Approving Access Approval requests

Learn how to use Access Approval to approve an access request. Be sure you understand the Access Approval concepts in the Overview before you begin.

Receiving notifications

There are two ways to receive Access Approval requests: by email, via Pub/Sub, or both at the same time.

To receive via email, follow the steps in the Setting up email notifications section of the Quickstart.

To use Pub/Sub, follow the steps below.

  1. Create a topic in Pub/Sub in the project that will be approving requests. You can have a single Pub/Sub topic that receives requests for all projects, or a separate Pub/Sub topic in each project.
  2. Using the Google Cloud Console, grant the approval service account the Pub/Sub Publisher role on the Pub/Sub topic. The service account to grant the role to is customer-approval-jobs@system.gserviceaccount.com.
  3. Contact Google Cloud Support and give them the name(s) of the Pub/Sub topic(s) you created and the project, folder, or organization IDs for which each topic should receive notifications.

Once this is complete, you will begin receiving messages in your Pub/Sub topic that correspond to Access Approval requests.

The following is a sample Access Approval request:

{
  "name": "projects/123456/approvalRequests/xyzabc123",
  "requestedResourceName": "projects/123456",
  "requestedReason": {
    "detail": "Case number: bar123",
    "type": "CUSTOMER_INITIATED_SUPPORT"
  },
  "requestedLocations": {
    "principalOfficeCountry": "US",
    "principalPhysicalLocationCountry": "US"
  },
  "requestTime": "2018-08-28T19:07:12.286Z",
  "requestedExpiration": "2018-09-02T19:07:11.877Z"
}

Configuring Access Approvers in your Organization

  1. Go to the IAM settings page for your project.

  2. Grant the IAM role Access Approvals Approver on the project, folder, or organization to the principal (either a service account or a human) who will perform approvals.

Approving Access Approval requests

Before you begin, be sure that you have the IAM role Access Approvals Approver on the project, folder, or organization.

To approve an Access Approval request, follow the steps for the Console or for cURL below.

Console

  1. Go to the Security section of the Google Cloud Console and select Access Approval to bring up the panel with all your current approval requests.
    • You can also click the link in the email sent to you with the approval request to be taken to this page.
  2. To approve a request, click Approve. You can also dismiss the request, but this is optional: access remains denied whether or not you dismiss it.
  3. Once approved, the request's state becomes 'approved'. Any Google employee whose attributes match the approval (for example, the same justification, the same location, and the same desk location) can access the resource within the approved time frame. If the request is not approved, the Google employee's access is denied. Dismissing a request only removes it from your list of pending requests; if you do not dismiss it, access is still denied.

cURL

  1. Take the approvalRequest name from the Pub/Sub message.
  2. Make an API call to approve or dismiss that approvalRequest.

     # HTTP POST request with an empty body (the effect of -d '').
     # service-account-credentials.json is obtained by going to the
     # IAM -> Service Accounts menu in the Cloud Console and creating
     # a service account.
     curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
       -d '' https://accessapproval.googleapis.com/v1beta1/projects/[PROJECT_ID]/approvalRequests/[APPROVAL_REQUEST_ID]:approve

  3. Once approved, the request's state becomes 'approved'. Any Google employee whose attributes match the approval (for example, the same justification, the same location, and the same desk location) can access the resource within the approved time frame.

  4. If the request is dismissed or not acted on, the Google employee's access remains denied.

The options you have for replying to a request include:

Action    | Effect                                                                                                                                                  | Google access state
:approve  | Approves the request.                                                                                                                                   | Denied before approval, approved after approval.
:dismiss  | Dismisses the request. This is preferred over taking no action, because it tells the Google employee that the request was dismissed so they can follow up. | Denied before dismissal, denied after dismissal.
No action | Google employee access is still denied. The Google employee must open a new request to access the resource after the requestedExpiration time passes.   | Denied before no action, denied after the expiration time.
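The reply logic for a request arriving on the Pub/Sub topic, as an added Python example (not Google's code): it applies an assumed approval policy to the request body and builds the :approve or :dismiss URL that the cURL step above posts to. The policy rules, the allowed-country and open-case inputs, and the sample message are assumptions; the sample is constructed from the request shown earlier on this page.

```python
"""Automate the reply to an Access Approval request received via Pub/Sub.
Added example, not Google's code; the policy below is an assumption."""
import json
from datetime import datetime, timezone

API = "https://accessapproval.googleapis.com/v1beta1"  # version used on this page

# Constructed sample message body, copied from the request shown earlier.
SAMPLE_MESSAGE = json.dumps({
    "name": "projects/123456/approvalRequests/xyzabc123",
    "requestedResourceName": "projects/123456",
    "requestedReason": {"detail": "Case number: bar123",
                        "type": "CUSTOMER_INITIATED_SUPPORT"},
    "requestedLocations": {"principalOfficeCountry": "US",
                           "principalPhysicalLocationCountry": "US"},
    "requestTime": "2018-08-28T19:07:12.286Z",
    "requestedExpiration": "2018-09-02T19:07:11.877Z",
})

def parse_time(ts):
    """Parse the RFC 3339 UTC timestamps ('Z' suffix) used by the API."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def decide(message, now, allowed_countries, open_cases):
    """Return 'approve' or 'dismiss' for the request carried in a Pub/Sub message.

    Assumed policy: approve only CUSTOMER_INITIATED_SUPPORT requests that cite a
    support case we opened ourselves, come from an allowed office and physical
    country, and have not expired. Everything else is dismissed, which (per the
    table above) keeps access denied but tells the requester to follow up.
    """
    req = json.loads(message)
    reason = req.get("requestedReason", {})
    locs = req.get("requestedLocations", {})
    if parse_time(req["requestedExpiration"]) <= now:
        return "dismiss"  # already expired: access stays denied either way
    if reason.get("type") != "CUSTOMER_INITIATED_SUPPORT":
        return "dismiss"
    if reason.get("detail", "") not in open_cases:
        return "dismiss"  # no support case of ours matches the stated reason
    countries = {locs.get("principalOfficeCountry"),
                 locs.get("principalPhysicalLocationCountry")}
    if not countries <= allowed_countries:
        return "dismiss"
    return "approve"

def action_url(message, action):
    """Build the :approve or :dismiss URL that the cURL step above POSTs to."""
    name = json.loads(message)["name"]  # projects/<id>/approvalRequests/<id>
    return f"{API}/{name}:{action}"
```

The returned action is then sent with the same curl command as in step 2, substituting `action_url(...)` for the URL and `:dismiss` for `:approve` where the policy rejects the request.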

Listing historical approval requests

Console

This capability is not yet available in the Google Cloud Console. You can see historical approvals in your Cloud Audit Logs by visiting Cloud Logging; filter by the audited resource accessapproval.googleapis.com if audit logging is enabled for your project.

cURL

curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
    https://accessapproval.googleapis.com/v1beta1/projects/[PROJECT_ID]/approvalRequests?filter=ALL

By default, the API lists all unapproved requests plus approved, non-expired requests. The filter parameter lets you list other sets, such as all dismissed requests; see the API documentation for details.

You will receive a list of historical access approvals together with their status.

{
  "approvalRequests": [
    {
      "name": "projects/123456/approvalRequests/xyzabc123",
      "requestedResourceName": "projects/123456",
      "requestedReason": {
        "detail": "Case number: bar123",
        "type": "CUSTOMER_INITIATED_SUPPORT"
      },
      "requestedLocations": {
        "principalOfficeCountry": "US",
        "principalPhysicalLocationCountry": "US"
      },
      "requestTime": "2018-08-30T17:49:13.712Z",
      "requestedExpiration": "2018-09-04T17:49:13.540Z",
      "approve": {
        "approveTime": "2018-08-30T17:49:15.737Z",
        "expireTime": "2018-09-04T17:49:13.540Z"
      }
    }
  ]
}
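Turning the list response into an audit view of which approvals currently grant access, as an added Python example (not Google's code). The response is constructed from the one shown above plus two extra entries; the "dismiss" field name on dismissed entries is an assumption, since the page shows only the "approve" decision.

```python
"""Classify entries of an approvalRequests list response by the access state
they imply. Added example, not Google's code; 'dismiss' field is assumed."""
import json
from datetime import datetime, timezone

# Constructed sample response: the entry shown above plus a pending request
# and a dismissed one, so that every state below is exercised.
SAMPLE_RESPONSE = json.dumps({"approvalRequests": [
    {"name": "projects/123456/approvalRequests/xyzabc123",
     "requestTime": "2018-08-30T17:49:13.712Z",
     "requestedExpiration": "2018-09-04T17:49:13.540Z",
     "approve": {"approveTime": "2018-08-30T17:49:15.737Z",
                 "expireTime": "2018-09-04T17:49:13.540Z"}},
    {"name": "projects/123456/approvalRequests/pending001",
     "requestTime": "2018-09-01T10:00:00.000Z",
     "requestedExpiration": "2018-09-06T10:00:00.000Z"},
    {"name": "projects/123456/approvalRequests/dismissed001",
     "requestTime": "2018-08-20T10:00:00.000Z",
     "requestedExpiration": "2018-08-25T10:00:00.000Z",
     "dismiss": {"dismissTime": "2018-08-20T11:00:00.000Z"}},
]})

def parse_time(ts):
    """Parse the RFC 3339 UTC timestamps ('Z' suffix) used by the API."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def classify(request, now):
    """Map one approvalRequest to the Google access state it implies at `now`.

    Per the options table above, access is denied unless an approval exists
    and its expireTime has not yet passed.
    """
    if "approve" in request:
        expire = parse_time(request["approve"]["expireTime"])
        return "ACCESS_GRANTED" if now < expire else "APPROVAL_EXPIRED"
    if "dismiss" in request:  # assumed field name, mirroring "approve"
        return "DISMISSED"
    if now >= parse_time(request["requestedExpiration"]):
        return "EXPIRED_WITHOUT_ACTION"  # requester must open a new request
    return "PENDING"  # still awaiting a decision; access denied meanwhile

def access_report(response_json, now):
    """Return {request name: state} for a list response, e.g. for audit review."""
    reqs = json.loads(response_json).get("approvalRequests", [])
    return {r["name"]: classify(r, now) for r in reqs}
```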

What's next

  • Understand what Google actions are excluded from Access Approval notifications.