Securing the Google Cloud Console and the Google Cloud APIs

Context-aware access for the Cloud Console and the Google Cloud APIs restricts access to the Cloud Console and the Google Cloud APIs with context-based rules. It builds on top of the existing BeyondCorp Enterprise suite (Endpoint Verification and Access Context Manager) and helps ensure that individuals and groups within your organization who satisfy the defined access requirements are able to access the Cloud Console and the Google Cloud APIs (including via the gcloud command-line tool).

This feature can be set up with the following steps:

  1. [Optional] Deploy Endpoint Verification to devices in your organization.
  2. Create an access level in Access Context Manager.
  3. Create a group of users to be bound by BeyondCorp Enterprise restrictions.
  4. Obtain the required Identity and Access Management permissions.
  5. Create an access binding that enforces context-aware rules for the Cloud Console and the Google Cloud APIs.

[Optional] Deploying Endpoint Verification

Endpoint Verification allows you to build an inventory of devices that are accessing your organization's data. As part of a BeyondCorp Enterprise solution, it also provides critical device trust and security-based access control, and can help enforce fine-grained access control on your Google Cloud resources.

Endpoint Verification runs as a Chrome extension on desktops and laptops for users of Mac, Windows, and Linux. An admin can deploy it to the organization's company-owned devices from the Google Workspace Admin Console or members of the organization can install it themselves.

Creating an access level

You'll need to define an access level that will be used when determining access to the Cloud Console and the Google Cloud APIs by creating a basic access level in Access Context Manager.

Creating a group of users

Create a group of users that should be bound by context-aware restrictions. Any users in this group who are also members of your organization must satisfy the access level created earlier to access the Cloud Console and the Google Cloud APIs.

Granting the required IAM permissions

Grant the IAM permissions at the organization level that will be required to create Access Context Manager access bindings.

Console

  1. Go to the IAM & Admin page in the Cloud Console.
  2. Click Add and configure the following:

    • New members: Specify the user or group to which you want to grant the permissions.
    • Select a role: Select Access Context Manager > Cloud Access Binding Admin.
  3. Click Save.

gcloud

  1. Ensure that you are authenticated with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin role.

    Once you've confirmed you have the right permissions, log in with:

    gcloud auth login
    
  2. Assign the GcpAccessAdmin role by running the following command:

    gcloud organizations add-iam-policy-binding ORG_ID \
      --member=user:EMAIL \
      --role=roles/accesscontextmanager.gcpAccessAdmin
    
    • ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:

       gcloud organizations list
      
    • EMAIL is the email address of the person or group to whom you want to grant the role.

Creating an access binding

You can now create an access binding, which is a mapping between the group of users you created earlier and the Access Context Manager access level you defined for accessing the Cloud Console and Google Cloud APIs.

Console

  1. Go to the BeyondCorp Enterprise page in the Cloud Console.
  2. Choose an organization and click Select.

  3. Click Manage access to choose which user groups should have access.

  4. Click Add and configure the following:

    • Member groups: Specify the group to which you want to grant access. Only groups not already bound to an access level are available to be selected.
    • Select access levels: Choose the access level that should be applied to the group.
  5. Click Save.

gcloud

You can refer to the Cloud SDK for more information on this and other gcloud access-context-manager cloud-bindings commands, including additional flag options.

    gcloud access-context-manager cloud-bindings create \
        --group-key GROUP_ID \
        --level ACCESS_LEVEL \
        --organization ORG_ID

  • Replace GROUP_ID with the Group ID for the group of users you created earlier.

  • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

  • If the access-context-manager/organization property hasn't been preset, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.

API

  1. Craft a request body:

    {
      "groupKey": "GROUP_ID",
      "accessLevels": [ "ACCESS_LEVEL" ]
    }
    
    • Replace GROUP_ID with the Group ID for the group of users you created earlier.

    • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

  2. Create the access binding by calling the gcpUserAccessBindings endpoint, replacing ORG_ID with the ID for the organization that you used when creating the GcpAccessAdmin role:

    POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
    

    This returns a GcpUserAccessBinding resource as a response, which is formatted as:

    {
      // Unique name for the access binding, in the form
      // "organizations/ORG_ID/gcpUserAccessBindings/BINDING_ID"
      name: string,
    
      // Unique Group ID.
      group_key: string,
    
      // The access level that users of the group must satisfy, in the form
      // "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
      access_levels: [ string ]
    }
    

Verifying success

Once the access bindings have been set up for a group of users, access to the Cloud Console and Google Cloud APIs should be controlled based on satisfaction of the bound access level.

You can verify that the binding was created successfully, edit it, or delete it.

Console

After you've created an access binding, all access bindings for the organization are displayed and can be edited or deleted as required.

gcloud

  • To view all the access bindings in an organization:

    gcloud access-context-manager cloud-bindings list \
        --organization ORG_ID
    

    If the access-context-manager/organization property hasn't been preset, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.

  • To modify an access binding, such as to change the access level:

    gcloud access-context-manager cloud-bindings update \
        --binding ACCESS_BINDING \
        --level ACCESS_LEVEL
    

    Replace ACCESS_BINDING with organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME, where ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role and ACCESS_BINDING_NAME is the unique string returned as the name identifier when the access binding was created.

    The value for ACCESS_LEVEL should be formatted as when the binding was created for the resource.

  • To delete a particular access binding:

    gcloud access-context-manager cloud-bindings delete \
        --binding ACCESS_BINDING
    

    Format the value for ACCESS_BINDING in the same manner as described for modifying an access binding.

API

  • To view all the access bindings in an organization:

    GET https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
    

    This returns a list of GcpUserAccessBinding resources.

  • To modify an access binding, such as to change the access level, craft a request body that defines the change and then call the endpoint with the name of the resource:

    {
      "accessLevels": [ "ACCESS_LEVEL" ]
    }
    

    Format the value for ACCESS_LEVEL as when the binding was created for the resource.

    PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels
    

    Replace ACCESS_BINDING_NAME with the unique string returned for the name identifier when the access binding was created.

  • To delete a particular GcpUserAccessBinding resource, call the endpoint with the name of the resource:

    DELETE https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME
    

    Replace ACCESS_BINDING_NAME with the unique string returned for the name identifier when the access binding was created.
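The create, list, modify and delete calls from the two API sections above, wrapped as an added Python example (not part of this page and not a Google client library): each builder checks the documented ACCESS_LEVEL and ACCESS_BINDING name formats before producing the method, URL and body, and a small helper covers the verification step against a list response. Assumption: binding resources in the list response carry groupKey/accessLevels (camelCase, as in the request body) or the snake_case names shown in the response format above; the example accepts both.

```python
"""Added example: build and check GcpUserAccessBinding API calls offline."""
import re

BASE = "https://accesscontextmanager.googleapis.com/v1"
# Resource-name formats as documented on this page.
ACCESS_LEVEL_RE = re.compile(r"accessPolicies/[^/]+/accessLevels/[^/]+")
BINDING_RE = re.compile(r"organizations/[^/]+/gcpUserAccessBindings/[^/]+")


def _check(pattern, value, what):
    """Refuse to build a request with a malformed resource name."""
    if not pattern.fullmatch(value):
        raise ValueError(f"{what} must look like {pattern.pattern}, got {value!r}")
    return value


def create_request(org_id, group_id, access_level):
    """POST .../organizations/ORG_ID/gcpUserAccessBindings with the documented body."""
    body = {"groupKey": group_id,
            "accessLevels": [_check(ACCESS_LEVEL_RE, access_level, "ACCESS_LEVEL")]}
    return "POST", f"{BASE}/organizations/{org_id}/gcpUserAccessBindings", body


def list_request(org_id):
    """GET all bindings in the organization (send with a bearer token)."""
    return "GET", f"{BASE}/organizations/{org_id}/gcpUserAccessBindings", None


def update_request(binding_name, access_level):
    """PATCH the binding; update_mask limits the change to access_levels."""
    _check(BINDING_RE, binding_name, "ACCESS_BINDING")
    body = {"accessLevels": [_check(ACCESS_LEVEL_RE, access_level, "ACCESS_LEVEL")]}
    return "PATCH", f"{BASE}/{binding_name}?update_mask=access_levels", body


def delete_request(binding_name):
    """DELETE the binding by its full resource name."""
    _check(BINDING_RE, binding_name, "ACCESS_BINDING")
    return "DELETE", f"{BASE}/{binding_name}", None


def bound_levels(bindings, group_id):
    """Verification step: access levels bound to group_id, or None if it is unbound.
    Assumption: bindings use groupKey/accessLevels (camelCase, as in the request
    body) or the snake_case names in the response format above; both accepted."""
    for b in bindings:
        if b.get("groupKey", b.get("group_key")) == group_id:
            return b.get("accessLevels", b.get("access_levels", []))
    return None
```

Each tuple can be sent with any HTTP client by adding an Authorization: Bearer header carrying a token such as the one printed by gcloud auth print-access-token.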

Frequently asked questions

  • How long does it take for a newly created access binding to take effect?

    It might take up to 24 hours.

  • What happens if I delete a group which has an access binding?

    The group and the binding are deleted and all users in the group are allowed access.

  • What happens if I delete the access level which is used in an access binding?

    The access level can never be satisfied and all users of the bound group are denied access.

  • What happens when a user is in multiple groups that have access bindings?

    The user only needs to satisfy the access level of one of those groups to gain access.

  • What about users who aren't part of my organization?

    Anyone not part of your organization, even if you've added them to the group of users that should be bound by context-aware restrictions, is not subject to the access binding.
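The FAQ answers above describe how bindings combine for one user. The following added Python model (constructed for this page, not the service's own logic) encodes those rules so that the case that fails open (a bound group is deleted) and the case that fails closed (a bound access level is deleted) can be compared side by side. All inputs are constructed; group and access-level names are placeholders.

```python
"""Added example: a model of the FAQ rules above, not the Google service itself."""


def access_allowed(user, org_members, group_members, bindings,
                   satisfied_levels, existing_levels):
    """Decide Console/API access for `user` under the documented rules.

    org_members:      users who belong to the organization
    group_members:    {group_id: set of users}; a deleted group has no entry
    bindings:         {group_id: access_level}; deleting a group deletes its binding
    satisfied_levels: access levels the user's current device/context satisfies
    existing_levels:  access levels that still exist in Access Context Manager
    """
    # Users outside the organization are not subject to access bindings.
    if user not in org_members:
        return True
    # Collect the access level of every bound group the user belongs to.
    required = [level for group, level in bindings.items()
                if user in group_members.get(group, set())]
    # No binding applies: nothing described on this page restricts the user.
    if not required:
        return True
    # Several bound groups: satisfying any one of their levels is enough.
    # A deleted access level can never be satisfied, so a user whose only
    # bound group points at it is denied.
    return any(level in existing_levels and level in satisfied_levels
               for level in required)
```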