AI-generated Key Takeaways
- 
          Server-side custom templates have permissions that are checked by APIs and automatically detected in sandboxed JavaScript. 
- 
          These permissions can be edited for specificity and queried using the queryPermissionAPI.
- 
          Permissions cover actions such as accessing databases (BigQuery, Firestore), reading/modifying HTTP requests/responses, logging, and utilizing Google Cloud resources. 
- 
          Each permission has a detailed description, configuration options, code examples, and related API references in this document. 
- 
          This system ensures secure and controlled execution of custom templates within the server-side environment. 
This document outlines the permissions for server-side custom templates.
Each permission is:
- Checked by APIs that require them.
- Automatically detected in sandboxed JavaScript, based on what APIs are used. This happens as edits are made in the custom template editor (for a fast feedback loop), and when code is compiled (to validate that the correct permissions are enforced).
- Editable in the custom template editor, to make the permission more specific.
- Queryable in sandboxed JavaScript via the queryPermissionAPI.
access_bigquery
Display name: Accesses BigQuery
Description: Allows access to BigQuery on Google Cloud Platform.
Configuration: Option to allow specified project, dataset, and table
combinations to be used with BigQuery. Setting a project ID configuration of
GOOGLE_CLOUD_PROJECT will allow using the GOOGLE_CLOUD_PROJECT environment
variable as the project ID when projectId is excluded from the BigQuery API
parameter.
Required by: BigQuery
Query signature:
queryPermission('access_bigquery', <operation>, <options>)
Notes: <operation> is a string and can have the following values:
- write
<options> is an object containing the following items:
{
  'projectId': <project_id>,
  'datasetId': <dataset_id>,
  'tableId': <table_id>
}
Example code
const BigQuery = require('BigQuery');
const queryPermission = require('queryPermission');
const connectionInfo = {
  'projectId': 'gcp-cloud-project-id',
  'datasetId': 'destination-dataset',
  'tableId': 'destination-table',
};
if (queryPermission('access_bigquery', 'write', connectionInfo)) {
  const rows = [{
    'column1': 'String1',
    'column2': 1234,
  }];
  const options = {
    'ignoreUnknownValues': true,
    'skipInvalidRows': false,
  };
  BigQuery.insert(connectionInfo, rows, options)
      .then(data.gtmOnSuccess, data.gtmOnFailure);
}
access_firestore
Display name: Accesses Google Firestore
Description: Allows access to Google Firestore.
Configuration: Option to allow specified project and path (wildcard syntax
supported) combinations to be used with Firestore. Setting a project ID
configuration of GOOGLE_CLOUD_PROJECT will allow using the
GOOGLE_CLOUD_PROJECT environment variable as the project ID when projectId
is excluded from the Firestore API parameter.
Required by: Firestore
Query signature:
queryPermission('access_firestore', <operation>, <options>)
Notes: <operation> is a string and can have the following values:
- read - Grants access to read and query APIs
- write - Grants access to write API
- read_write - Grants access to read, write, and query APIs
<options> is an object containing the following items:
{
  'projectId': <project_id>,
  'path': <path>
}
Example code
const Firestore = require('Firestore');
const queryPermission = require('queryPermission');
const options = {
  'projectId': 'gcp-cloud-project-id',
  'path': 'collection/document',
};
if (queryPermission('access_firestore', 'read', options)) {
  Firestore.read('collection/document', {
    projectId: 'gcp-cloud-project-id',
  }).then(data.gtmOnSuccess, data.gtmOnFailure);
}
access_response
Display name: Accesses response
Description: Accesses the response body, headers, or status.
Configuration: Option to allow any or specific access, with sub-options for controlling access to various subcomponents.
Required by: setPixelResponse, setResponseBody,
setResponseHeader, setResponseStatus
Query signature:
queryPermission('access_response', 'write', <component>[, <optional component name>])
Notes: Governs whether the outgoing HTTP response component can be accessed.
Example code
const queryPermission = require('queryPermission');
const setResponseBody = require('setResponseBody');
const setResponseHeader = require('setResponseHeader');
const setResponseStatus = require('setResponseStatus');
if (queryPermission('access_response', 'write', 'header', 'Content-Type')) {
  setResponseHeader('Content-Type', 'text/plain');
}
if (queryPermission('access_response', 'write', 'body')) {
  setResponseBody('Not Found');
}
if (queryPermission('access_response', 'write', 'status')) {
  setResponseStatus(404);
}
access_template_storage
Display name: Accesses Template Storage
Description: Allows access to temporary storage for templates that can persist for the lifetime of the server-side process.
Configuration: None
Required by: templateDataStorage
Query signature: queryPermission('access_template_storage')
Example code
const queryPermission = require('queryPermission');
const templateDataStorage = require('templateDataStorage');
const key = 'my_key';
if (queryPermission('access_template_storage')) {
  const value = templateDataStorage.getItemCopy(key);
}
get_cookies
Display name: Reads cookie value(s)
Description: Reads the values of the cookies with the specified name.
Configuration: List of names of cookies permitted for reading.
Required by: getCookieValues
Query signature: queryPermission('get_cookies', <name>)
Notes: Governs whether a cookie can be read, depending on its name.
Example code
const queryPermission = require('queryPermission');
const getCookieValues = require('getCookieValues');
const cookieName = 'info';
let cookieValues;
if (queryPermission('get_cookies', cookieName)) {
  cookieValues = getCookieValues(cookieName);
}
logging
Display name: Logs to console
Description: Logs to the developer console and Tag Manager's preview mode.
Configuration: Option to enable logging in production. Defaults to only
enable logging in debug/preview. If permission is denied, logToConsole will
not throw an error, but will suppress the log message.
Required by: logToConsole
Query signature: queryPermission('logging')
Notes: Controls whether a custom template can log to the developer console.
Example code
const queryPermission = require('queryPermission');
const logToConsole = require('logToConsole');
// Note that it's fine to call log, since the log call will be ignored if
// logging isn't permitted in the current environment.
logToConsole('diagnostic info');
use_message
Display name: Uses messages
Description: Sends or receives messages using the addMessageListener or
sendMessage APIs.
Configuration: Option to specify the message type and whether the template can listen, send, or both.
Required by: addMessageListener, sendMessage
Query signature: queryPermission('use_message', <usage>, <message type>)
Notes: Usage can be one of listen, send, or listen_and_send.
Example code
const queryPermission = require('queryPermission');
const sendMessage = require('sendMessage');
if (queryPermission('use_message', 'send', 'set_cookie')) {
  sendMessage('set_cookie', {name: 'foo', value: 'bar'});
}
read_container_data
Display name: Reads container data
Description: Reads data about the container.
Configuration: None.
Required by: getClientName, getContainerVersion
Query signature: queryPermission('read_container_data')
Notes: Controls whether a custom template can read container data.
Example code
const getContainerVersion = require('getContainerVersion');
const queryPermission = require('queryPermission');
if (queryPermission('read_container_data')) {
  return getContainerVersion();
}
read_event_data
Display name: Reads event data
Description: Reads data from the event.
Configuration: Option to allow any access, or specific access controlled by a list of allowed key paths (wildcard syntax supported).
Required by: getAllEventData, getEventData
Query signature: queryPermission('read_event_data'[, <optional key>])
Notes: Controls whether a custom template can read event data at a given key path (or all the event data, if no key path is given).
Example code
const getAllEventData = require('getAllEventData');
const queryPermission = require('queryPermission');
if (queryPermission('read_event_data')) {
  return getAllEventData();
}
const getEventData = require('getEventData');
const queryPermission = require('queryPermission');
const keyPath = 'parentField.childField';
if (queryPermission('read_event_data', keyPath)) {
  return getEventData(keyPath);
}
read_event_metadata
Display name: Reads event metadata
Description: Reads event metadata in Event Callbacks
Configuration: None
Required by: addEventCallback
Query signature: queryPermission('read_event_metadata')
Notes: Controls whether a custom template can read event metadata in callbacks.
Example code
const queryPermission = require('queryPermission');
const addEventCallback = require('addEventCallback');
if (queryPermission('read_event_metadata')) {
  addEventCallback((containerId, eventMetadata) => {
    // Read event metadata.
  });
}
read_request
Display name: Reads HTTP request
Description: Reads the request headers, query parameters, body, path, or remote IP address.
Configuration: Option to allow any or specific access, with sub-options for controlling access to various subcomponents.
Required by: extractEventsFromMpv1, extractEventsFromMpv2,
getRemoteAddress, getRequestBody, getRequestHeader,
getRequestPath, getRequestQueryParameter, getRequestQueryParameters,
getRequestQueryString
Query signature:
queryPermission('read_request', <component>[, <optional component name>])
Notes: Governs whether the incoming HTTP response component can be accessed.
Example code
const queryPermission = require('queryPermission');
const getRequestBody = require('getRequestBody');
const getRequestHeader = require('getRequestHeader');
let body, contentType;
if (queryPermission('read_request', 'body')) {
  body = getRequestBody();
}
if (queryPermission('read_request', 'header', 'content-type')) {
  contentType = getRequestHeader('content-type');
}
if (body && contentType == 'application/json') { ... }
return_response
Display name: Returns response
Description: Returns response to the caller.
Configuration: None
Required by: returnResponse
Query signature: queryPermission('return_response')
Notes: This permission has no fields to narrow, and is typically not queried for.
run_container
Display name: Runs the container
Description: Runs the container with an event
Configuration: None
Required by: runContainer
Query signature: queryPermission('run_container')
Notes: This permission has no fields to narrow, and is typically not queried for.
send_http
Display name: Sends HTTP requests
Description: Sends an HTTP request to a specified URL.
Required by: getGoogleScript, sendEventToGoogleAnalytics,
sendHttpGet, sendHttpRequest
Query signature: queryPermission('send_http', <url>)
Notes: Governs whether an HTTP request can be made, depending on the URL. To ensure a secure connection, only secure (HTTPS) URLs are permitted.
Example code
const queryPermission = require('queryPermission');
const sendHttpGet = require('sendHttpGet');
const url = 'https://example.com/search?query=foo&results=10';
if (queryPermission('send_http', url)) {
  sendHttpGet(url);
}
send_pixel_from_browser
Display name: Sends pixels from browsers
Description: Sends a GET request to a specified URL from the browser.
Required by: sendPixelFromBrowser
Query signature: queryPermission('send_pixel_from_browser', <url>)
Notes: Governs whether a request can be sent from the browser, depending on the URL.
Example code
const queryPermission = require('queryPermission');
const sendPixelFromBrowser = require('sendPixelFromBrowser');
const url = 'https://example.com/search?query=foo&results=10';
if (queryPermission('send_pixel_from_browser', url)) {
  sendPixelFromBrowser(url);
}
set_cookies
Display name: Sets a cookie
Description: Sets a cookie with the specified name and parameters.
Configuration: A table of allowed cookie names, each with optional
restrictions on name, domain, path, secure attribute, and expiration.
Required by: setCookie
Query signature: queryPermission('set_cookies', <name>, <options>)
Notes: Governs whether a given 'Set-Cookie' header can be added to the
response, depending on the cookie name, domain, path, secure attribute, and
expiration.
Example code
const queryPermission = require('queryPermission');
const setCookie = require('setCookie');
const options = {
  'domain': 'www.example.com',
  'path': '/',
  'max-age': 60*60*24*365,
  'secure': true
};
if (queryPermission('set_cookies', 'info', options)) {
  setCookie('info', 'xyz', options);
}
use_custom_private_keys
Display name: Uses custom private keys
Description: Uses private keys from a JSON key file for cryptographic operations.
Configuration: A list of allowed key IDs. The IDs must match the keys in
the JSON key file referenced by the SGTM_CREDENTIALS environment variable
on the server.
Required by: hmacSha256
Query signature: queryPermission('use_custom_private_keys', <key id>)
Notes: Governs the list of allowed private keys.
Example code
const hmacSha256= require('hmacSha256');
const queryPermission = require('queryPermission');
const keyId = 'key1';
let result;
if (queryPermission('use_custom_private_keys', keyId)) {
  result = hmacSha256('my_data', keyId);
}
use_google_credentials
Display name: Uses Google Application Default Credentials
Description: Uses the Google default credentials to make calls to Google APIs.
Configuration: A list of allowed Google OAuth 2.0 scopes.
Required by: getGoogleAuth
Query signature: queryPermission('use_google_credentials', <scopes>)
Notes: Restricts the allowed Google OAuth 2.0 scopes for use with Google APIs.
Example code
const getGoogleAuth = require('getGoogleAuth');
const queryPermission = require('queryPermission');
const scopes = [
  'https://www.googleapis.com/auth/datastore'
];
let auth;
if (queryPermission('use_google_credentials', scopes)) {
  auth = getGoogleAuth(scopes);
}