Access Context Manager allows Google Cloud organization administrators to define fine-grained, attribute based access control for projects and resources in Google Cloud.
Access levels describe the necessary requirements for requests to be honored. Examples include:
- Device type and operating system
- IP address
- User identity
Service perimeters define sandboxes of resources which can freely exchange data within the perimeter, but are not allowed to export data outside of it. Access Context Manager isn't responsible for policy enforcement. Its purpose is to describe the desired rules. Policy is configured and enforced across various points, such as VPC Service Controls. You can read more about these services in their respective user guides.
Why Access Context Manager
Many companies rely on a perimeter security model — e.g., Firewalls — to secure internal resources. This model is similar to a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily guarded single point of entry and exit. Anything located outside the wall is considered dangerous. Anything inside is trusted.
Firewalls and the perimeter security model work well if there is a precise boundary around specific users and services. However, if a workforce is mobile, the variety of devices increases as users bring their own devices (BYOD) and utilize cloud-based services. This results in additional attack vectors not considered by the perimeter model. The perimeter is no longer just the physical location of the enterprise, and what lies inside cannot be assumed as safe.
Access Context Manager allows you to reduce the size of the privileged network and move to a model where endpoints do not carry ambient authority based on the network. Instead, you can grant access based on device type and user identity, while still checking for corporate network access when necessary.
Access Context Manager is an integral part of the BeyondCorp effort at Google. To learn more, see BeyondCorp.
Access Context Manager is an organization-wide feature. You create an access policy in the context of a project for quota purposes, but you can use the policy anywhere in your organization, not only that project.
An access policy is versioned using an
allows you to target changes to your access policy, such as modifications to
access levels, to a specific version of the policy. If your access
policy is being changed by multiple sources, using the
etag field for your
Access Context Manager
gcloud commands and API calls can ensure that no changes
are unexpectedly overwritten and that no unintended conflicts are introduced.
See the Quickstart to learn how to create an access policy.
An access level is a set of attributes assigned to requests based on their origin. Using information such as device type, IP address, or user identity, you can designate what level of access to grant. For example, you might assign a "High_Trust" level to connections from within your corporate network and "Medium_Trust" trust to external devices running approved operating systems.
Once you have defined access levels, enforcement services can use them to determine whether to honor a request. For example, you might specify that while many resources are available to "Medium_Trust," certain more sensitive resources require the "High_Trust" level. These checks are applied in addition to standard Cloud IAM policy.
Access levels are customizable; "High_Trust" and "Medium_Trust" are examples. You can specify multiple access levels as part of an access policy.
You can grant an access level based on the IP address of the originating request. The range of IPs to allow is specified in the form of a Classless Inter-Domain Routing (CIDR) block, which allows for simple, yet fine-grained control over the IPs allowed.
A single access level can contain multiple IP ranges.
See Creating an Access Level for Corporate Network Access to learn how to create an access level that only allows access to a specified range of IP addresses (for example, those within a corporate network).
Access Context Manager uses Endpoint Verification to gather information regarding user devices, including operating system and version. You can grant an access level based on this data; for example, you might decide to grant a more permissive access level to devices running the latest version of the primary operating system deployed at your company.
Read Creating an Access Level for User Devices for more information on how to grant an access level to certain devices.
In some scenarios, you may wish to grant an access level to specific entities. In this case, the identity of the caller determines whether the condition is met.
This scenario is often used in conjunction with Service Accounts and VPC Service Controls; for example, to enable a Cloud Function to access data protected by VPC Service Controls.
Identity-only access levels can only be created and managed with the
command line tool, not via the Google Cloud Platform Console.
Learn how to work with identities and access levels in Including Identities in Access Levels with Networks.
A single access level can contain multiple conditions. The conditions can be
evaluated using either the
OR operator. You can specify the mode when
creating or updating an access level.
AND case is the stricter (and default) option. It only grants the Access
Level if all conditions pass. For example, you might require a request come from
within the corporate network and from a device running a the latest
OR is a less restrictive option. It only requires one of many conditions to be
true. This is sometimes valuable when dealing with user identities; for example,
to exclude specific entities (such as Service Accounts) from the normal
Conditions can be nested such that one condition depends on another condition. For example, if you have two access levels, "Medium" and "High" trust, you can set the requirements for "High" to require "Medium," plus some other conditions.
Nesting conditions can make managing access levels more convenient. For example, imagine your most permissive access level contains a minimum operating system version, and you set your more restrictive levels to depend on it. Now if you update the minimum version in the future, you only have to update a single condition, rather than every access level in the policy.