Enforce certificate-based access for a user group

This page explains how to enforce certificate-based access (CBA) using context-aware access policies that are based on a user group.

You can restrict access to all Google Cloud services by binding a CBA access level to a user group that you want to restrict access to. This restriction applies to all client applications that call the Google Cloud APIs.

Optionally, you can apply the restrictions to specific client applications or exempt specific applications. The applications include both third-party applications and first-party applications built by Google, such as Cloud Console for the Google Cloud console and Google Cloud SDK for the Google Cloud CLI.

Before you begin

Ensure that you have created a CBA access level that requires certificates when determining access to resources.

Create a user group

Create a user group containing the members that should be granted access based on the CBA access level.

Assign the Cloud Access Binding Admin role

Assign the Cloud Access Binding Admin role to the user group.

Ensure that you are authorized with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin and the Cloud Access Binding Admin roles.

Console

  1. In the console, go to the IAM page.

  2. On the Permissions tab, click Grant access, and then configure the following:

    1. New principals: Specify the group to which you want to grant the role.
    2. In the Select a role option, select Access Context Manager > Cloud Access Binding Admin.
    3. Click Save.

gcloud

  1. Sign in:

    gcloud auth login
    
  2. Assign the Cloud Access Binding Admin role (roles/accesscontextmanager.gcpAccessAdmin) by running the following command:

    gcloud organizations add-iam-policy-binding ORG_ID \
      --member=user:EMAIL \
      --role=roles/accesscontextmanager.gcpAccessAdmin
    
    • ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:

       gcloud organizations list
      
    • EMAIL is the email address of the person or group you want to grant the role to. When EMAIL is a group address, use the group: member prefix (--member=group:EMAIL) instead of user:.

Bind a CBA access level to a user group

In this binding option, the CBA access level applies to all of the client applications for the user group that you specify.

  1. In the console, go to the Chrome Enterprise Premium page.

  2. Choose an organization, and then click Select.

  3. Click Manage access to choose the user groups that should have access.

  4. Click Add and then configure the following:

    1. Member groups: Specify the group to which you want to grant access. You can only select groups that are not already bound to an access level.
    2. Select access levels: Select the CBA access level to apply to the group.
    3. Click Save.

Bind a CBA access level to a user group and specific applications

Binding a CBA access level to an entire user group can be too broad when only some of that group's client applications support client certificates. You can use this option to apply CBA access levels only to the applications that support client certificates.

The following example binds a CBA access level to the Google Cloud console, the gcloud CLI, and a user's OAuth application.

  1. Log in to the gcloud CLI.

    gcloud auth application-default login
    
  2. Create a policy_file.json file.

    You can specify third-party applications using their OAuth client ID. To specify Google applications, use the application name, such as Cloud Console for the Google Cloud console. Only two Google applications can be referenced by name: Cloud Console and Google Cloud SDK.

    scopedAccessSettings:
    - scope:
        clientScope:
          restrictedClientApplication:
            name: Cloud Console
      activeSettings:
        accessLevels:
        - CBA_ACCESS_LEVEL
    - scope:
        clientScope:
          restrictedClientApplication:
            name: Google Cloud SDK
      activeSettings:
        accessLevels:
        - CBA_ACCESS_LEVEL
    - scope:
        clientScope:
          restrictedClientApplication:
            clientId: CLIENT_ID_1
      activeSettings:
        accessLevels:
        - CBA_ACCESS_LEVEL
    

    Replace the following:

    • CLIENT_ID_1: The OAuth client ID.
    • CBA_ACCESS_LEVEL: A CBA access level name in the format accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME.

  3. Create the CBA access level binding.

    gcloud access-context-manager cloud-bindings create \
      --group-key='GROUP_KEY' \
      --organization='ORG_ID' \
      --binding-file=.../policy_file.json

    Replace GROUP_KEY with the context-aware access group and ORG_ID with your organization ID.

    If you don't have the GROUP_KEY available, you can retrieve it by calling the get method on the group resource.

  4. (Optional) Update an existing access level binding.

    gcloud access-context-manager cloud-bindings update \
      --binding='BINDING_NAME' \
      --binding-file=.../policy_file.json

    Replace BINDING_NAME with the binding name that was automatically generated when the binding was created.

Exempt an application from a binding

Another way to apply a CBA access level without blocking client applications that don't support client certificates is to exempt those applications from the policy.

The following steps assume that you have previously created a CBA access level that requires certificates when determining access to resources.

  1. Create an exemption access level using one of the following methods.

  2. Create an exemption_file.json file.

    scopedAccessSettings:
    - scope:
        clientScope:
          restrictedClientApplication:
            clientId: CLIENT_ID_2
      activeSettings:
        accessLevels:
        - EXEMPT_ACCESS_LEVEL
    - scope:
        clientScope:
          restrictedClientApplication:
            name: APPLICATION_NAME_2
      activeSettings:
        accessLevels:
        - EXEMPT_ACCESS_LEVEL
    

    Replace the following:

    • CLIENT_ID_2: The OAuth client ID.
    • APPLICATION_NAME_2: The application name.
    • EXEMPT_ACCESS_LEVEL: An exemption access level name in the format accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME.

  3. Create the exemption binding policy.

    gcloud access-context-manager cloud-bindings create \
      --group-key='GROUP_KEY' \
      --organization='ORG_ID' \
      --binding-file=.../exemption_file.json

    Replace GROUP_KEY with the context-aware access group and ORG_ID with your organization ID.

    If you don't have the GROUP_KEY available, you can retrieve it by calling the get method on the group resource.
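Both the application-scoped binding file and the exemption file above share one structure (scopedAccessSettings entries keyed by application name or OAuth client ID). The following added example, which is not part of Google's documentation or tooling, generates such a file and checks the two constraints the page states: access level names must match accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME, and only Cloud Console and Google Cloud SDK may be referenced by name. The sample access level and client ID values are constructed; the duplicate-application check is a local sanity check, not an API rule.

```python
import json
import re

# Format the page gives for an access level name.
ACCESS_LEVEL_RE = re.compile(r"^accessPolicies/[^/]+/accessLevels/[^/]+$")

# Only these Google-built applications can be referenced by name.
SUPPORTED_GOOGLE_APPS = {"Cloud Console", "Google Cloud SDK"}


def validate_access_level(level):
    """Return the name unchanged if it has the required format, else raise."""
    if not ACCESS_LEVEL_RE.match(level):
        raise ValueError(f"access level must look like "
                         f"accessPolicies/POLICY_ID/accessLevels/NAME: {level}")
    return level


def app_scope(app, access_levels):
    """Build one scopedAccessSettings entry.

    app is {"name": ...} for a Google application or
    {"clientId": ...} for a third-party OAuth client.
    """
    if set(app) == {"name"}:
        if app["name"] not in SUPPORTED_GOOGLE_APPS:
            raise ValueError(f"unsupported Google application: {app['name']}")
        restricted = {"name": app["name"]}
    elif set(app) == {"clientId"}:
        restricted = {"clientId": app["clientId"]}
    else:
        raise ValueError(f"application must have exactly one of name/clientId: {app}")
    return {
        "scope": {"clientScope": {"restrictedClientApplication": restricted}},
        "activeSettings": {
            "accessLevels": [validate_access_level(lv) for lv in access_levels]},
    }


def build_binding_file(apps, access_levels):
    """Return the binding document; rejects an application listed twice."""
    keys = [tuple(sorted(a.items())) for a in apps]
    if len(keys) != len(set(keys)):
        raise ValueError("an application is listed more than once")
    return {"scopedAccessSettings": [app_scope(a, access_levels) for a in apps]}


if __name__ == "__main__":
    # Constructed sample values; JSON output is also valid YAML for --binding-file.
    cba = "accessPolicies/123456789/accessLevels/require_client_cert"
    apps = [{"name": "Cloud Console"}, {"name": "Google Cloud SDK"},
            {"clientId": "000000-example.apps.googleusercontent.com"}]
    print(json.dumps(build_binding_file(apps, [cba]), indent=2))
```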