Justification reason codes

This page provides the list of justifications that can be used to request access to your encryption keys.

Reason	Description
`CUSTOMER_INITIATED_ACCESS`	Customer uses their account to perform any access to their own data which their IAM policy authorizes. These accesses include operations that are executed indirectly on behalf of or in response to customer resource activity, such as logging.
`MODIFIED_CUSTOMER_INITIATED_ACCESS`	Customer uses their account to perform any access to their own data which their IAM policy authorizes. These accesses include operations that are executed indirectly on behalf of or in response to customer resource activity, such as logging. At the same time, one of the following is true: A Google administrator has reset the root-access account associated with the user's organization within the past 7 days. A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.
`GOOGLE_INITIATED_SYSTEM_OPERATION`	Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer. These accesses can be for indexing, structuring, precomputation, hashing, sharding and caching customer data. This also includes backing up data for disaster recovery or data integrity reasons, and detecting errors that the backup data could remedy. Certain operations such as key health checks are initiated by Google systems in direct response to customer resource activity but can generate a `GOOGLE_INITIATED_SYSTEM_OPERATION` justification due to the architecture of the systems involved. Key accesses with this justification are always in service of a customer workload. Where the customer has delegated a managed control plane operation to Google, such as the creation of a managed instance group, all managed operations will show as system operations. Services such as the managed instance group manager that trigger downstream decryption operations do not have access to clear-text customer data.
`MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION`	Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer. These accesses can be for indexing, structuring, precomputation, hashing, sharding and caching customer data. This also includes backing up data for disaster recovery or data integrity reasons, and detecting errors that the backup data could remedy. Certain operations such as key health checks are initiated by Google systems in direct response to customer resource activity but can generate a `GOOGLE_INITIATED_SYSTEM_OPERATION` justification due to the architecture of the systems involved. Key accesses with this justification are always in service of a customer workload. At the same time, one of the following is true: A Google administrator has reset the root-access account associated with the user's organization within the past 7 days. A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days. Where the customer has delegated a managed control plane operation to Google, such as the creation of a managed instance group, all managed operations show as system operations. Services such as the managed instance group manager that trigger downstream decryption operations do not have access to clear-text customer data.
`REASON_NOT_EXPECTED`	No reason is expected for this key request due to there being at least on service involved in servicing the request which has one of the following characteristics: The service has never integrated with Key Access Justifications. The service has partially integrated with Key Access Justifications but this integration is still in Preview. Portions of such services might not be completely integrated with Key Access Justifications, which can lead to justifications not being producible. While a `REASON_NOT_EXPECTED` justification carries the aforementioned meaning, services which have not yet reached the GA status for their Key Access Justifications integration might also generate other justifications including `REASON_UNSPECIFIED`. Google makes no guarantees regarding the justifications generated while using services which are not Key Access Justifications GA.
`CUSTOMER_INITIATED_SUPPORT`	Customer-initiated support, for example, "Case Number: ####".
`GOOGLE_INITIATED_SERVICE`	Refers to Google-initiated access for system management and troubleshooting. Google personnel can make this type of access for the following reasons: To perform technical debugging needed for a complex support request or investigation. To remediate technical issues, such as storage failure or data corruption.
`THIRD_PARTY_DATA_REQUEST`	Google-initiated access in response to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own data.
`GOOGLE_INITIATED_REVIEW`	Google-initiated access for security, fraud, abuse, or compliance purposes, including: Ensuring the safety and security of customer accounts and data. Confirming whether data is affected by an event that might impact account security (for example, malware infections). Confirming whether customer is using Google services in compliance with Google Terms of Service. Investigating complaints by other users and customers, or other signals of abusive activity. Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations).
`GOOGLE_RESPONSE_TO_PRODUCTION_ALERT`	Refers to Google-initiated access to maintain system reliability. Google personnel can make this type of access for the following reasons: To investigate and confirm that a suspected service outage doesn't affect the customer. To ensure backup and recovery from outages and system failures.
`REASON_UNSPECIFIED`	You have Key Access Justifications enabled but no justification is available for this request. The reason could be a transient error, a bug, or some other circumstance. Due to the specific justification display implementations of various logging systems provided by Google Cloud and certain EKM providers, the `REASON_UNSPECIFIED` justification might be represented as an empty string. If a justification field is present in a request log but no justification is displayed, this should be interpreted as having received a `REASON_UNSPECIFIED` justification.
`CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING`	One of the following operations is being executed while simultaneously encountering an internal technical issue which prevented a more precise justification code from being generated: Your account has been used to perform any access to your own data which your IAM policy authorizes. An automated Google system operates on encrypted customer data which your IAM policy authorizes. Customer-initiated Google support access. Google-initiated support access to protect system reliability. When such an internal technical issue is encountered, Google will immediately work to remediate the situation and return the involved systems to a state where other more precise justification codes will be generated. To reduce operational risk of an outage resulting from the denial of a request with `CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING` justification, Google recommends that you allow `CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING` in your Key Access Justifications policies.
No justification field present	Key Access Justifications isn't enabled for you.

What's next

Learn how to view and act on justifications.