId,
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var customDataAccessLabel = new Gcp.Chronicle.DataAccessLabel("custom_data_access_label", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessLabelId = "label-id",
        UdmQuery = "principal.hostname=\"google.com\"",
    });

    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                // Reference the DataAccessLabel resource created above, not an undefined variable
                DataAccessLabel = customDataAccessLabel.DataAccessLabelId,
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessLabel;
import com.pulumi.gcp.chronicle.DataAccessLabelArgs;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var customDataAccessLabel = new DataAccessLabel("customDataAccessLabel", DataAccessLabelArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessLabelId("label-id")
            .udmQuery("principal.hostname=\"google.com\"")
            .build());

        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                // Reference the DataAccessLabel resource created above, not an undefined variable
                .dataAccessLabel(customDataAccessLabel.dataAccessLabelId())
                .build())
            .build());

    }
}
resources:
  customDataAccessLabel:
    type: gcp:chronicle:DataAccessLabel
    name: custom_data_access_label
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessLabelId: label-id
      udmQuery: principal.hostname="google.com"
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        # Reference the DataAccessLabel resource declared above
        - dataAccessLabel: ${customDataAccessLabel.dataAccessLabelId}

The dataAccessLabel property references a DataAccessLabel resource by its ID. That resource defines a UDM query (e.g., principal.hostname="google.com"), and the scope grants access to data matching that query. This extends basic log type filtering with query-based criteria.

Scope access by asset namespace

Asset namespaces organize Chronicle data by business unit, environment, or other organizational boundaries.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [{
        assetNamespace: "my-namespace",
    }],
});
import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[{
        "asset_namespace": "my-namespace",
    }])
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					AssetNamespace: pulumi.String("my-namespace"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                AssetNamespace = "my-namespace",
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .assetNamespace("my-namespace")
                .build())
            .build());

    }
}
resources:
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - assetNamespace: my-namespace

The assetNamespace property restricts visibility to assets within a specific namespace. This provides organizational segmentation without requiring custom UDM queries.

Filter by ingestion metadata

Data ingestion pipelines can tag incoming logs with key-value labels for access control.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [{
        ingestionLabel: {
            ingestionLabelKey: "ingestion_key",
            ingestionLabelValue: "ingestion_value",
        },
    }],
});
import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[{
        "ingestion_label": {
            "ingestion_label_key": "ingestion_key",
            "ingestion_label_value": "ingestion_value",
        },
    }])
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					IngestionLabel: &chronicle.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs{
						IngestionLabelKey:   pulumi.String("ingestion_key"),
						IngestionLabelValue: pulumi.String("ingestion_value"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs
                {
                    IngestionLabelKey = "ingestion_key",
                    IngestionLabelValue = "ingestion_value",
                },
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .ingestionLabel(DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs.builder()
                    .ingestionLabelKey("ingestion_key")
                    .ingestionLabelValue("ingestion_value")
                    .build())
                .build())
            .build());

    }
}
resources:
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - ingestionLabel:
            ingestionLabelKey: ingestion_key
            ingestionLabelValue: ingestion_value

The ingestionLabel property matches data tagged during ingestion. Both ingestionLabelKey and ingestionLabelValue must match for access to be granted. This enables access control based on pipeline metadata.

Grant broad access with specific exclusions

Some access patterns require granting access to most data while explicitly blocking sensitive categories.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessLabelId: "label-id",
    udmQuery: "principal.hostname=\"google.com\"",
});
const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowAll: true,
    deniedDataAccessLabels: [
        {
            logType: "GCP_CLOUDAUDIT",
        },
        {
            // Reference the DataAccessLabel resource created above, not an undefined variable
            dataAccessLabel: customDataAccessLabel.dataAccessLabelId,
        },
        {
            ingestionLabel: {
                ingestionLabelKey: "ingestion_key",
                ingestionLabelValue: "ingestion_value",
            },
        },
        {
            assetNamespace: "my-namespace",
        },
    ],
});
import pulumi
import pulumi_gcp as gcp

custom_data_access_label = gcp.chronicle.DataAccessLabel("custom_data_access_label",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_label_id="label-id",
    udm_query="principal.hostname=\"google.com\"")
example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allow_all=True,
    denied_data_access_labels=[
        {
            "log_type": "GCP_CLOUDAUDIT",
        },
        {
            # Reference the DataAccessLabel resource created above, not an undefined variable
            "data_access_label": custom_data_access_label.data_access_label_id,
        },
        {
            "ingestion_label": {
                "ingestion_label_key": "ingestion_key",
                "ingestion_label_value": "ingestion_value",
            },
        },
        {
            "asset_namespace": "my-namespace",
        },
    ])
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		customDataAccessLabel, err := chronicle.NewDataAccessLabel(ctx, "custom_data_access_label", &chronicle.DataAccessLabelArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessLabelId: pulumi.String("label-id"),
			UdmQuery:          pulumi.String("principal.hostname=\"google.com\""),
		})
		if err != nil {
			return err
		}
		_, err = chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowAll:          pulumi.Bool(true),
			DeniedDataAccessLabels: chronicle.DataAccessScopeDeniedDataAccessLabelArray{
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					LogType: pulumi.String("GCP_CLOUDAUDIT"),
				},
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					// Reference the DataAccessLabel resource created above, not an undefined variable
					DataAccessLabel: customDataAccessLabel.DataAccessLabelId,
				},
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					IngestionLabel: &chronicle.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs{
						IngestionLabelKey:   pulumi.String("ingestion_key"),
						IngestionLabelValue: pulumi.String("ingestion_value"),
					},
				},
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					AssetNamespace: pulumi.String("my-namespace"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var customDataAccessLabel = new Gcp.Chronicle.DataAccessLabel("custom_data_access_label", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessLabelId = "label-id",
        UdmQuery = "principal.hostname=\"google.com\"",
    });

    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowAll = true,
        DeniedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                LogType = "GCP_CLOUDAUDIT",
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                // Reference the DataAccessLabel resource created above, not an undefined variable
                DataAccessLabel = customDataAccessLabel.DataAccessLabelId,
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs
                {
                    IngestionLabelKey = "ingestion_key",
                    IngestionLabelValue = "ingestion_value",
                },
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                AssetNamespace = "my-namespace",
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessLabel;
import com.pulumi.gcp.chronicle.DataAccessLabelArgs;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeDeniedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var customDataAccessLabel = new DataAccessLabel("customDataAccessLabel", DataAccessLabelArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessLabelId("label-id")
            .udmQuery("principal.hostname=\"google.com\"")
            .build());

        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowAll(true)
            .deniedDataAccessLabels(            
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .logType("GCP_CLOUDAUDIT")
                    .build(),
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    // Reference the DataAccessLabel resource created above, not an undefined variable
                    .dataAccessLabel(customDataAccessLabel.dataAccessLabelId())
                    .build(),
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .ingestionLabel(DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs.builder()
                        .ingestionLabelKey("ingestion_key")
                        .ingestionLabelValue("ingestion_value")
                        .build())
                    .build(),
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .assetNamespace("my-namespace")
                    .build())
            .build());

    }
}
resources:
  customDataAccessLabel:
    type: gcp:chronicle:DataAccessLabel
    name: custom_data_access_label
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessLabelId: label-id
      udmQuery: principal.hostname="google.com"
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowAll: true
      deniedDataAccessLabels:
        - logType: GCP_CLOUDAUDIT
        # Reference the DataAccessLabel resource declared above
        - dataAccessLabel: ${customDataAccessLabel.dataAccessLabelId}
        - ingestionLabel:
            ingestionLabelKey: ingestion_key
            ingestionLabelValue: ingestion_value
        - assetNamespace: my-namespace

The allowAll property grants access to all data, while deniedDataAccessLabels blocks specific categories. Chronicle evaluates denied labels with AND logic: users cannot see data matching all denied labels. This example blocks GCP Cloud Audit logs, data matching a custom label, specific ingestion labels, and a namespace. The pattern inverts the typical allow-list approach.

Beyond these examples

These snippets focus on specific data access scope features: log type and custom label filtering, asset namespace and ingestion label scoping, and the allow-all-with-exclusions pattern. They are intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as Chronicle instances with valid instance IDs, DataAccessLabel resources for custom label examples, and asset namespaces and ingestion labels for relevant examples. They focus on configuring the scope rather than provisioning the entire access control system.

To keep things focused, common scope patterns are omitted, including:

  • Combining multiple label types in a single scope
  • Scope assignment to users or groups
  • Scope lifecycle management (updates, deletion)
  • Boolean expressions combining allowed and denied labels

These omissions are intentional: the goal is to illustrate how each scope feature is wired, not provide drop-in access control modules. See the Chronicle DataAccessScope resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Access Control
Can I use both allowAll and allowedDataAccessLabels?
No, allowAll and allowedDataAccessLabels are mutually exclusive. You must specify one or the other, but not both.
How do allowed and denied labels work together?
Allowed labels use OR logic (access granted if any match), while denied labels use AND logic (access blocked if all match). When allowAll is combined with deniedDataAccessLabels, users can access all data except what’s explicitly denied.
Can I use deniedDataAccessLabels with allowAll?
Yes, deniedDataAccessLabels can be combined with allowAll to grant access to all data except specific labels. For example, denying labels A and B blocks access to data with both A and B.
What happens if I specify multiple allowed labels?
Multiple allowed labels are evaluated with OR logic. Users can access data labeled with A, B, or both A and B if either label is in the allowed list.
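The OR/AND semantics described in the allow-all section above and restated in these FAQ answers are easy to get wrong when reviewing a scope, so the following is an added illustration (not Pulumi or Chronicle code) that models them in plain Python. It assumes exactly the rules the guide states: allowed labels are ORed, denied labels are ANDed, a denial overrides an allow, and allowAll cannot be combined with allowedDataAccessLabels. The event records and the way a label is matched against an event are constructed for the example; how Chronicle attaches labels to real events is not modelled. The allow-all scope here denies two labels rather than the four on the page so that the AND behaviour is visible with small inputs.

```python
# Added illustration (not Pulumi or Chronicle code): a small model of how a
# DataAccessScope is evaluated, following the semantics the guide states
# (allowed labels OR, denied labels AND, allowAll exclusive with an allow list).
# How Chronicle attaches labels to real events is assumed here, not documented.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Label:
    """One entry of allowedDataAccessLabels / deniedDataAccessLabels; exactly one field is set."""
    log_type: Optional[str] = None
    data_access_label: Optional[str] = None   # ID of a DataAccessLabel resource
    asset_namespace: Optional[str] = None
    ingestion_label: Optional[tuple] = None   # (ingestionLabelKey, ingestionLabelValue)

    def set_fields(self) -> list:
        return [f for f in (self.log_type, self.data_access_label,
                            self.asset_namespace, self.ingestion_label) if f is not None]

    def matches(self, event: dict) -> bool:
        """True when the (constructed) event record carries this label."""
        if self.log_type is not None:
            return event.get("log_type") == self.log_type
        if self.data_access_label is not None:
            return self.data_access_label in event.get("data_access_labels", ())
        if self.asset_namespace is not None:
            return event.get("asset_namespace") == self.asset_namespace
        if self.ingestion_label is not None:
            key, value = self.ingestion_label   # both key and value must match
            return event.get("ingestion_labels", {}).get(key) == value
        return False


@dataclass
class Scope:
    allow_all: bool = False
    allowed: list = field(default_factory=list)
    denied: list = field(default_factory=list)

    def validate(self) -> list:
        """Static checks mirroring the constraints stated in the guide; returns error strings."""
        errors = []
        if self.allow_all and self.allowed:
            errors.append("allowAll and allowedDataAccessLabels are mutually exclusive")
        if not self.allow_all and not self.allowed:
            errors.append("scope grants nothing: set allowAll or allowedDataAccessLabels")
        for lbl in self.allowed + self.denied:
            if len(lbl.set_fields()) != 1:
                errors.append("each label entry must set exactly one label type")
            if lbl.ingestion_label is not None and not all(lbl.ingestion_label):
                errors.append("ingestionLabel needs both ingestionLabelKey and ingestionLabelValue")
        return errors

    def permits(self, event: dict) -> bool:
        """Allowed labels are ORed; denied labels are ANDed; a denial overrides an allow."""
        granted = self.allow_all or any(lbl.matches(event) for lbl in self.allowed)
        if not granted:
            return False
        blocked = bool(self.denied) and all(lbl.matches(event) for lbl in self.denied)
        return not blocked


# Constructed sample events (not real Chronicle data).
SAMPLE_EVENTS = [
    {"log_type": "GCP_CLOUDAUDIT", "asset_namespace": "my-namespace"},            # 0: hits every denied label
    {"log_type": "GCP_CLOUDAUDIT", "asset_namespace": "prod",
     "data_access_labels": ["label-id"]},                                         # 1: hits one denied label
    {"log_type": "GITHUB", "asset_namespace": "my-namespace",
     "ingestion_labels": {"ingestion_key": "ingestion_value"}},                   # 2
    {"log_type": "WINDOWS_EVT", "asset_namespace": "prod"},                       # 3
]


def example_scopes() -> dict:
    """Scopes mirroring the guide's patterns plus one deliberately invalid definition."""
    return {
        "log_type_allow": Scope(allowed=[Label(log_type="GCP_CLOUDAUDIT"), Label(log_type="GITHUB")]),
        "custom_label": Scope(allowed=[Label(data_access_label="label-id")]),
        "ingestion": Scope(allowed=[Label(ingestion_label=("ingestion_key", "ingestion_value"))]),
        "allow_all_with_exclusions": Scope(
            allow_all=True,
            denied=[Label(log_type="GCP_CLOUDAUDIT"), Label(asset_namespace="my-namespace")]),
        "invalid": Scope(allow_all=True, allowed=[Label(log_type="GITHUB")]),
    }


def evaluate(scope: Scope, events=SAMPLE_EVENTS) -> list:
    """Per-event access decision for a scope, in SAMPLE_EVENTS order."""
    return [scope.permits(e) for e in events]


if __name__ == "__main__":
    for name, scope in example_scopes().items():
        print(name, scope.validate() or evaluate(scope))
```

Note that in the allow-all scope only event 0, which carries both denied labels, is blocked; an event carrying just one of them is still visible. That is the practical consequence of the AND evaluation: listing several labels under deniedDataAccessLabels narrows the exclusion rather than widening it.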
Label Types & Options
What types of labels can I use in a data access scope?

You can use four label types:

  1. logType (e.g., GCP_CLOUDAUDIT, GITHUB)
  2. dataAccessLabel (references a custom DataAccessLabel resource)
  3. assetNamespace (e.g., my-namespace)
  4. ingestionLabel (key/value pair like ingestion_key: ingestion_value)
How do I reference a custom data access label?
Create a gcp.chronicle.DataAccessLabel resource first, then reference its dataAccessLabelId in the scope’s allowedDataAccessLabels or deniedDataAccessLabels.
Resource Management
What properties can't be changed after creation?
The following properties are immutable: dataAccessScopeId, instance, location, and project. Changing any of these requires recreating the resource.
