This page shows you how to set up Access Approval using the Google Cloud Platform Console to receive email notifications of access requests on a project.
Before you begin
In the GCP Console, on the project selector page, click Create to begin creating a new GCP project.
- Enable Access Transparency on the project you wish to apply it to.
- Contact Sales or Support, or request registration here. In order to be eligible to use Access Approval, you must have Platinum or Enterprise support in place.
- Ensure that you have been granted the Access Approval Config Admin IAM role.
- Enable the Access Approval API.
Setting up email notifications
Select Security and then Access Approval in the Google Cloud Platform Console. Go to the Access Approval page
On the top right hand corner of the panel is a button labelled Notifications. Use this panel to add users who you would like to receive notifications on your behalf.
Approving access approval requests
To approve an Access Approval request, follow these steps:
Go to the IAM section in the Google Cloud Platform Console for your project.
Grant whoever will be performing approvals for the project (either a service account or human user) the IAM role Access Approvals Approver on the project, folder, or organization that you would like the person to have the role for.
Under Security, go to Access Approval in the Google Cloud Platform Console to see all your current approval requests.
- You can also click the link in the email sent to you with the approval request to be taken to this page.
To approve a request, press the Approve button. You also have the option of dismissing the request, but this is optional; access continues to be denied even if you do not dismiss the request (subject to the bypass mechanisms detailed in the Overview. If you do not approve the access within 14 days, requests are automatically dismissed.
Once the request is approved the request will become 'approved'. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can make an access within the approved time frame.
If the request is not approved, the Google employee access will be denied. Dismissing the request only removes it from your list of pending requests, and if you fail to dismiss an approval request, access will continue to be denied.
To avoid incurring charges to your GCP account for the resources used in this quickstart:
Go Security and then Access Approval in the Google Cloud Platform Console.
Remove the users for whom you added notifications.
Remove the IAM role Access Approvals Approver for those users.
- Learn how to approve access requests.