Configure GCP Chronicle Data Access Scopes

The gcp:chronicle/dataAccessScope:DataAccessScope resource, part of the Pulumi GCP provider, defines access control rules that restrict which Chronicle data users can query based on labels. This guide focuses on three capabilities: log type filtering, custom label and namespace scoping, and inverted access with allowAll and denials.

Data access scopes reference a Chronicle instance and may depend on DataAccessLabel resources, asset namespaces, or ingestion labels that must exist separately. The examples are intentionally small. Combine them with your own user assignments and label definitions.

Restrict access by log type

Security teams often grant analysts access to specific log sources without exposing all Chronicle data.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [
        {
            logType: "GCP_CLOUDAUDIT",
        },
        {
            logType: "GITHUB",
        },
    ],
});

Python

import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[
        {
            "log_type": "GCP_CLOUDAUDIT",
        },
        {
            "log_type": "GITHUB",
        },
    ])

Go

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					LogType: pulumi.String("GCP_CLOUDAUDIT"),
				},
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					LogType: pulumi.String("GITHUB"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                LogType = "GCP_CLOUDAUDIT",
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                LogType = "GITHUB",
            },
        },
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(            
                DataAccessScopeAllowedDataAccessLabelArgs.builder()
                    .logType("GCP_CLOUDAUDIT")
                    .build(),
                DataAccessScopeAllowedDataAccessLabelArgs.builder()
                    .logType("GITHUB")
                    .build())
            .build());

    }
}

YAML

resources:
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - logType: GCP_CLOUDAUDIT
        - logType: GITHUB

The allowedDataAccessLabels array defines which data the scope permits. Each entry with a logType property grants access to all logs from that source. Chronicle evaluates allowed labels with OR logic: users see data matching any allowed label. Here, users can query GCP Cloud Audit or GitHub logs.

Filter by custom data access labels

Organizations with complex requirements can define custom labels based on UDM queries, then reference those labels in scopes.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessLabelId: "label-id",
    udmQuery: "principal.hostname=\"google.com\"",
});
const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [{
        dataAccessLabel: customDataAccessLabel.dataAccessLabelId,
    }],
});

Python

import pulumi
import pulumi_gcp as gcp

custom_data_access_label = gcp.chronicle.DataAccessLabel("custom_data_access_label",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_label_id="label-id",
    udm_query="principal.hostname=\"google.com\"")
example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[{
        "data_access_label": custom_data_access_label.data_access_label_id,
    }])

Go

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the label resource handle so the scope can reference its ID.
		customDataAccessLabel, err := chronicle.NewDataAccessLabel(ctx, "custom_data_access_label", &chronicle.DataAccessLabelArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessLabelId: pulumi.String("label-id"),
			UdmQuery:          pulumi.String("principal.hostname=\"google.com\""),
		})
		if err != nil {
			return err
		}
		_, err = chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					DataAccessLabel: customDataAccessLabel.DataAccessLabelId,
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var customDataAccessLabel = new Gcp.Chronicle.DataAccessLabel("custom_data_access_label", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessLabelId = "label-id",
        UdmQuery = "principal.hostname=\"google.com\"",
    });

    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                DataAccessLabel = customDataAccessLabel.DataAccessLabelId,
            },
        },
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessLabel;
import com.pulumi.gcp.chronicle.DataAccessLabelArgs;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var customDataAccessLabel = new DataAccessLabel("customDataAccessLabel", DataAccessLabelArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessLabelId("label-id")
            .udmQuery("principal.hostname=\"google.com\"")
            .build());

        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .dataAccessLabel(customDataAccessLabel.dataAccessLabelId())
                .build())
            .build());

    }
}

YAML

resources:
  customDataAccessLabel:
    type: gcp:chronicle:DataAccessLabel
    name: custom_data_access_label
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessLabelId: label-id
      udmQuery: principal.hostname="google.com"
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - dataAccessLabel: ${customDataAccessLabel.dataAccessLabelId}

Custom labels let you filter by arbitrary UDM query criteria. The dataAccessLabel property references a DataAccessLabel resource by ID. That resource defines the UDM query (e.g., principal.hostname="google.com"). Users with this scope see only data matching the custom label’s query.

Scope access by asset namespace

Asset namespaces organize entities and context data in Chronicle. Teams can restrict access to specific namespaces to isolate visibility.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [{
        assetNamespace: "my-namespace",
    }],
});

Python

import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[{
        "asset_namespace": "my-namespace",
    }])

Go

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					AssetNamespace: pulumi.String("my-namespace"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                AssetNamespace = "my-namespace",
            },
        },
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .assetNamespace("my-namespace")
                .build())
            .build());

    }
}

YAML

resources:
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - assetNamespace: my-namespace

The assetNamespace property grants access to all assets in a named namespace. This is useful for isolating visibility by business unit or environment. Users see only assets tagged with the specified namespace.

Filter by ingestion metadata

Data ingestion pipelines can tag incoming logs with key-value labels. Scopes can reference these labels to grant access based on how data entered Chronicle.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowedDataAccessLabels: [{
        ingestionLabel: {
            ingestionLabelKey: "ingestion_key",
            ingestionLabelValue: "ingestion_value",
        },
    }],
});

Python

import pulumi
import pulumi_gcp as gcp

example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allowed_data_access_labels=[{
        "ingestion_label": {
            "ingestion_label_key": "ingestion_key",
            "ingestion_label_value": "ingestion_value",
        },
    }])

Go

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowedDataAccessLabels: chronicle.DataAccessScopeAllowedDataAccessLabelArray{
				&chronicle.DataAccessScopeAllowedDataAccessLabelArgs{
					IngestionLabel: &chronicle.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs{
						IngestionLabelKey:   pulumi.String("ingestion_key"),
						IngestionLabelValue: pulumi.String("ingestion_value"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelArgs
            {
                IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs
                {
                    IngestionLabelKey = "ingestion_key",
                    IngestionLabelValue = "ingestion_value",
                },
            },
        },
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowedDataAccessLabels(DataAccessScopeAllowedDataAccessLabelArgs.builder()
                .ingestionLabel(DataAccessScopeAllowedDataAccessLabelIngestionLabelArgs.builder()
                    .ingestionLabelKey("ingestion_key")
                    .ingestionLabelValue("ingestion_value")
                    .build())
                .build())
            .build());

    }
}

YAML

resources:
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowedDataAccessLabels:
        - ingestionLabel:
            ingestionLabelKey: ingestion_key
            ingestionLabelValue: ingestion_value

The ingestionLabel property filters by metadata applied during ingestion. The ingestionLabelKey and ingestionLabelValue properties define the key-value pair to match. Users see only data tagged with this label during ingestion.

Grant broad access with specific exclusions

Some roles need access to most data with targeted restrictions. The allowAll property combined with denied labels creates an inverted access model.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const customDataAccessLabel = new gcp.chronicle.DataAccessLabel("custom_data_access_label", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessLabelId: "label-id",
    udmQuery: "principal.hostname=\"google.com\"",
});
const example = new gcp.chronicle.DataAccessScope("example", {
    location: "us",
    instance: "00000000-0000-0000-0000-000000000000",
    dataAccessScopeId: "scope-id",
    description: "scope-description",
    allowAll: true,
    deniedDataAccessLabels: [
        {
            logType: "GCP_CLOUDAUDIT",
        },
        {
            dataAccessLabel: customDataAccessLabel.dataAccessLabelId,
        },
        {
            ingestionLabel: {
                ingestionLabelKey: "ingestion_key",
                ingestionLabelValue: "ingestion_value",
            },
        },
        {
            assetNamespace: "my-namespace",
        },
    ],
});

Python

import pulumi
import pulumi_gcp as gcp

custom_data_access_label = gcp.chronicle.DataAccessLabel("custom_data_access_label",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_label_id="label-id",
    udm_query="principal.hostname=\"google.com\"")
example = gcp.chronicle.DataAccessScope("example",
    location="us",
    instance="00000000-0000-0000-0000-000000000000",
    data_access_scope_id="scope-id",
    description="scope-description",
    allow_all=True,
    denied_data_access_labels=[
        {
            "log_type": "GCP_CLOUDAUDIT",
        },
        {
            "data_access_label": custom_data_access_label.data_access_label_id,
        },
        {
            "ingestion_label": {
                "ingestion_label_key": "ingestion_key",
                "ingestion_label_value": "ingestion_value",
            },
        },
        {
            "asset_namespace": "my-namespace",
        },
    ])

Go

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/chronicle"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the label resource handle so the denied-label entry can reference its ID.
		customDataAccessLabel, err := chronicle.NewDataAccessLabel(ctx, "custom_data_access_label", &chronicle.DataAccessLabelArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessLabelId: pulumi.String("label-id"),
			UdmQuery:          pulumi.String("principal.hostname=\"google.com\""),
		})
		if err != nil {
			return err
		}
		_, err = chronicle.NewDataAccessScope(ctx, "example", &chronicle.DataAccessScopeArgs{
			Location:          pulumi.String("us"),
			Instance:          pulumi.String("00000000-0000-0000-0000-000000000000"),
			DataAccessScopeId: pulumi.String("scope-id"),
			Description:       pulumi.String("scope-description"),
			AllowAll:          pulumi.Bool(true),
			DeniedDataAccessLabels: chronicle.DataAccessScopeDeniedDataAccessLabelArray{
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					LogType: pulumi.String("GCP_CLOUDAUDIT"),
				},
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					DataAccessLabel: customDataAccessLabel.DataAccessLabelId,
				},
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					IngestionLabel: &chronicle.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs{
						IngestionLabelKey:   pulumi.String("ingestion_key"),
						IngestionLabelValue: pulumi.String("ingestion_value"),
					},
				},
				&chronicle.DataAccessScopeDeniedDataAccessLabelArgs{
					AssetNamespace: pulumi.String("my-namespace"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var customDataAccessLabel = new Gcp.Chronicle.DataAccessLabel("custom_data_access_label", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessLabelId = "label-id",
        UdmQuery = "principal.hostname=\"google.com\"",
    });

    var example = new Gcp.Chronicle.DataAccessScope("example", new()
    {
        Location = "us",
        Instance = "00000000-0000-0000-0000-000000000000",
        DataAccessScopeId = "scope-id",
        Description = "scope-description",
        AllowAll = true,
        DeniedDataAccessLabels = new[]
        {
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                LogType = "GCP_CLOUDAUDIT",
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                DataAccessLabel = customDataAccessLabel.DataAccessLabelId,
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                IngestionLabel = new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs
                {
                    IngestionLabelKey = "ingestion_key",
                    IngestionLabelValue = "ingestion_value",
                },
            },
            new Gcp.Chronicle.Inputs.DataAccessScopeDeniedDataAccessLabelArgs
            {
                AssetNamespace = "my-namespace",
            },
        },
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.chronicle.DataAccessLabel;
import com.pulumi.gcp.chronicle.DataAccessLabelArgs;
import com.pulumi.gcp.chronicle.DataAccessScope;
import com.pulumi.gcp.chronicle.DataAccessScopeArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeDeniedDataAccessLabelArgs;
import com.pulumi.gcp.chronicle.inputs.DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var customDataAccessLabel = new DataAccessLabel("customDataAccessLabel", DataAccessLabelArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessLabelId("label-id")
            .udmQuery("principal.hostname=\"google.com\"")
            .build());

        var example = new DataAccessScope("example", DataAccessScopeArgs.builder()
            .location("us")
            .instance("00000000-0000-0000-0000-000000000000")
            .dataAccessScopeId("scope-id")
            .description("scope-description")
            .allowAll(true)
            .deniedDataAccessLabels(            
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .logType("GCP_CLOUDAUDIT")
                    .build(),
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .dataAccessLabel(customDataAccessLabel.dataAccessLabelId())
                    .build(),
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .ingestionLabel(DataAccessScopeDeniedDataAccessLabelIngestionLabelArgs.builder()
                        .ingestionLabelKey("ingestion_key")
                        .ingestionLabelValue("ingestion_value")
                        .build())
                    .build(),
                DataAccessScopeDeniedDataAccessLabelArgs.builder()
                    .assetNamespace("my-namespace")
                    .build())
            .build());

    }
}

YAML

resources:
  customDataAccessLabel:
    type: gcp:chronicle:DataAccessLabel
    name: custom_data_access_label
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessLabelId: label-id
      udmQuery: principal.hostname="google.com"
  example:
    type: gcp:chronicle:DataAccessScope
    properties:
      location: us
      instance: 00000000-0000-0000-0000-000000000000
      dataAccessScopeId: scope-id
      description: scope-description
      allowAll: true
      deniedDataAccessLabels:
        - logType: GCP_CLOUDAUDIT
        - dataAccessLabel: ${customDataAccessLabel.dataAccessLabelId}
        - ingestionLabel:
            ingestionLabelKey: ingestion_key
            ingestionLabelValue: ingestion_value
        - assetNamespace: my-namespace

Setting allowAll to true grants access to all data by default. The deniedDataAccessLabels array then excludes specific labels. Chronicle evaluates denied labels with AND logic: every denied label is applied as an exclusion, so users cannot see data matching any of the denied labels. This example blocks GCP Cloud Audit logs, data matching a custom label, data with specific ingestion labels, and assets in a namespace. The allowAll and allowedDataAccessLabels properties are mutually exclusive; use one or the other.
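To make the allow/deny semantics concrete, the following is an added Python example (not Pulumi or Chronicle code, and not part of the original page) that lints a scope definition against the constraints stated on this page and simulates which events a user holding the log-type scope or the allowAll-with-denials scope above would see. The flat event records, the predicate standing in for the custom label's UDM query, and the WINEVTLOG filler events are constructed assumptions.

```python
from typing import Callable

# Stand-in for a custom DataAccessLabel: the page's label is defined by a UDM
# query; here that query is modelled as a predicate over a flat event dict.
CustomLabels = dict[str, Callable[[dict], bool]]

LABEL_KEYS = {"logType", "dataAccessLabel", "assetNamespace", "ingestionLabel"}

def validate_scope(scope: dict) -> list[str]:
    """Return the problems a deploy would hit, per the rules stated on the page."""
    problems = []
    allow_all = scope.get("allowAll") is True
    allowed = bool(scope.get("allowedDataAccessLabels"))
    if allow_all and allowed:
        problems.append("allowAll and allowedDataAccessLabels are mutually exclusive")
    if not allow_all and not allowed:
        problems.append("scope grants nothing: set allowAll or allowedDataAccessLabels")
    for which in ("allowedDataAccessLabels", "deniedDataAccessLabels"):
        for i, entry in enumerate(scope.get(which) or []):
            keys = set(entry) & LABEL_KEYS
            if len(keys) != 1:
                problems.append(f"{which}[{i}] must set exactly one label type, got {sorted(keys)}")
            elif "ingestionLabel" in keys and not (
                {"ingestionLabelKey", "ingestionLabelValue"} <= set(entry["ingestionLabel"])
            ):
                problems.append(f"{which}[{i}] ingestionLabel needs ingestionLabelKey and ingestionLabelValue")
    return problems

def label_matches(label: dict, event: dict, custom: CustomLabels) -> bool:
    """Does a single allowed/denied label entry match this event?"""
    if "logType" in label:
        return event.get("log_type") == label["logType"]
    if "dataAccessLabel" in label:
        predicate = custom.get(label["dataAccessLabel"])
        return bool(predicate and predicate(event))
    if "assetNamespace" in label:
        return event.get("namespace") == label["assetNamespace"]
    if "ingestionLabel" in label:
        wanted = label["ingestionLabel"]
        got = event.get("ingestion_labels", {}).get(wanted["ingestionLabelKey"])
        return got == wanted["ingestionLabelValue"]
    return False

def visible(scope: dict, event: dict, custom: CustomLabels) -> bool:
    """Allowed labels are OR-ed together; each denied label is an exclusion."""
    if any(label_matches(d, event, custom) for d in scope.get("deniedDataAccessLabels") or []):
        return False
    if scope.get("allowAll"):
        return True
    return any(label_matches(a, event, custom) for a in scope.get("allowedDataAccessLabels") or [])

def filter_events(scope: dict, events: list[dict], custom: CustomLabels) -> list[str]:
    """IDs of the events a user holding this scope could query."""
    return [e["id"] for e in events if visible(scope, e, custom)]

# Constructed stand-in for the page's DataAccessLabel "label-id",
# whose udmQuery is principal.hostname="google.com".
CUSTOM_LABELS: CustomLabels = {
    "label-id": lambda e: e.get("principal_hostname") == "google.com",
}

# Constructed sample events, not real Chronicle data.
EVENTS = [
    {"id": "e1", "log_type": "GCP_CLOUDAUDIT", "namespace": "prod"},
    {"id": "e2", "log_type": "GITHUB", "namespace": "prod"},
    {"id": "e3", "log_type": "WINEVTLOG", "namespace": "my-namespace"},
    {"id": "e4", "log_type": "WINEVTLOG", "namespace": "prod", "principal_hostname": "google.com"},
    {"id": "e5", "log_type": "WINEVTLOG", "namespace": "prod",
     "ingestion_labels": {"ingestion_key": "ingestion_value"}},
    {"id": "e6", "log_type": "WINEVTLOG", "namespace": "prod"},
]

# The page's log-type scope: GCP_CLOUDAUDIT OR GITHUB.
LOG_TYPE_SCOPE = {
    "allowedDataAccessLabels": [{"logType": "GCP_CLOUDAUDIT"}, {"logType": "GITHUB"}],
}

# The page's inverted scope: everything except the four denied labels.
ALLOW_ALL_SCOPE = {
    "allowAll": True,
    "deniedDataAccessLabels": [
        {"logType": "GCP_CLOUDAUDIT"},
        {"dataAccessLabel": "label-id"},
        {"ingestionLabel": {"ingestionLabelKey": "ingestion_key",
                            "ingestionLabelValue": "ingestion_value"}},
        {"assetNamespace": "my-namespace"},
    ],
}

# A definition the API would reject: allowAll plus allowed labels, and an
# entry that sets two label types at once.
BAD_SCOPE = {
    "allowAll": True,
    "allowedDataAccessLabels": [{"logType": "GITHUB", "assetNamespace": "prod"}],
}
```

filter_events(LOG_TYPE_SCOPE, ...) yields only e1 and e2, while filter_events(ALLOW_ALL_SCOPE, ...) yields e2 and e6, since each of the other events trips one of the four denials.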

Beyond these examples

These snippets focus on specific data access scope features: log type and custom label filtering, asset namespace and ingestion label scoping, and allow-all with exclusions. They’re intentionally minimal rather than full access control systems.

The examples may reference pre-existing infrastructure: a Chronicle instance, DataAccessLabel resources for the custom label examples, and asset namespaces and ingestion labels where those examples use them. They focus on configuring the scope rather than provisioning everything around it.

To keep things focused, common scope patterns are omitted, including:

  • Combining multiple label types in a single scope
  • Scope assignment to users or groups
  • Scope lifecycle management (updates, deletions)
  • Boolean expressions combining allowed and denied labels

These omissions are intentional: the goal is to illustrate how each scope feature is wired, not provide drop-in access control modules. See the Chronicle DataAccessScope resource reference for all available configuration options.


Frequently Asked Questions

Configuration & Label Types
What's the difference between allowAll and allowedDataAccessLabels?
These properties are mutually exclusive; you must provide one or the other. Use allowAll: true to grant access to all data, or specify allowedDataAccessLabels to restrict access to specific labels.
What types of data access labels can I use in a scope?
You can use four label types: logType (e.g., GCP_CLOUDAUDIT), dataAccessLabel (references a custom label ID), assetNamespace, and ingestionLabel (key-value pairs like ingestionLabelKey and ingestionLabelValue).
How do I reference a custom data access label in my scope?
Create a gcp.chronicle.DataAccessLabel resource first, then reference its dataAccessLabelId in the scope’s allowedDataAccessLabels or deniedDataAccessLabels.
Access Control Logic
How do multiple allowed labels work together?
Allowed labels use OR logic. A scope with allowed labels A and B grants access to data labeled A, data labeled B, or data labeled with both A and B.
How do multiple denied labels work together?
Denied labels use AND logic. A scope with denied labels A and B blocks access to data labeled A, data labeled B, and data labeled with both A and B.
Can I use allowAll with denied labels?
Yes, deniedDataAccessLabels can be combined with allowAll to grant access to all data except those matching the denied labels.
Resource Management
What properties can't I change after creating a data access scope?
The dataAccessScopeId, instance, location, and project properties are immutable and cannot be changed after creation.
What formats can I use to import an existing data access scope?
You can import using three formats: the full resource path (projects/{{project}}/locations/{{location}}/instances/{{instance}}/dataAccessScopes/{{data_access_scope_id}}), project-relative ({{project}}/{{location}}/{{instance}}/{{data_access_scope_id}}), or location-relative ({{location}}/{{instance}}/{{data_access_scope_id}}).
