cel-spec | Common Expression Language -- specification and binary | Parser library

I would like to filter the resources available for a user based on their name. So I tried to use GCP IAM Role conditions.

But the only function which seems to be available on resource.name are startsWith(), endsWith() or extract(), saying the linter and the example I found. In the CEL language definition (https://github.com/google/cel-spec/blob/master/doc/langdef.md) contains() or matches() exists but I cannot use it in GCP console, the linter refuse it.

To be clear on the context the same project holds resources for production and non production environments and I would like to give rights to people without giving them access to production ones. The production resources are named with a pattern -prod-.

Is there another way to set an IAM Role condition based on part of resources name?

In our Firebase setup we store the user's role in custom claims. And so, in our Cloud Firestore security rules we need to evaluate whether the user has the appropriate role to perform an action. So I created the function getRole which conveniently gets the requested value from the user's auth token. However, there are certain edge cases when the user does not yet have a role, and in those cases I want their role to evaluate to the lowest possible security role, in our case this is just "user". I read the language spec for CEL (Common Expression Language) which is what this rule language is based on and it does in fact support a ternary operator. (Doc). So I went and plugged in this code into my Firestore security rules and the online editor validated the rules and accepted my new rules. However, I later found that locally, when running my security rules unit tests and also loading up the rules in the firebase emulators, I get this error:

ERROR Use of ternary operator not allowed

So either the production Firestore rules support the ternary operator and the local emulators do not, or the production one is validating against CEL and passing validation when they should not.

At any rate, I would like to safely be able to have a function which returns the actual value of the user's role, or a default safe value if it is not set.

Please note that we have tried to omit the 'role' in getCustomClaims() statement and it blows up if the key does not exist in the custom claims.