Approving Access Approval requests

Learn how to use Access Approval to approve access requests. Be sure you understand the Access Approval concepts in the Overview before you begin.

Before you begin

If you have not already, perform the following steps.

  1. In the GCP Console, go to the Manage resources page and create a project.

  2. Enable Access Transparency on the project you wish to apply it to.
  3. Contact Sales or Support, or request registration. To be eligible to use Access Approval, you must have Platinum or Enterprise support in place.
  4. Ensure that you have been granted the Access Approval Config Admin IAM role.
  5. Enable the Access Approval API. If you use a service account to enable the API, follow the directions for using a service account to authenticate with the gcloud command-line tool. The service name is accessapproval.googleapis.com.

Receiving notifications in Cloud Pub/Sub

There are two options for receiving Access Approval requests: email or Cloud Pub/Sub (or both at the same time). To receive access approval requests by email, follow the steps in the quickstart.

To use Cloud Pub/Sub, follow the steps below.

  1. Create a topic in Cloud Pub/Sub in the project that will be approving requests. You can have a single Cloud Pub/Sub topic that will receive requests for all projects, or separate Cloud Pub/Sub topics in each project.
  2. Using the Google Cloud Platform Console, grant the approval service account the Pub/Sub Publisher role on the Cloud Pub/Sub topic. The service account you need to grant the role to is customer-approval-jobs@system.gserviceaccount.com.
  3. Contact Google Cloud Support and provide the names of the Cloud Pub/Sub topics you have created and the project, folder, or organization IDs for which each topic should receive notifications.

Once this is complete, you will begin receiving messages in your Cloud Pub/Sub topic that correspond to access approval requests.

Sample access approval request (the JSON body carried in a Cloud Pub/Sub message):

{
  "name": "projects/123456/approvalRequests/xyzabc123",
  "requestedResourceName": "projects/123456",
  "requestedReason": {
    "detail": "Case number: bar123",
    "type": "CUSTOMER_INITIATED_SUPPORT"
  },
  "requestedLocations": {
    "principalOfficeCountry": "US",
    "principalPhysicalLocationCountry": "US"
  },
  "requestTime": "2018-08-28T19:07:12.286Z",
  "requestedExpiration": "2018-09-02T19:07:11.877Z"
}

Approving access approval requests

To approve an access approval request, follow these steps:

Granting appropriate IAM roles

  1. Go to the IAM settings page for your project.
  2. Grant whoever will perform approvals (either a service account or a human user) the IAM role Access Approvals Approver on the project, folder, or organization whose requests you want that principal to be able to approve.

Console

  1. Go to the Security section of the Google Cloud Platform Console and select Access Approval to bring up the panel with all your current approval requests.
    • You can also click the link in the email sent to you with the approval request to be taken to this page.
  2. To approve a request, press the Approve button. You can also dismiss the request, but this is optional: access stays denied even if you do not dismiss it.
  3. Once approved, the request enters the 'approved' state. Any Google employee whose access matches the approval (for example, same justification, same location, same desk location) can access the resource within the approved time frame. If the request is not approved, the Google employee's access is denied. Dismissing a request only removes it from your list of pending requests; if you do not dismiss it, access continues to be denied.

cURL

  1. Take the approvalRequest name from the Cloud Pub/Sub message.
  2. Make an API call to approve or dismiss that approvalRequest.

     # HTTP POST request with an empty body (the effect of using -d '')
     # service-account-credentials.json is obtained by going to the
     # IAM -> Service Accounts menu in the Cloud Console and creating
     # a service account.
     curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
       -d '' https://accessapproval.googleapis.com/v1beta1/projects/[PROJECT_ID]/approvalRequests/[APPROVAL_REQUEST_ID]:approve

  3. Once approved, the request enters the 'approved' state. Any Google employee whose access matches the approval (for example, same justification, same location, same desk location) can access the resource within the approved time frame.

  4. If the request is not approved, or is dismissed, the Google employee's access is denied.

The options you have for replying to a request include:

  :approve
    Effect: Approves the request.
    Google access state: Denied before approval, approved after approval.
  :dismiss
    Effect: Dismisses the request for approval. This is preferred over taking no action because it tells the Google employee that the request was dismissed, allowing for follow-up.
    Google access state: Denied before dismissal, denied after dismissal.
  No action
    Effect: Google employee access remains denied. The Google employee must open a new request to access the resource after the requestedExpiration time passes.
    Google access state: Denied while no action is taken, denied after the expiration time.
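An automated approver that consumes the Pub/Sub message above and chooses between :approve and :dismiss is shown here as an added example; it is not code from this documentation or the Access Approval product. The POLICY values, the parse_time and decide helpers, and the assumption that the message data has already been base64-decoded are all this example's own; the sample request is constructed from the one shown earlier.

```python
import json
from datetime import datetime, timedelta, timezone

API_BASE = "https://accessapproval.googleapis.com/v1beta1"

# Constructed approver policy (an assumption of this example, not a product feature):
# auto-approve only requests matching it; dismiss the rest so the requester is told to follow up.
POLICY = {
    "reason_types": {"CUSTOMER_INITIATED_SUPPORT"},
    "countries": {"US"},
    "max_window": timedelta(days=7),
}

def parse_time(value):
    # requestTime / requestedExpiration are RFC 3339 UTC strings, e.g. 2018-08-28T19:07:12.286Z
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp %r" % value)

def decide(request, policy=POLICY):
    """Return ("approve" | "dismiss", reason) for one approvalRequest dict."""
    reason_type = request.get("requestedReason", {}).get("type")
    if reason_type not in policy["reason_types"]:
        return "dismiss", "reason type %r is not auto-approvable" % reason_type
    locations = request.get("requestedLocations", {})
    for key in ("principalOfficeCountry", "principalPhysicalLocationCountry"):
        if locations.get(key) not in policy["countries"]:
            return "dismiss", "%s=%r is not an allowed country" % (key, locations.get(key))
    window = parse_time(request["requestedExpiration"]) - parse_time(request["requestTime"])
    if window > policy["max_window"]:
        return "dismiss", "requested window %s exceeds %s" % (window, policy["max_window"])
    return "approve", "request matches policy"

def handle_message(data):
    """data: JSON text of one Pub/Sub message (assumed decoded). Returns (action, reason, endpoint)."""
    request = json.loads(data)
    action, why = decide(request)
    return action, why, "%s/%s:%s" % (API_BASE, request["name"], action)

# Constructed sample message, modelled on the request shown above.
SAMPLE = json.dumps({
    "name": "projects/123456/approvalRequests/xyzabc123",
    "requestedReason": {"detail": "Case number: bar123", "type": "CUSTOMER_INITIATED_SUPPORT"},
    "requestedLocations": {"principalOfficeCountry": "US", "principalPhysicalLocationCountry": "US"},
    "requestTime": "2018-08-28T19:07:12.286Z",
    "requestedExpiration": "2018-09-02T19:07:11.877Z",
})
```

The returned endpoint is the same `...:approve` or `...:dismiss` URL used in the curl step; POST an empty body to it with the oauth2l header shown above.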

Listing historical approval requests

Console

This capability is not yet available in the Google Cloud Platform Console. You can see historical approvals in your Cloud Audit Logging by visiting Stackdriver Logging. You can filter by the Audited Resource accessapproval.googleapis.com if your project has audit logging enabled.

cURL

curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
    https://accessapproval.googleapis.com/v1beta1/projects/[PROJECT_ID]/approvalRequests?filter=ALL

By default, the API lists all unapproved requests plus approved, non-expired requests. The filter parameter changes this, for example to list all dismissed requests. See the API documentation for details.

You will receive a list of historical access approvals together with their status.

{
  "approvalRequests": [
    {
      "name": "projects/123456/approvalRequests/xyzabc123",
      "requestedResourceName": "projects/123456",
      "requestedReason": {
        "detail": "Case number: bar123",
        "type": "CUSTOMER_INITIATED_SUPPORT"
      },
      "requestedLocations": {
        "principalOfficeCountry": "US",
        "principalPhysicalLocationCountry": "US"
      },
      "requestTime": "2018-08-30T17:49:13.712Z",
      "requestedExpiration": "2018-09-04T17:49:13.540Z",
      "approve": {
        "approveTime": "2018-08-30T17:49:15.737Z",
        "expireTime": "2018-09-04T17:49:13.540Z"
      }
    }
  ]
}

What's next

  • Understand what Google actions are excluded from Access Approval notifications.