This page explains how to enforce certificate-based access (CBA) using context-aware access policies that are based on a user group.
You can restrict access to all Google Cloud services by binding a CBA access level to a user group that you want to restrict access to. This restriction applies to all client applications that call the Google Cloud APIs.
Optionally, you can apply the restrictions to specific client applications or exempt specific applications. The applications include both third-party applications and first-party applications built by Google, such as Cloud Console for the Google Cloud console and Google Cloud SDK for the Google Cloud CLI.
Before you begin
Ensure that you have created a CBA access level that requires certificates when determining access to resources.
Create a user group
Create a user group containing the members that should be granted access based on the CBA access level.
Assign the Cloud Access Binding Admin role
Assign the Cloud Access Binding Admin role to the user group.
Ensure that you are authorized with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin and the Cloud Access Binding Admin roles.
Console
In the console, go to the IAM page.
On the Permissions tab, click Grant access, and then configure the following:
- New principals: Specify the group to which you want to grant the role.
- In the Select a role option, select Access Context Manager > Cloud Access Binding Admin.
- Click Save.
gcloud
Sign in:
gcloud auth login
Assign the GcpAccessAdmin role by running the following command:
gcloud organizations add-iam-policy-binding ORG_ID \
  --member=user:EMAIL \
  --role=roles/accesscontextmanager.gcpAccessAdmin
ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:
gcloud organizations list
EMAIL is the email address of the person or group you want to grant the role to. When granting the role to a group, use the group:EMAIL member prefix instead of user:EMAIL.
Bind a CBA access level to a user group
In this binding option, the CBA access level applies to all of the client applications for the user group that you specify.
In the console, go to the Chrome Enterprise Premium page.
Choose an organization, and then click Select.
Click Manage access to choose the user groups that should have access.
Click Add and then configure the following:
- Member groups: Specify the group to which you want to grant access. You can only select groups that are not already bound to an access level.
- Select access levels: Select the CBA access level to apply to the group.
- Click Save.
Bind a CBA access level to a user group and specific applications
In some use cases, such as applications that support client certificates, binding a CBA access level to a user group might be too broad. You can use this option to apply CBA access levels to applications that support client certificates.
The following example binds a CBA access level to the Google Cloud console, the gcloud CLI, and a user's OAuth application.
Log into the gcloud CLI:
gcloud auth application-default login
Create a policy_file.json file. You can specify applications using their OAuth client ID. To specify Google applications, use the application name, such as Cloud Console for the Google Cloud console. Only the Cloud Console and Google Cloud SDK Google applications are supported.
scopedAccessSettings:
  - scope:
      clientScope:
        restrictedClientApplication:
          name: Cloud Console
    activeSettings:
      accessLevels:
        - CBA_ACCESS_LEVEL
  - scope:
      clientScope:
        restrictedClientApplication:
          name: Google Cloud SDK
    activeSettings:
      accessLevels:
        - CBA_ACCESS_LEVEL
  - scope:
      clientScope:
        restrictedClientApplication:
          clientId: CLIENT_ID_1
    activeSettings:
      accessLevels:
        - CBA_ACCESS_LEVEL
Replace the following:
- CLIENT_ID_1: The OAuth client ID.
- CBA_ACCESS_LEVEL: A CBA access level name in the format accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME.
Create the CBA access level binding:
gcloud access-context-manager cloud-bindings create \
  --group-key='GROUP_KEY' \
  --organization='ORG_ID' \
  --binding-file=.../policy_file.json
Replace GROUP_KEY with the context-aware access group and ORG_ID with your organization ID. If you don't have the GROUP_KEY available, you can retrieve it by calling the get method on the group resource.
(Optional) Update an existing access level binding:
gcloud access-context-manager cloud-bindings update \
  --binding='BINDING_NAME' \
  --binding-file=.../policy_file.json
Replace BINDING_NAME with the binding name that was automatically generated when the binding was created.
Exempt an application from a binding
Another way to apply a CBA access level without blocking client applications that don't support client certificates is to exempt those applications from the policy.
The following steps assume that you have previously created a CBA access level that requires certificates when determining access to resources.
Create an exemption access level using one of the following methods.
- Custom access level: Provide true as the value in the CEL expression condition.
- Basic access level: Create an IP range-based access level by providing the IP subnetworks 0.0.0.0/0 and ::/0, which correspond to IPv4 and IPv6 respectively.
Create an exemption_file.json file.
scopedAccessSettings:
  - scope:
      clientScope:
        restrictedClientApplication:
          clientId: CLIENT_ID_2
    activeSettings:
      accessLevels:
        - EXEMPT_ACCESS_LEVEL
  - scope:
      clientScope:
        restrictedClientApplication:
          name: APPLICATION_NAME_2
    activeSettings:
      accessLevels:
        - EXEMPT_ACCESS_LEVEL
Replace the following:
- CLIENT_ID_2: The OAuth client ID.
- APPLICATION_NAME_2: The application name.
- EXEMPT_ACCESS_LEVEL: An exemption access level name in the format accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME.
Create the exemption binding policy:
gcloud access-context-manager cloud-bindings create \
  --group-key='GROUP_KEY' \
  --organization='ORG_ID' \
  --binding-file=.../exemption_file.json
Replace GROUP_KEY with the context-aware access group and ORG_ID with your organization ID. If you don't have the GROUP_KEY available, you can retrieve it by calling the get method on the group resource.
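The policy_file.json and exemption_file.json documents above share one scopedAccessSettings structure, and a mistake in either (a Google application that is not Cloud Console or Google Cloud SDK, an access level that is not in accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME form, an entry with both a name and a clientId) silently produces a binding that does not enforce what you intended. The following added example, not part of this page or of the gcloud tooling, builds such a document for either the restriction or the exemption case and checks an existing one before it is passed to --binding-file; the policy ID, level names and client ID are constructed placeholders, and it assumes the emitted JSON is accepted wherever the page's YAML is.

```python
import json
import re

# Access level names must use the format documented on this page.
ACCESS_LEVEL_RE = re.compile(r"^accessPolicies/[^/]+/accessLevels/[^/]+$")
# Only these Google first-party applications may be referenced by name.
SUPPORTED_GOOGLE_APPS = {"Cloud Console", "Google Cloud SDK"}


def scoped_setting(access_level, name=None, client_id=None):
    """One scopedAccessSettings entry: a Google app (name) or an OAuth client (client_id)."""
    if (name is None) == (client_id is None):
        raise ValueError("specify exactly one of name or client_id")
    if name is not None and name not in SUPPORTED_GOOGLE_APPS:
        raise ValueError(f"unsupported Google application: {name!r}")
    if not ACCESS_LEVEL_RE.match(access_level):
        raise ValueError(f"access level not in accessPolicies/.../accessLevels/... form: {access_level!r}")
    app = {"name": name} if name is not None else {"clientId": client_id}
    return {
        "scope": {"clientScope": {"restrictedClientApplication": app}},
        "activeSettings": {"accessLevels": [access_level]},
    }


def build_binding_file(access_level, google_apps=(), client_ids=()):
    """Build the binding document as a dict; pass a CBA level to restrict, an exemption level to exempt."""
    settings = [scoped_setting(access_level, name=n) for n in google_apps]
    settings += [scoped_setting(access_level, client_id=c) for c in client_ids]
    return {"scopedAccessSettings": settings}


def check_binding_file(doc):
    """Return the problems found in an existing binding document (empty list when it is clean)."""
    problems = []
    for i, entry in enumerate(doc.get("scopedAccessSettings", [])):
        app = entry.get("scope", {}).get("clientScope", {}).get("restrictedClientApplication", {})
        if ("name" in app) == ("clientId" in app):
            problems.append(f"entry {i}: needs exactly one of name or clientId")
        if "name" in app and app["name"] not in SUPPORTED_GOOGLE_APPS:
            problems.append(f"entry {i}: unsupported Google application {app['name']!r}")
        levels = entry.get("activeSettings", {}).get("accessLevels", [])
        if not levels:
            problems.append(f"entry {i}: no accessLevels")
        problems += [f"entry {i}: bad access level {lvl!r}" for lvl in levels if not ACCESS_LEVEL_RE.match(lvl)]
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own policy ID, level name and client ID.
    cba = "accessPolicies/123456789/accessLevels/require_cert"
    doc = build_binding_file(cba, google_apps=["Cloud Console", "Google Cloud SDK"], client_ids=["EXAMPLE_CLIENT_ID"])
    print(json.dumps(doc, indent=2))
```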