CEL matcher language reference

Common Expression Language (CEL) is an open source non-Turing complete language that implements common semantics for expression evaluation. Secure Web Proxy uses a subset of CEL conditions to make boolean authorization decisions based on attribute data. In general, a condition expression consists of one or more statements that are joined by logical operators (`&&`, `||`, or `!`). Each statement expresses an attribute-based control rule that applies to the role binding and ultimately determines whether access is allowed.

Attributes

Use session attributes and application attributes while defining Secure Web Proxy policies to describe either the session attributes or the application attributes that a policy applies to.

Session attributes, described by `SessionMatcher`, apply to session-specific attributes such as the source IP address, hosts, and IP range. Application attributes, described by `ApplicationMatcher`, apply to application attributes such as request headers, request method, and request path.

Attributes available to SessionMatcher and ApplicationMatcher

The following table describes attributes that apply to both `SessionMatcher` and `ApplicationMatcher`.

| Attribute | Attribute type | Description |
| --- | --- | --- |
| `source.ip` | string | IP address of the client that sent the request. |
| `source.port` | integer | Client port that sent the request. |
| `destination.port` | integer | Upstream port to which your Secure Web Proxy instance sends the traffic. |
| `host()` | string | Host value used for DNS resolution and upstream connections. This doesn't include the port. The value of `host()` is determined by the following: for raw HTTP requests, the Host header; for proxy tunnel HTTP CONNECT requests, the CONNECT target. |
| `source.matchTag(SECURE_TAG)` | boolean | True, if the source is associated with `SECURE_TAG`. The argument is the permanent ID of the secure tag, such as `source.matchTag('tagValues/123456')`. |
| `source.matchServiceAccount(SERVICE_ACCOUNT)` | boolean | True, if the source is associated with `SERVICE_ACCOUNT`, such as `source.matchServiceAccount('x@my-project.iam.gserviceaccount.com')`. |
| `inUrlList(HOST_OR_URL, NAMED_LIST)` | boolean | True, if `HOST_OR_URL` is present in the provided named list `NAMED_LIST`. For example: `inUrlList(host(), 'projects/1234/locations/us-east1/urlLists/allowed-repos')` or `inUrlList(request.url(), 'projects/1234/locations/us-east1/urlLists/allowed-repos')`. When a `UrlList` pattern is matched against values without a forward-slash (/), such as in `host()`, only the domain portion of the pattern is matched. For more information, see How UrlList interprets entries. |
| `inIpRange(IP_ADDRESS, IP_RANGE)` | boolean | True, if `IP_ADDRESS` is contained within the `IP_RANGE`, such as `inIpRange(source.ip, '1.2.3.0/24')`. Subnet masks for IPv6 addresses can't be larger than /64. |

Attributes available only to ApplicationMatcher

The following table describes attributes that apply only to `ApplicationMatcher`.

| Attribute | Attribute type | Description |
| --- | --- | --- |
| `request.headers` | map | String-to-string map of the request headers. If a header contains multiple values, then the value in this map is a comma-separated string of all the values of the header. All keys in this map are in lowercase. |
| `request.method` | string | Request method, such as GET or POST. |
| `request.host` | string | Convenience equivalent to `request.headers['host']`. We recommend that you use `host()` in most cases. |
| `request.path` | string | Requested URL path. |
| `request.query` | string | URL query in the format of `name1=value&name2=value2`, as it appears in the first line of the request. No decoding is performed. |
| `request.scheme` | string | URL scheme, such as HTTP or HTTPS. All values of this attribute are in lowercase. |
| `request.url()` | string | Convenience for `host() + request.path`. This doesn't include the port and uses a host value that might differ from the host header. |
| `request.useragent()` | string | Convenience equivalent to `request.headers['user-agent']`. |

Operators

Secure Web Proxy supports several operators that can be used to build complex logic expressions from simple expression statements. Secure Web Proxy supports logical operators, such as `&&`, `||`, and `!`, and string manipulation operators, such as `x.contains('y')`.

The logical operators let you verify multiple variables in a conditional expression. For example, `request.method == 'GET' && host().matches('.*\.example.com')` joins two statements and requires both statements to be True to produce an overall result of True.

The string manipulation operators match strings or substrings that you define, and let you develop rules to control access to resources without listing every possible combination.

Logical operators

The following table describes the logical operators that Secure Web Proxy supports.

| Example expression | Description |
| --- | --- |
| `x == "foo"` | Returns True if `x` is equal to the constant string literal argument. |
| `x == R"fo'o"` | Returns True if `x` is equal to the given raw string literal that does not interpret escape sequences. Raw string literals are convenient for expressing strings that the code must use to escape sequence characters. |
| `x == y` | Returns True if `x` is equal to `y`. |
| `x != y` | Returns True if `x` is not equal to `y`. |
| `x && y` | Returns True if both `x` and `y` are True. |
| `x \|\| y` | Returns True if `x`, `y`, or both are True. |
| `!x` | Returns True if the boolean value `x` is False. Otherwise, it returns False if the boolean value `x` is True. |
| `m['k']` | If key `k` is present, returns the value at key `k` in the string-to-string map `m`. If key `k` is not present, it returns an error that causes the rule under evaluation to not match. |

String manipulation operators

The following table describes the string manipulation operators that Secure Web Proxy supports.

| Expression | Description |
| --- | --- |
| `x.contains(y)` | Returns True if the string `x` contains the substring `y`. |
| `x.startsWith(y)` | Returns True if the string `x` begins with the substring `y`. |
| `x.endsWith(y)` | Returns True if the string `x` ends with the substring `y`. |
| `x.matches(y)` | Returns True if the string `x` matches the specified RE2 pattern `y`. The RE2 pattern is compiled by using the RE2::Latin1 option that disables Unicode features. |
| `x.lower()` | Returns the lowercase value of the string `x`. |
| `x.upper()` | Returns the uppercase value of the string `x`. |
| `x + y` | Returns the concatenated string `xy`. |
| `int(x)` | Converts the string result of `x` to an `int` type. You can use the converted string to compare integers with standard arithmetic operators such as `>` and `<=`. This works only for integer values. |
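
The following is an added example, not part of the original reference and not Secure Web Proxy tooling: a small Python linter that checks matcher expressions against constraints stated in the tables above (lowercase header keys, the /64 limit on IPv6 ranges, RE2 patterns compiled without Unicode features) and also flags unescaped dots in `matches()` patterns. The name `lint_rule`, the regex-based extraction (a heuristic, not a CEL parser), and the sample rules are assumptions made for illustration.

```python
import ipaddress
import re

# Heuristic extraction of quoted literal arguments; this is not a CEL parser.
HEADER_KEY = re.compile(r"""request\.headers\[\s*(['"])(.*?)\1\s*\]""")
IP_RANGE = re.compile(r"""inIpRange\([^,]+,\s*(['"])(.*?)\1\s*\)""")
MATCHES = re.compile(r"""\.matches\(\s*[rR]?(['"])(.*?)\1\s*\)""")
# A '.' that is neither escaped nor followed by a quantifier matches any character.
BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?{])")


def lint_rule(expr):
    """Return a list of findings for one matcher expression (hypothetical helper)."""
    findings = []
    for m in HEADER_KEY.finditer(expr):
        key = m.group(2)
        if key != key.lower():  # map keys are always lowercase, so this key is absent
            findings.append(f"header key {key!r} is not lowercase: lookup errors, rule never matches")
    for m in IP_RANGE.finditer(expr):
        cidr = m.group(2)
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"IP range {cidr!r} is not a valid CIDR")
            continue
        if net.version == 6 and net.prefixlen > 64:
            findings.append(f"IPv6 range {cidr!r} has a mask larger than /64")
    for m in MATCHES.finditer(expr):
        pattern = m.group(2)
        if BARE_DOT.search(pattern):
            findings.append(f"pattern {pattern!r} has an unescaped '.', which matches any character")
        if not pattern.isascii():  # RE2::Latin1 disables Unicode features
            findings.append(f"pattern {pattern!r} has non-ASCII characters; Unicode features are disabled")
    return findings


# Constructed sample rules (not taken from any real policy).
SAMPLE_RULES = [
    "request.method == 'GET' && host().matches('.*\\.example.com')",
    "request.headers['User-Agent'].contains('curl')",
    "inIpRange(source.ip, '2001:db8::/96')",
    "inIpRange(source.ip, '1.2.3.0/24') && request.headers['user-agent'].contains('curl')",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule)
        for finding in lint_rule(rule) or ["ok"]:
            print("   ", finding)
```

The first sample is the expression from the Operators section; the linter flags the dot before `com`, which is not escaped and therefore matches any character rather than a literal dot.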

Last updated 2025-11-24 UTC.