CEL matcher language reference
Common Expression Language (CEL) is an open source non-Turing complete language that implements common semantics for expression evaluation. Secure Web Proxy uses a subset of CEL conditions to make boolean authorization decisions based on attribute data. In general, a condition expression consists of one or more statements that are joined by logical operators (&&, ||, or !). Each statement expresses an attribute-based control rule that applies to the role binding and ultimately determines whether access is allowed.
Attributes
Use session attributes and application attributes while defining Secure Web Proxy policies to describe either the session attributes or the application attributes that a policy applies to.
Session attributes, described by SessionMatcher, apply to session-specific attributes such as the source IP address, hosts, and IP range. Application attributes, described by ApplicationMatcher, apply to application attributes such as request headers, request method, and request path.
Attributes available to SessionMatcher and ApplicationMatcher
The following table describes attributes that apply to both SessionMatcher and ApplicationMatcher.
| Attribute | Attribute type | Description |
|---|---|---|
| source.ip | string | IP address of the client that sent the request. |
| source.port | integer | Client port that sent the request. |
| destination.port | integer | Upstream port to which your Secure Web Proxy instance sends the traffic. |
| host() | string | Host value used for DNS resolution and upstream connections. This doesn't include the port. The value of **host()** is determined by the following: |
| source.matchTag(SECURE_TAG) | boolean | The argument is the permanent ID of the secure tag, such as |
| source.matchServiceAccount(SERVICE_ACCOUNT) | boolean | True, if the source is associated with SERVICE_ACCOUNT, such as source.matchServiceAccount('x@my-project.iam.gserviceaccount.com'). |
| inUrlList(HOST_OR_URL, NAMED_LIST) | boolean | When a |
| inIpRange(IP_ADDRESS, IP_RANGE) | boolean | True, if IP_ADDRESS is contained within the IP_RANGE, such as inIpRange(source.ip, '1.2.3.0/24'). Subnet masks for IPv6 addresses can't be larger than /64. |
Attributes available only to ApplicationMatcher
The following table describes attributes that apply only to ApplicationMatcher.
| Attribute | Attribute type | Description |
|---|---|---|
| request.headers | map | String-to-string map of the request headers. If a header contains multiple values, then the value in this map is a comma-separated string of all the values of the header. All keys in this map are in lowercase. |
| request.method | string | Request method, such as GET or POST. |
| request.host | string | Convenience equivalent to We recommend that you use |
| request.path | string | Requested URL path. |
| request.query | string | URL query in the format of No decoding is performed. |
| request.scheme | string | URL scheme, such as HTTP or HTTPS. All values of this attribute are in lowercase. |
| request.url() | string | Convenience for This doesn't include the port and uses a host value that might differ from the host header. |
| request.useragent() | string | Convenience equivalent to request.headers['user-agent']. |
Operators
Secure Web Proxy supports several operators that can be used to build complex logic expressions from simple expression statements. Secure Web Proxy supports logical operators, such as &&, ||, and !, and string manipulation operators, such as x.contains('y').
The logical operators let you verify multiple variables in a conditional expression. For example, request.method == 'GET' && host().matches('.*\.example.com') joins two statements and requires both statements to be True to produce an overall result of True.
The string manipulation operators match strings or substrings that you define, and let you develop rules to control access to resources without listing every possible combination.
Logical operators
The following table describes the logical operators that Secure Web Proxy supports.
| Example expression | Description |
|---|---|
| x == "foo" | Returns True if x is equal to the constant string literal argument. |
| x == R"fo'o" | Returns True if x is equal to the given raw string literal that does not interpret escape sequences. Raw string literals are convenient for expressing strings that the code must use to escape sequence characters. |
| x == y | Returns True if x is equal to y. |
| x != y | Returns True if x is not equal to y. |
| x && y | Returns True if both x and y are True. |
| x \|\| y | Returns True if x, y, or both are True. |
| !x | Returns True if the boolean value x is False. Otherwise, it returns False if the boolean value x is True. |
| m['k'] | If key k is present, returns the value at key k in the string-to-string map m. If key k is not present, it returns an error that causes the rule under evaluation to not match. |
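
The m['k'] rule interacts with how request.headers is built (lowercase keys, repeated headers joined with commas). The following Python model is an added example, not Secure Web Proxy code: `build_headers`, `rule_matches`, the `x-env` header and the sample requests are constructed for illustration, and the exact join separator (a comma with no space) is an assumption.

```python
class MissingKey(Exception):
    """Models the evaluation error produced by m['k'] when key k is absent."""


class HeaderMap(dict):
    """String-to-string map whose failed lookups raise MissingKey."""
    def __getitem__(self, key):
        try:
            return super().__getitem__(key)
        except KeyError:
            raise MissingKey(key)


def build_headers(raw_headers):
    """Model request.headers: keys lowercased, repeated headers comma-joined.
    Assumption: values are joined with ',' and no space."""
    merged = {}
    for name, value in raw_headers:
        key = name.lower()
        merged[key] = f"{merged[key]},{value}" if key in merged else value
    return merged


def rule_matches(predicate, raw_headers):
    """A rule matches only if its expression evaluates to True without error."""
    headers = HeaderMap(build_headers(raw_headers))
    try:
        return predicate(headers) is True
    except MissingKey:
        return False  # lookup error: the rule under evaluation does not match


# Python stand-ins for CEL expressions (constructed):
IS_PROD = lambda h: h["x-env"] == "prod"      # request.headers['x-env'] == 'prod'
NOT_PROD = lambda h: h["x-env"] != "prod"     # request.headers['x-env'] != 'prod'
WRONG_CASE = lambda h: h["X-Env"] == "prod"   # request.headers['X-Env'] == 'prod'

# Constructed sample requests as (header name, value) pairs:
REQ_ONE = [("X-Env", "prod")]
REQ_NONE = [("Accept", "*/*")]
REQ_TWICE = [("X-Env", "prod"), ("x-env", "test")]

if __name__ == "__main__":
    for label, req in (("one", REQ_ONE), ("none", REQ_NONE), ("twice", REQ_TWICE)):
        print(label, [rule_matches(p, req) for p in (IS_PROD, NOT_PROD, WRONG_CASE)])
```

In this model a negative comparison such as NOT_PROD does not match a request that omits the header, a lookup with an uppercase key never matches, and an exact comparison fails once the header is sent twice.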
String manipulation operators
The following table describes the string manipulation operators that Secure Web Proxy supports.
| Expression | Description |
|---|---|
| x.contains(y) | Returns True if the string x contains the substring y. |
| x.startsWith(y) | Returns True if the string x begins with the substring y. |
| x.endsWith(y) | Returns True if the string x ends with the substring y. |
| x.matches(y) | Returns The RE2 pattern is compiled by using the RE2::Latin1 option that disables Unicode features. |
| x.lower() | Returns the lowercase value of the string x. |
| x.upper() | Returns the uppercase value of the string x. |
| x + y | Returns the concatenated string xy. |
| int(x) | Converts the string result of x to an int type. You can use the converted string to compare integers with standard arithmetic operators such as > and <=. This works only for integer values. |
Last updated 2025-11-24 UTC.