Secure the Google Cloud console and the Google Cloud APIs

This document shows you how to secure the access to Google Cloud console and Google Cloud APIs by using the context-based rules.

Context-Aware Access for the Google Cloud console and the Google Cloud APIs restricts access to the Google Cloud console and the Google Cloud APIs with context-based rules. It is part of Chrome Enterprise Premium and helps to ensure that individuals and groups within your organization satisfying the defined access requirements are able to access the Google Cloud console and the Google Cloud APIs (including the access from the Google Cloud CLI).

To secure Google Cloud console and Google Cloud APIs, complete the following steps:

[Optional] Deploy Endpoint Verification to devices in your organization.
Create an access level in Access Context Manager.
Create a group of users to be bound by context-aware restrictions.
Obtain the required Identity and Access Management permissions.
Create an access binding that enforces context-aware rules for the Google Cloud console and the Google Cloud APIs.

[Optional] Deploy Endpoint Verification

If you want to secure the access to the Google Cloud console and Google Cloud APIs by using the device attributes, deploy Endpoint Verification to devices in your organization.

Endpoint Verification runs as a Chrome extension on desktops and laptops for users of MacOS, Windows, and Linux. An admin can deploy it to the organization's company-owned devices from the Google Admin console or members of the organization can install it themselves.

Create an access level

You need to define an access level that can be used when determining access to the Google Cloud console and the Google Cloud APIs by creating a basic access level in Access Context Manager.

Create a group of users

Create a group of users that should be bound by context-aware restrictions. Any users in this group who are also members of your organization must satisfy the access level that you created earlier to access the Google Cloud console and the Google Cloud APIs.

Grant the required IAM permissions

Grant the IAM permissions at the organization level that will be required to create Access Context Manager access bindings.

Console

Go to the IAM & Admin page in the Google Cloud console.

Go to IAM & Admin
Click Add and configure the following:
- New members: Specify the user or group you want to grant the permissions.
- Select a role: Select Access Context Manager > Cloud Access Binding Admin.
Click Save.

gcloud

Ensure that you are authenticated with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin role.

Once you've confirmed you have the right permissions, log in with:
```
gcloud auth login
```
Assign the GcpAccessAdmin role by running the following command:
```
gcloud organizations add-iam-policy-binding ORG_ID \
  --member=user:EMAIL \
  --role=roles/accesscontextmanager.gcpAccessAdmin
```
- ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:
```
 gcloud organizations list
```
- EMAIL is the email address of the person or group you want to grant the role.
Note: For read-only access to the bindings, you can assign the accesscontextmanager.gcpAccessReader role.

Create an access binding

An access binding is a mapping between the group of users that you created earlier and the Access Context Manager access level that you defined for accessing the Google Cloud console and Google Cloud APIs.

Access bindings let you define how user groups can access your Google Cloud APIs and applications. You can achieve this by linking a group of users to an access level, which defines the permissions and restrictions applied to the group's access to applications.

You can specify applications in access bindings using their OAuth Client ID. You can specify the following applications using their name:

Google Cloud console
Google Cloud SDK
Google Auth Library If you use the Application Default Credentials (ADC) generated by the gcloud CLI and you want to use the name, you must use the default client ID built into the gcloud CLI. You cannot provide a client ID file to the gcloud CLI.

You can create the following types of access bindings:

Bind user groups to access levels: Apply an access level globally to all client applications used by a specific user group. This is a broad approach suitable for scenarios where consistent access control is required across all applications.
Bind user groups to application-specific access levels: For more granular control, you can assign different access levels to specific applications for a user group. This prevents unintended restrictions by tailoring access based on the application's needs and sensitivity.
Bind user groups to access levels with dry run configuration: Before fully implementing access bindings, you can test the impact of your changes using a dry run configuration. This allows you to identify and address any potential issues before they affect users.

You can create the following types of access bindings with dry run configurations:
- Between a group and a dry run access level
- Between a group, a regular access level, and a dry run access level
- Between a group and a map of applications, each with regular and dry run access levels

Create an access binding with an access level

Console

Go to the Chrome Enterprise Premium page in the Google Cloud console.

Go to Chrome Enterprise Premium
Choose an organization and click Select.
Click Manage access to choose which user groups should have access.
Click Add and configure the following:
- Member groups: Specify the group you want to grant access. Only groups not already bound to an access level are available to be selected.
- Select access levels: Choose the access level that should be applied to the group.
Click Save.

gcloud

You can refer to the Google Cloud CLI for more information on this and other gcloud access-context-manager cloud-bindings commands, including additional flag options.

 gcloud access-context-manager cloud-bindings create \
    --group-key GROUP_ID \
    --level ACCESS_LEVEL \
    --organization ORG_ID

Where:

GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
POLICY_ID is the ID of your organization's access policy.
ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

API

Before using any of the request data, make the following replacements:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
POLICY_ID is the ID of your organization's access policy.
ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

HTTP method and URL:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Request JSON body:

{
  "groupKey": "GROUP_ID",
  "accessLevels": [ "ACCESS_LEVEL" ],
}

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:


{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "accessLevels": [
    "accessPolicies/305009197125/accessLevels/device_lock"
  ]
}

Create an access binding with a map of applications to access levels

Binding with a map of applications to access levels lets you apply access levels to specific applications, avoiding unintended effects on other applications. This type of binding supports the following types of use cases:

Restrict access to select applications: Apply access levels to specific applications without affecting other applications.

Example: You want to implement certificate-based access (mTLS) for the Google Cloud APIs, starting with the Google Cloud console. You can create a binding that applies mTLS only to the Google Cloud console, leaving other applications unaffected. Later, you can expand this to other applications as needed, using dry runs and audit logs to guide your decisions.
Exempt applications from global policies: Exclude specific applications from broadly applied access levels.

Example: Your organization implements an IP-based access policy for all Google Cloud APIs. However, this causes issues for two Docker applications. You can create exemptions for the Docker applications, allowing them to bypass the global IP restrictions.

Create an access binding that restricts client applications

gcloud

Create an access binding.

gcloud access-context-manager cloud-bindings create \
 --organization ORG_ID \
 --group-key GROUP_ID \
 --binding-file BINDING_FILE_PATH

Replace the following:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
BINDING_FILE_PATH is the path to the YAML file that contains the access binding scheme. The binding file supports only scopedAccessSettings.

Following is an example binding file that binds the Google Cloud console, and a user's OAuth application to two distinct access levels.

  scopedAccessSettings:
  - scope:
     clientScope:
       restrictedClientApplication:
         name: Cloud Console
    activeSettings:
      accessLevels:
      - ACCESS_LEVEL_1
  - scope:
     clientScope:
       restrictedClientApplication:
         client_id: CLIENT_ID
     activeSettings:
       accessLevels:
       - ACCESS_LEVEL_2

Replace the following:

ACCESS_LEVEL_1 An access level that defines the access condition to a client application.
CLIENT_ID The OAuth client ID of the application.
ACCESS_LEVEL_2 An access level that defines the access condition to a client application.

API

Before using any of the request data, make the following replacements:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
CLIENT_ID The OAuth client ID of the application.
ACCESS_LEVEL_1 An access level that defines the access condition to a client application.
ACCESS_LEVEL_2 An access level that defines the access condition to a client application.

HTTP method and URL:

POST
https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

The following request JSON body binds the Google Cloud console and a user's OAuth application to two distinct access levels.

{
     "group_key": "{GROUP_ID}",
     "scoped_access_settings": [
        {
            "scope": {
              "client_scope": {
                  "restricted_client_application": {
                      "name": "Cloud Console"
                  }
              }
          },
          "active_settings": {
              "access_levels": [
                 {ACCESS_LEVEL_1}
              ]
          }
      },
      {
          "scope": {
              "client_scope": {
                  "restricted_client_application": {
                      "client_id": "{CLIENT_ID}"
                  }
              }
          },
            "active_settings": {
              "access_levels": [
                  "{ACCESS_LEVEL_2}"
              ]
          }
      }
  ]
}

To send your request, choose one of the following options:

curl

The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and run the following command:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

You should receive a JSON response similar to the following:

{
"name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
"groupKey": "045jfvxd0ybeul8",
"accessLevels": [
 "accessPolicies/305009197125/accessLevels/device_lock"
]
}

PowerShell

The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and run the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
 -Method POST `
 -Headers $headers `
 -ContentType: "application/json; charset=utf-8" `
 -InFile request.json `
 -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
"name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
"groupKey": "045jfvxd0ybeul8",
"accessLevels": [
 "accessPolicies/305009197125/accessLevels/device_lock"
]
}

You should receive a JSON response similar to the following:

{
  "name": "organizations/660620010374/gcpUserAccessBindings/aAQS-YRQXEDW8mJ4tE5U7VIDwBczxhxwtfUaDkUDLBKBIPvzH",
  "groupKey": "019c6y182grvb0j",
  "scopedAccessSettings": [
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "name": "Cloud Console"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/244346580249/accessLevels/requireMutualTLS"
        ]
      }
    },
    {
      "scope": {
        "clientScope": {
          "restrictedClientApplication": {
            "clientId": "32555940559.apps.googleusercontent.com"
          }
        }
      },
      "activeSettings": {
        "accessLevels": [
          "accessPolicies/244346580249/accessLevels/requireMutualTLS"
        ]
      }
    }
  ]
}

Create an access binding that exempts client applications

gcloud

Create an access binding.

gcloud access-context-manager cloud-bindings create \
--organization {ORG_ID} \
--group-key {GROUP_ID} \
--level {ACCESS_LEVEL} \
--binding-file {BINDING_FILE_PATH}

Replace the following:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level. This access level defines the access condition that is globally applied to all of the client applications.
BINDING_FILE_PATH is the path to the YAML file that contains the access binding scheme. The binding file supports only scopedAccessSettings. For the exemption use case, this binding file contains the applications exempted from the access level.

Following is an example binding file that binds the Google Cloud console and a user's OAuth application to two distinct access levels.

scopedAccessSettings:
- scope:
   clientScope:
     restrictedClientApplication:
       name: Cloud Console
  activeSettings:
    accessLevels:
    - {EXEMPTION_ACCESS_LEVEL}
- scope:
   clientScope:
     restrictedClientApplication:
       client_id: {CLIENT_ID}
   activeSettings:
     accessLevels:
     - {EXEMPTION_ACCESS_LEVEL}

Replace the following:

EXEMPTION_ACCESS_LEVEL You can create an exemption access level in one of the following ways:
- Create a custom access level and provide true as the value in the CEL expression condition.
- Create an IP range-based basic access level and provide 0.0.0.0/0 as the value for IP subnetworks.
CLIENT_ID The OAuth client ID of the application.

API

Before using any of the request data, make the following replacements:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
ACCESS_LEVEL: An access level that defines the access condition that is globally applied to all of the client applications.
EXEMPTION_ACCESS_LEVEL You can create an exemption access level in one of the following ways:
- Create a custom access level and provide true as the value in the CEL expression condition.
- Create an IP range-based basic access level and provide 0.0.0.0/0 as the value for IP subnetworks.
CLIENT_ID The OAuth client ID of the application.

HTTP method and URL:

POST
https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

The following request JSON body exempts the Google Cloud console and a user's OAuth application from the globally applied access level.

{
    "group_key": "{GROUP_ID}",
    "access_levels": [
       {ACCESS_LEVEL}
    ],
    "scoped_access_settings": [
        {
            "scope": {
                "client_scope": {
                    "restricted_client_application": {
                        "name": "Cloud Console"
                    }
                }
            },
            "active_settings": {
                "access_levels": [
                   {EXEMPTION_ACCESS_LEVEL}
                ]
            }
        },
        {
            "scope": {
                "client_scope": {
                    "restricted_client_application": {
                        "client_id": "{CLIENT_ID}"
                    }
                }
            },
            "active_settings": {
                "access_levels": [
                    "{EXEMPTION_ACCESS_LEVEL}"
                ]
            }
        }
    ]
}

To send your request, choose one of the following options:

curl

Save the request body in a file named request.json, and run the following command:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

You should receive a JSON response similar to the following:

{
"name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
"groupKey": "045jfvxd0ybeul8",
"accessLevels": [
 "accessPolicies/305009197125/accessLevels/device_lock"
]
}

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
 -Method POST `
 -Headers $headers `
 -ContentType: "application/json; charset=utf-8" `
 -InFile request.json `
 -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
"name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
"groupKey": "045jfvxd0ybeul8",
"accessLevels": [
 "accessPolicies/305009197125/accessLevels/device_lock"
]
}

You should receive a JSON response similar to the following:

  {
      "name": "organizations/660620010374/gcpUserAccessBindings/aAQS-YRQXEDW8mJ4tE5U7VIDwBczxhxwtfUaDkUDLBKBIPvzH",
      "groupKey": "019c6y182grvb0j",
      "accessLevels": [
        "accessPolicies/244346580249/accessLevels/requireMutualTLS"
      ],
      "scopedAccessSettings": [
        {
          "scope": {
            "clientScope": {
              "restrictedClientApplication": {
                "name": "Cloud Console"
              }
            }
          },
          "activeSettings": {
            "accessLevels": [
              "accessPolicies/244346580249/accessLevels/AlwaysTrue"
            ]
          }
        },
        {
          "scope": {
            "clientScope": {
              "restrictedClientApplication": {
                "clientId": "32555940559.apps.googleusercontent.com"
              }
            }
          },
          "activeSettings": {
            "accessLevels": [
              "accessPolicies/244346580249/accessLevels/AlwaysTrue"
            ]
          }
        }
      ]
  }
  ```

Create an access binding with dry run configuration

You can create an access binding with dry run configuration to understand the impact of the access levels in your environment in the following scenarios:

To evaluate the impact of an access level before enforcing it, create an access binding with a dry run access level.
To enforce an access level and evaluate the impact of a dry run access level at the same time, create an access binding with an active access level and with a dry run access level.

An access binding with a dry run access level does not prevent access, but logs the violations of the dry run access level. To view the log details, see the denial logs.

Create an access binding with a dry run access level

gcloud

    gcloud access-context-manager cloud-bindings create \
    --group-key GROUP_ID \
    --dry-run-level DRY_RUN_ACCESS_LEVEL \
    --organization ORG_ID

Where:

GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
POLICY_ID is the ID of your organization's access policy.
DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

API

Before using any of the request data, make the following replacements:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
POLICY_ID is the ID of your organization's access policy.
DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

HTTP method and URL:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Request JSON body:

{
  "groupKey": "GROUP_ID",
  "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:


{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",

  "dryRunAccessLevels": [
    "accessPolicies/305009197125/accessLevels/another"
  ]
}

Create an access binding with an access level and a dry run access level

gcloud

    gcloud access-context-manager cloud-bindings create \
    --group-key GROUP_ID \
    --level ACCESS_LEVEL \
    --dry-run-level DRY_RUN_ACCESS_LEVEL \
    --organization ORG_ID

Where:

GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
POLICY_ID is the ID of your organization's access policy.
ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

API

Before using any of the request data, make the following replacements:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
POLICY_ID is the ID of your organization's access policy.
ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

HTTP method and URL:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Request JSON body:

{
  "groupKey": "GROUP_ID",
  "accessLevels": [ "ACCESS_LEVEL" ],
  "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:


{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "accessLevels": [
    "accessPolicies/305009197125/accessLevels/device_lock"
  ],
  "dryRunAccessLevels": [
    "accessPolicies/305009197125/accessLevels/another"
  ]
}

Create an access binding with a map of applications to access levels and dry run access levels

gcloud

Create an access binding.

 gcloud access-context-manager cloud-bindings create \
  --organization ORG_ID \
  --group-key GROUP_ID \
  --binding-file BINDING_FILE_PATH

Replace the following:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
BINDING_FILE_PATH is the path to the YAML file that contains the access binding scheme. The binding file supports only scopedAccessSettings.

Following is an example binding file that binds the Google Cloud console and a user's OAuth application to an access level and a dry run access level.

scopedAccessSettings:
- scope:
   clientScope:
     restrictedClientApplication:
       name: Cloud Console
  activeSettings:
    accessLevels:
    - {ACCESS_LEVEL_1}
- scope:
   clientScope:
     restrictedClientApplication:
       client_id: {CLIENT_ID}
   dryRunSettings:
     accessLevels:
     - {ACCESS_LEVEL_2}

Replace the following:

ACCESS_LEVEL_1 An access level that defines the access condition to a client application.
CLIENT_ID The OAuth client ID of the application.
ACCESS_LEVEL_2 An access level that defines the access condition to a client application.

API

Before using any of the request data, make the following replacements:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
GROUP_ID is the Group ID for the group of users that you created earlier.
If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.
CLIENT_ID The OAuth client ID of the application.
ACCESS_LEVEL_1 An access level that defines the access condition to a client application.
ACCESS_LEVEL_2 An access level that defines the access condition to a client application.

HTTP method and URL:

POST
https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

The following request JSON body binds the Google Cloud console and a user's OAuth application to an access level and a dry run access level.

{
    "group_key": "{GROUP_ID}",
    "scoped_access_settings": [
        {
            "scope": {
                "client_scope": {
                    "restricted_client_application": {
                        "name": "Cloud Console"
                    }
                }
            },
            "active_settings": {
                "access_levels": [
                   {ACCESS_LEVEL_1}
                ]
            }
        },
        {
            "scope": {
                "client_scope": {
                    "restricted_client_application": {
                        "client_id": "{CLIENT_ID}"
                    }
                }
            },
            "dry_run_settings": {
                "access_levels": [
                    "{ACCESS_LEVEL_2}"
                ]
            }
        }
    ]
}

To send your request, choose one of the following options:

curl

Save the request body in a file named request.json, and run the following command:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

You should receive a JSON response similar to the following:

{
"name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
"groupKey": "045jfvxd0ybeul8",
"accessLevels": [
 "accessPolicies/305009197125/accessLevels/device_lock"
]
}

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
 -Method POST `
 -Headers $headers `
 -ContentType: "application/json; charset=utf-8" `
 -InFile request.json `
 -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
"name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
"groupKey": "045jfvxd0ybeul8",
"accessLevels": [
 "accessPolicies/305009197125/accessLevels/device_lock"
]
}

You should receive a JSON response similar to the following:

{
    "name": "organizations/660620010374/gcpUserAccessBindings/aAQS-YRQXEDW8mJ4tE5U7VIDwBczxhxwtfUaDkUDLBKBIPvzH",
    "groupKey": "019c6y182grvb0j",
    "scopedAccessSettings": [
      {
        "scope": {
          "clientScope": {
            "restrictedClientApplication": {
              "name": "Cloud Console"
            }
          }
        },
        "activeSettings": {
          "accessLevels": [
            "accessPolicies/244346580249/accessLevels/requireMutualTLS"
          ]
        }
      },
      {
        "scope": {
          "clientScope": {
            "restrictedClientApplication": {
              "clientId": "32555940559.apps.googleusercontent.com"
            }
          }
        },
        "dryRunSettings": {
          "accessLevels": [
            "accessPolicies/244346580249/accessLevels/requireMutualTLS"
          ]
        }
      }
    ]
}

View the denial logs

After you have created a dry run configuration, you can review logs to identify where the dry run configuration denies access.

The following table lists the log fields that you can use to create and run the query to get the logs:

Field name	Description
`protoPayload > authenticationInfo > principalEmail`	Email ID of the principal for which the access is denied.
`protoPayload > metadata > deniedApplications`	Name of the application for which the access is denied.
`protoPayload > metadata > evaluationResult`	The evaluation result of the active access policy. Possible values: `GRANTED` or `DENIED`.
`protoPayload > metadata > appliedAccessLevels`	The applied access levels required by the active access policy.
`protoPayload > metadata > appliedDryRunAccessLevels`	The applied access levels required by the dry run access policy.
`protoPayload > metadata > dryRunEvaluationResult`	The evaluation result of the dry run access policy, which indicates the intended action when the access policy is enforced. Possible values: `GRANTED` or `DENIED`.

For details about how to create query for logs, see Logging query language.

Console

In the Google Cloud console navigation menu, click Logging, and then click Logs Explorer.

Go to Logs Explorer

In the Query field, input a query filter like the following filter, and then click Run query.

severity="ERROR" AND
(protoPayload.metadata.evaluationResult=DENIED OR protoPayload.metadata.dryRunEvaluationResult=DENIED) AND
 protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.ContextAwareAccessAuditMetadata" AND
 protoPayload.metadata.deniedApplications.name="CLOUD_PLATFORM"

View the logs under Query results.

gcloud

To view logs using gcloud CLI, run a command like the following:

gcloud logging read 'severity="ERROR" AND
  (protoPayload.metadata.evaluationResult=DENIED OR protoPayload.metadata.dryRunEvaluationResult=DENIED) AND
   protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.ContextAwareAccessAuditMetadata" AND
   protoPayload.metadata.deniedApplications.name="CLOUD_PLATFORM"'

Manage access bindings

After the access bindings are created for a group of users, access to the Google Cloud console and Google Cloud APIs are controlled based on satisfaction of the bound access level.

You can view the details of the access binding that you created, edit it, or delete it.

View access bindings

Console

You can view all access bindings for the organization and view the details of an access binding.

gcloud

To view all access bindings, run the following command:
```
  gcloud access-context-manager cloud-bindings list \
   --organization ORG_ID
```
Where:

ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. . If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
To view the details of an access binding, run the following command:
```
  gcloud access-context-manager cloud-bindings describe \
  --binding=BINDING_ID
```
Where:

BINDING_ID is the ID of the access-binding or fully qualified identifier for the access binding.

API

View all access bindings:

Before using any of the request data, make the following replacements:
- ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.
HTTP method and URL:
```
GET https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
```
To send your request, choose one of these options:
curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"
PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
```
{
  "name": string,
  "groupKey": string,
  "accessLevels": [
    string
  ]
  "dryRunAccessLevels": [
  string
  ]
}
```
View the details of an access binding:

HTTP method and URL:
```
GET https://accesscontextmanager.googleapis.com/v1/BINDING_ID
```
To send your request, choose one of these options:
curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://accesscontextmanager.googleapis.com/v1/BINDING_ID"
PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://accesscontextmanager.googleapis.com/v1/BINDING_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
```
{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "accessLevels": [
    "accessPolicies/305009197125/accessLevels/device_lock"
  ],
  "dryRunAccessLevels": [
    "accessPolicies/305009197125/accessLevels/another"
  ]
}
```

Update access bindings

Console

You can update an access binding as required.

gcloud

To update an access binding, such as to change the access level, run the following command:
```
  gcloud access-context-manager cloud-bindings update \
     --binding ACCESS_BINDING \
     --level ACCESS_LEVEL
```
Where:
- ACCESS_BINDING is in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
- ORG_ID is the ID for the organization that you used when creating the GcpAccessAdmin role.
- ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
- Replace the value for ACCESS_LEVEL as needed. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
To update an access binding with a dry run access level, run the following command:
```
 gcloud access-context-manager cloud-bindings update --binding=ACCESS_BINDING
  --dry-run-level=DRY_RUN_ACCESS_LEVEL
```
Replace the value for DRY_RUN_ACCESS_LEVEL as needed. It is in the form accessPolicies/POLICY_ID/accessLevels/DRY_ACCESS_LEVEL_NAME.
To update an access binding and change both access level and dry run access level, run the following command:
```
 gcloud access-context-manager cloud-bindings update --binding=ACCESS_BINDING
 --level=`ACCESS_LEVEL`
 --dry-run-level=DRY_RUN_ACCESS_LEVEL
```
Replace the value for ACCESS_LEVEL and DRY_RUN_ACCESS_LEVEL as needed. ACCESS_LEVEL and DRY_RUN_ACCESS_LEVEL are in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME and DRY_RUN_ACCESS_LEVEL is the same as ACCESS_LEVEL.
To remove a dry run access level from an access binding, run the following command:

Note: For an access binding, you cannot remove the access level and dry run access level cannot be empty at the same time.
```
  gcloud access-context-manager cloud-bindings update --binding=ACCESS_BINDING
  --dry-run-level=
```

API

Update an access binding, such as to change the access level:

Before using any of the request data, make the following replacements:
- ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
- ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
HTTP method and URL:
```
PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels
```
Request JSON body:
```
{
    "accessLevels": [ "ACCESS_LEVEL" ]
}
```
To send your request, choose one of these options:
curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels"
PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
```
{
    "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
    "groupKey": "045jfvxd0ybeul8",
    "accessLevels": [
      "accessPolicies/305009197125/accessLevels/device_lock"
    ]
}
```
Update an access binding with the dry run access level:

Before using any of the request data, make the following replacements:
- ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
- DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
HTTP method and URL:
```
PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels
```
Request JSON body:
```
{
  "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
}
```
To send your request, choose one of these options:
curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels"
PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
```
{
  name: "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",

  group_key: "045jfvxd0ybeul8",

  dry_run_access_levels: [ "accessPolicies/305009197125/accessLevels/another" ]
  }
```
Update an access binding and change both access level and dry run access level:

Before using any of the request data, make the following replacements:
- ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
- ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
- DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
HTTP method and URL:
```
PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels,dry_run_access_levels
```
Request JSON body:
```
{
  "accessLevels": [ "ACCESS_LEVEL" ],
  "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
 }
```
To send your request, choose one of these options:
curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels,dry_run_access_levels"
PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels,dry_run_access_levels" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
```
{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "accessLevels": [
    "accessPolicies/305009197125/accessLevels/device_lock"
  ],
  "dryRunAccessLevels": [
    "accessPolicies/305009197125/accessLevels/another"
  ]
}
```
Remove a dry run access level from an access binding:

Note: For an access binding, you cannot remove the access level and dry run access level cannot be empty at the same time.

Before using any of the request data, make the following replacements:
- ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
HTTP method and URL:
```
PATCH PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels
```
Request JSON body:
```
{
  "dryRunAccessLevels": [ ]
}
```
To send your request, choose one of these options:
curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels"
PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels" | Select-Object -Expand Content
You should receive a successful status code (2xx) and an empty response.

Delete access bindings

Console

You can delete an access binding whenever required.

gcloud

   gcloud access-context-manager cloud-bindings delete \
       --binding ACCESS_BINDING

Where:

ACCESS_BINDING is in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.

API

Before using any of the request data, make the following replacements:

ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.

HTTP method and URL:

DELETE https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME

To send your request, choose one of these options:

curl

Execute the following command:

curl -X DELETE \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME"

PowerShell

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

Frequently asked questions

How long does it take for a newly created access binding to take effect?

It might take up to 24 hours.
What happens if I delete a group which has an access binding?

The group and the binding are deleted and all users in the group are allowed access.
What happens if I delete the access level which is used in an access binding?

The access level can never be satisfied and all users of the bound group are denied access.
What happens when a user is in multiple groups that have access bindings?

The user only needs to satisfy the access level of one of those groups to gain access.
What about users who aren't part of my organization?

Anyone not part of your organization, even if you've added them to the group of users that should be bound by context-aware restrictions, are not subject to the access binding.

What's next

To learn more about the audit log for Chrome Enterprise Premium, see Audit logging.
To learn more about audit logging in Access Context Manager, including a summary of which API operations are logged for admin actions, see Access Context Manager audit logging information.