Review and approve access requests using the Google-managed signing key
This document shows you how to set up Access Approval using the Google Cloud console to receive email notifications of access requests for a project.
Access Approval ensures that a cryptographically-signed approval is present for Google personnel to access your content stored on Google Cloud.
Before you begin
- Enable Access Transparency for your organization. For more information, see Enabling Access Transparency.
- Ensure that you have the
Access Approval Config Editor
(
roles/accessapproval.configEditor
) IAM role.
Enroll in Access Approval
To enroll in Access Approval, do the following:
In the Google Cloud console, select the project for which you want to enable Access Approval.
Go to the Access Approval page.
To enroll in Access Approval, click Enroll.
In the dialog box that opens, click Enroll.
Configure settings
On the Access Approval page in the Google Cloud console, click
Manage settings.
Select the services
By default, the services that require Access Approval are inherited from the project's parent resource. You can expand the scope of enrolment by selecting the option to automatically enable Access Approval for all the supported services.
Set up email and Pub/Sub notifications
This section explains how you can receive access request notifications for this project.
Grant yourself the required IAM role
To view and approve access requests, you must have the Access Approval Approver
(roles/accessapproval.approver
) IAM role.
To grant this IAM role to yourself, do the following:
- Go to the IAM page in the Google Cloud console.
- In the View by principals tab, click Grant access.
- In the New principals field in the right pane, enter your email address.
- Click the Select a role field, and select the Access Approval Approver role from the menu.
- Click Save.
Add yourself as an approver for Access Approval requests and configure notifications
To add yourself as an approver so you can review and approve access requests, do the following:
Go to the Access Approval page in the Google Cloud console.
Click
Manage settings.To enable email notifications, add your email address in the User or group email field under Set up approval notifications.
To enable Pub/Sub notifications, add your Pub/Sub topic in the Pub/Sub topic field under Set up approval notifications.
Select a Google-managed signing key
Access Approval uses a signing key to verify the integrity of the access approval.
Google-managed signing key is the default option. Using a Google-owned and managed key doesn't require any additional configuration.
Review Access Approval requests
Now that you have enrolled in Access Approval and added yourself as an approver for access requests, you can expect to receive email notifications for access requests.
The following image shows a sample email notification that Access Approval sends when Google personnel request access to customer content.
To review and approve an incoming access request, do the following:
Go to the Access Approval page in the Google Cloud console.
To be taken to this page, you can also click the link in the email sent to you with the approval request.
Click Approve.
After you approve the request, Google personnel with characteristics matching the approval, such as, same justification, location, or desk location can access the specified resource and its child resources within the approved time frame.
Clean up
-
To unenroll from Access Approval, do the following:
- On the Access Approval page in the Google Cloud console, click Manage settings.
- Click Unenroll.
- In the dialog that opens, click Unenroll.
- To disable Access Transparency for your organization, contact Cloud Customer Care.
No additional steps are required to avoid incurring charges to your account.
What's next
- Learn about the anatomy of an access request.
- Learn how to approve Access Approval requests.
- Learn how to view historical Access Approval requests.