Secure the Google Cloud console and the Google Cloud APIs

This document shows you how to secure access to the Google Cloud console and Google Cloud APIs by using context-based rules.

Context-Aware Access for the Google Cloud console and the Google Cloud APIs restricts access to the Google Cloud console and the Google Cloud APIs with context-based rules. It is part of BeyondCorp Enterprise and helps to ensure that only the individuals and groups in your organization that satisfy the defined access requirements can reach the Google Cloud console and the Google Cloud APIs (including access from the Google Cloud CLI).

To secure Google Cloud console and Google Cloud APIs, complete the following steps:

  1. [Optional] Deploy Endpoint Verification to devices in your organization.
  2. Create an access level in Access Context Manager.
  3. Create a group of users to be bound by context-aware restrictions.
  4. Obtain the required Identity and Access Management permissions.
  5. Create an access binding that enforces context-aware rules for the Google Cloud console and the Google Cloud APIs.

[Optional] Deploy Endpoint Verification

If you want to secure access to the Google Cloud console and Google Cloud APIs by using device attributes, deploy Endpoint Verification to devices in your organization.

Endpoint Verification runs as a Chrome extension on desktops and laptops for users of macOS, Windows, and Linux. An admin can deploy it to the organization's company-owned devices from the Google Admin console, or members of the organization can install it themselves.

Create an access level

Create a basic access level in Access Context Manager. This is the access level that the access binding you create later requires users to satisfy before they can reach the Google Cloud console and the Google Cloud APIs.

Create a group of users

Create a group of users that should be bound by context-aware restrictions. Any users in this group who are also members of your organization must satisfy the access level that you created earlier to access the Google Cloud console and the Google Cloud APIs.

Grant the required IAM permissions

Grant the IAM permissions at the organization level that will be required to create Access Context Manager access bindings.

Console

  1. Go to the IAM & Admin page in the Google Cloud console.

  2. Click Add and configure the following:

    • New members: Specify the user or group you want to grant the permissions.
    • Select a role: Select Access Context Manager > Cloud Access Binding Admin.
  3. Click Save.

gcloud

  1. Ensure that you are authenticated with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin role.

    Once you've confirmed you have the right permissions, log in with:

    gcloud auth login
    
  2. Assign the GcpAccessAdmin role (roles/accesscontextmanager.gcpAccessAdmin, shown as Cloud Access Binding Admin in the console) by running the following command:

    gcloud organizations add-iam-policy-binding ORG_ID \
      --member=user:EMAIL \
      --role=roles/accesscontextmanager.gcpAccessAdmin
    
    • ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:

       gcloud organizations list
      
    • EMAIL is the email address of the user you want to grant the role. To grant the role to a group instead, use --member=group:EMAIL.

Create an access binding

An access binding is a mapping between the group of users that you created earlier and the Access Context Manager access level that you defined for accessing the Google Cloud console and Google Cloud APIs.

You can create an access binding in one of the following ways:

  • Access binding between a group and an access level.
  • Access binding between a group and an access level with dry run configuration. With the dry run configuration, you can create an access binding between a group and a dry run access level, or between a group, an access level, and a dry run access level.

Create an access binding with an access level

Console

  1. Go to the BeyondCorp Enterprise page in the Google Cloud console.

  2. Choose an organization and click Select.

  3. Click Manage access to choose which user groups should have access.

  4. Click Add and configure the following:

    • Member groups: Specify the group you want to grant access. Only groups not already bound to an access level are available to be selected.
    • Select access levels: Choose the access level that should be applied to the group.
  5. Click Save.

gcloud

You can refer to the Google Cloud CLI reference for more information on this and other gcloud access-context-manager cloud-bindings commands, including additional flags.

    gcloud access-context-manager cloud-bindings create \
      --group-key=GROUP_ID \
      --level=ACCESS_LEVEL \
      --organization=ORG_ID

Where:

  • GROUP_ID is the Group ID for the group of users that you created earlier.

    If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.

  • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role. The --organization flag is optional only if the access-context-manager/organization property is set; otherwise, pass the organization ID explicitly.
  • POLICY_ID is the ID of your organization's access policy.
  • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

API

Before using any of the request data, make the following replacements:

  • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role.
  • GROUP_ID is the Group ID for the group of users that you created earlier.

    If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.

  • POLICY_ID is the ID of your organization's access policy.
  • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

HTTP method and URL:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Request JSON body:

{
  "groupKey": "GROUP_ID",
  "accessLevels": [ "ACCESS_LEVEL" ]
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:


{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "accessLevels": [
    "accessPolicies/305009197125/accessLevels/device_lock"
  ]
}

Create an access binding with dry run configuration

You can create an access binding with dry run configuration to understand the impact of the access levels in your environment in the following scenarios:

  • To evaluate the impact of an access level before enforcing it, create an access binding with a dry run access level.
  • To enforce an access level and evaluate the impact of a dry run access level at the same time, create an access binding with an active access level and with a dry run access level.

An access binding with a dry run access level does not prevent access, but logs the violations of the dry run access level. To view the log details, see the denial logs.

Create an access binding with a dry run access level

gcloud

    gcloud access-context-manager cloud-bindings create \
      --group-key=GROUP_ID \
      --dry-run-level=DRY_RUN_ACCESS_LEVEL \
      --organization=ORG_ID

Where:

  • GROUP_ID is the Group ID for the group of users that you created earlier.

    If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.

  • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role. The --organization flag is optional only if the access-context-manager/organization property is set; otherwise, pass the organization ID explicitly.
  • POLICY_ID is the ID of your organization's access policy.
  • DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

API

Before using any of the request data, make the following replacements:

  • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role.
  • GROUP_ID is the Group ID for the group of users that you created earlier.

    If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.

  • POLICY_ID is the ID of your organization's access policy.
  • DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

HTTP method and URL:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Request JSON body:

{
  "groupKey": "GROUP_ID",
  "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:


{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "dryRunAccessLevels": [
    "accessPolicies/305009197125/accessLevels/another"
  ]
}

Create an access binding with an access level and a dry run access level

gcloud

    gcloud access-context-manager cloud-bindings create \
      --group-key=GROUP_ID \
      --level=ACCESS_LEVEL \
      --dry-run-level=DRY_RUN_ACCESS_LEVEL \
      --organization=ORG_ID

Where:

  • GROUP_ID is the Group ID for the group of users that you created earlier.

    If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.

  • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role. The --organization flag is optional only if the access-context-manager/organization property is set; otherwise, pass the organization ID explicitly.
  • POLICY_ID is the ID of your organization's access policy.
  • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
  • DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

API

Before using any of the request data, make the following replacements:

  • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role.
  • GROUP_ID is the Group ID for the group of users that you created earlier.

    If you don't have the Group ID available, you can retrieve it by calling the get method on the Groups resource.

  • POLICY_ID is the ID of your organization's access policy.
  • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
  • DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

HTTP method and URL:

POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Request JSON body:

{
  "groupKey": "GROUP_ID",
  "accessLevels": [ "ACCESS_LEVEL" ],
  "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:


{
  "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
  "groupKey": "045jfvxd0ybeul8",
  "accessLevels": [
    "accessPolicies/305009197125/accessLevels/device_lock"
  ],
  "dryRunAccessLevels": [
    "accessPolicies/305009197125/accessLevels/another"
  ]
}

View the denial logs

After you have created a dry run configuration, you can review logs to identify where the dry run configuration denies access.

The following log fields are the ones you use to build and run the query that returns the logs:

  • protoPayload > authenticationInfo > principalEmail: Email address of the principal for which access is denied.
  • protoPayload > metadata > deniedApplications: Name of the application for which access is denied.
  • protoPayload > metadata > evaluationResult: Result of evaluating the active access policy. Possible values: GRANTED or DENIED.
  • protoPayload > metadata > appliedAccessLevels: The access levels that the active access policy required.
  • protoPayload > metadata > appliedDryRunAccessLevels: The access levels that the dry run access policy required.
  • protoPayload > metadata > dryRunEvaluationResult: Result of evaluating the dry run access policy, which indicates what the decision will be once that policy is enforced. Possible values: GRANTED or DENIED.

For details about how to create query for logs, see Logging query language.

Console

  1. In the Google Cloud console navigation menu, click Logging, and then click Logs Explorer.

  2. In the Query field, input a query filter like the following filter, and then click Run query.

    severity="ERROR" AND
    (protoPayload.metadata.evaluationResult=DENIED OR protoPayload.metadata.dryRunEvaluationResult=DENIED) AND
    protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.ContextAwareAccessAuditMetadata" AND
    protoPayload.metadata.deniedApplications.name="CLOUD_PLATFORM"
    
  3. View the logs under Query results.

gcloud

To view logs using gcloud CLI, run a command like the following:

gcloud logging read 'severity="ERROR" AND
  (protoPayload.metadata.evaluationResult=DENIED OR protoPayload.metadata.dryRunEvaluationResult=DENIED) AND
  protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.ContextAwareAccessAuditMetadata" AND
  protoPayload.metadata.deniedApplications.name="CLOUD_PLATFORM"'
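The same filter, applied offline to exported log entries and turned into a rollout report. This is an added example and not part of the original page: it replicates the query above over JSON log entries in the field layout listed earlier, then separates principals the active access level already denies from those the dry run access level would deny once you enforce it, which is the number to check before you promote a dry run level to an active one. Only the standard library is used. The log entries are constructed for illustration; in practice you would feed it the JSON output of gcloud logging read --format=json or a newline-delimited log export.

```python
"""Dry-run impact report over Context-Aware Access denial log entries.

Added example, not part of the original page. Applies the same filter as
the Logs Explorer query and then separates principals the active level
already denies from those the dry-run level would deny once enforced.
Only the standard library is used; the sample entries are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

CAA_METADATA_TYPE = (
    "type.googleapis.com/google.cloud.audit.ContextAwareAccessAuditMetadata"
)
TARGET_APP = "CLOUD_PLATFORM"  # the console / Google Cloud APIs application

# Access level names taken from the page's sample responses.
DEVICE_LOCK = "accessPolicies/305009197125/accessLevels/device_lock"
ANOTHER = "accessPolicies/305009197125/accessLevels/another"


def _entry(principal, severity, result, dry_result, app=TARGET_APP):
    """One constructed log entry in the field layout the page's table lists."""
    return {
        "severity": severity,
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "metadata": {
                "@type": CAA_METADATA_TYPE,
                "deniedApplications": [{"name": app}],
                "evaluationResult": result,
                "dryRunEvaluationResult": dry_result,
                "appliedAccessLevels": [DEVICE_LOCK],
                "appliedDryRunAccessLevels": [ANOTHER],
            },
        },
    }


# Constructed sample log: newline-delimited JSON, as a log export would be.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("alice@example.com", "ERROR", "GRANTED", "DENIED"),   # dry-run level would deny
    _entry("bob@example.com", "ERROR", "DENIED", "GRANTED"),     # active level already denies
    _entry("carol@example.com", "INFO", "GRANTED", "GRANTED"),   # not a denial at all
    _entry("dave@example.com", "ERROR", "GRANTED", "DENIED", app="OTHER_APP"),  # other app
    _entry("alice@example.com", "ERROR", "GRANTED", "DENIED"),   # repeat: counted once
])


def load_entries(text: str) -> List[dict]:
    """Accept a JSON array (gcloud logging read --format=json) or NDJSON."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_denial_query(entry: dict) -> bool:
    """Same predicate as the Logs Explorer / gcloud logging read filter above."""
    meta = entry.get("protoPayload", {}).get("metadata", {})
    if entry.get("severity") != "ERROR":
        return False
    if meta.get("@type") != CAA_METADATA_TYPE:
        return False
    if "DENIED" not in (meta.get("evaluationResult"), meta.get("dryRunEvaluationResult")):
        return False
    # deniedApplications.name in the query language matches any array element
    return any(app.get("name") == TARGET_APP for app in meta.get("deniedApplications", []))


def dry_run_impact(entries: Iterable[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Map principals to the levels that deny them, split by enforcement state.

    A principal the active policy already denies is not counted under
    would_be_denied: enforcing the dry-run level changes nothing for them.
    """
    enforced: Dict[str, Set[str]] = defaultdict(set)
    would_be: Dict[str, Set[str]] = defaultdict(set)
    for entry in entries:
        if not matches_denial_query(entry):
            continue
        meta = entry["protoPayload"]["metadata"]
        who = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        if meta.get("evaluationResult") == "DENIED":
            enforced[who].update(meta.get("appliedAccessLevels", []))
        elif meta.get("dryRunEvaluationResult") == "DENIED":
            would_be[who].update(meta.get("appliedDryRunAccessLevels", []))
    return {"enforced_denied": dict(enforced), "would_be_denied": dict(would_be)}


if __name__ == "__main__":
    report = dry_run_impact(load_entries(SAMPLE_LOG))
    for bucket, principals in report.items():
        print(bucket)
        for who, levels in sorted(principals.items()):
            print(f"  {who}: {', '.join(sorted(levels))}")
```

Run it against a real export after the dry run binding has been in place long enough to cover the users' normal working patterns (the FAQ notes that a new binding can take up to 24 hours to take effect, so exclude that window). An empty would_be_denied bucket is the signal that the dry run level can be promoted to the active level without locking anyone out.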

Manage access bindings

After an access binding is created for a group of users, access to the Google Cloud console and Google Cloud APIs for those users is controlled by whether they satisfy the bound access level.

You can view the details of the access binding that you created, edit it, or delete it.

View access bindings

Console

You can view all access bindings for the organization and view the details of an access binding.

gcloud

  • To view all access bindings, run the following command:

      gcloud access-context-manager cloud-bindings list \
       --organization ORG_ID
    

    Where:

    ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role. The --organization flag is optional only if the access-context-manager/organization property is set; otherwise, pass the organization ID explicitly.

  • To view the details of an access binding, run the following command:

      gcloud access-context-manager cloud-bindings describe \
      --binding=BINDING_ID
    

    Where:

    BINDING_ID is the ID of the access-binding or fully qualified identifier for the access binding.

API

  • View all access bindings:

    Before using any of the request data, make the following replacements:

    • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role.

    HTTP method and URL:

    GET https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

    To send your request, choose one of these options:

    curl

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

    PowerShell

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    
    {
      "gcpUserAccessBindings": [
        {
          "name": string,
          "groupKey": string,
          "accessLevels": [
            string
          ],
          "dryRunAccessLevels": [
            string
          ]
        }
      ]
    }
    
    

  • View the details of an access binding:

    Before using any of the request data, make the following replacements:

    • BINDING_ID is the fully qualified name of the access binding, in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.

    HTTP method and URL:

    GET https://accesscontextmanager.googleapis.com/v1/BINDING_ID

    To send your request, choose one of these options:

    curl

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://accesscontextmanager.googleapis.com/v1/BINDING_ID"

    PowerShell

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://accesscontextmanager.googleapis.com/v1/BINDING_ID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    
    {
      "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
      "groupKey": "045jfvxd0ybeul8",
      "accessLevels": [
        "accessPolicies/305009197125/accessLevels/device_lock"
      ],
      "dryRunAccessLevels": [
        "accessPolicies/305009197125/accessLevels/another"
      ]
    }
    
    

Update access bindings

Console

You can update an access binding as required.

gcloud

  • To update an access binding, such as to change the access level, run the following command:

      gcloud access-context-manager cloud-bindings update \
        --binding=ACCESS_BINDING \
        --level=ACCESS_LEVEL
    

    Where:

    • ACCESS_BINDING is in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
    • ORG_ID is the ID of the organization in which you granted the GcpAccessAdmin role.
    • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
    • Replace the value for ACCESS_LEVEL as needed. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
  • To update an access binding with a dry run access level, run the following command:

      gcloud access-context-manager cloud-bindings update \
        --binding=ACCESS_BINDING \
        --dry-run-level=DRY_RUN_ACCESS_LEVEL
    

    Replace the value for DRY_RUN_ACCESS_LEVEL as needed. It is in the form accessPolicies/POLICY_ID/accessLevels/DRY_RUN_ACCESS_LEVEL_NAME.

  • To update an access binding and change both access level and dry run access level, run the following command:

      gcloud access-context-manager cloud-bindings update \
        --binding=ACCESS_BINDING \
        --level=ACCESS_LEVEL \
        --dry-run-level=DRY_RUN_ACCESS_LEVEL
    

    Replace the values for ACCESS_LEVEL and DRY_RUN_ACCESS_LEVEL as needed. Both are access level resource names in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME.

  • To remove a dry run access level from an access binding, run the following command:

      gcloud access-context-manager cloud-bindings update \
        --binding=ACCESS_BINDING \
        --dry-run-level=
    

    Passing an empty value for --dry-run-level clears the dry run access level. The active access level of the binding is not changed.

API

  • Update an access binding, such as to change the access level:

    Before using any of the request data, make the following replacements:

    • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
    • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

    HTTP method and URL:

    PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels

    Request JSON body:

    {
        "accessLevels": [ "ACCESS_LEVEL" ]
    }
    
    

    To send your request, choose one of these options:

    curl

    Save the request body in a file named request.json, and execute the following command:

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels"

    PowerShell

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    
    {
        "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
        "groupKey": "045jfvxd0ybeul8",
        "accessLevels": [
          "accessPolicies/305009197125/accessLevels/device_lock"
        ]
    }
    
    

  • Update an access binding with the dry run access level:

    Before using any of the request data, make the following replacements:

    • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
    • DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

    HTTP method and URL:

    PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels

    Request JSON body:

    {
      "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
    }
    
    

    To send your request, choose one of these options:

    curl

    Save the request body in a file named request.json, and execute the following command:

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels"

    PowerShell

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    
    {
      "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
      "groupKey": "045jfvxd0ybeul8",
      "dryRunAccessLevels": [
        "accessPolicies/305009197125/accessLevels/another"
      ]
    }
    
    

  • Update an access binding and change both access level and dry run access level:

    Before using any of the request data, make the following replacements:

    • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.
    • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.
    • DRY_RUN_ACCESS_LEVEL is the ACCESS_LEVEL for which you want to understand the effect. ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

    HTTP method and URL:

    PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels,dry_run_access_levels

    Request JSON body:

    {
      "accessLevels": [ "ACCESS_LEVEL" ],
      "dryRunAccessLevels": [ "DRY_RUN_ACCESS_LEVEL" ]
    }
    
    

    To send your request, choose one of these options:

    curl

    Save the request body in a file named request.json, and execute the following command:

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels,dry_run_access_levels"

    PowerShell

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=access_levels,dry_run_access_levels" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    
    {
      "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
      "groupKey": "045jfvxd0ybeul8",
      "accessLevels": [
        "accessPolicies/305009197125/accessLevels/device_lock"
      ],
      "dryRunAccessLevels": [
        "accessPolicies/305009197125/accessLevels/another"
      ]
    }
    
    

  • Remove a dry run access level from an access binding:

    Before using any of the request data, make the following replacements:

    • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.

    HTTP method and URL:

    PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels

    Request JSON body:

    {
      "dryRunAccessLevels": [ ]
    }
    
    

    To send your request, choose one of these options:

    curl

    Save the request body in a file named request.json, and execute the following command:

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels"

    PowerShell

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME?update_mask=dry_run_access_levels" | Select-Object -Expand Content

    You should receive a successful status code (2xx) and an empty response.

Delete access bindings

Console

You can delete an access binding whenever required.

gcloud

   gcloud access-context-manager cloud-bindings delete \
       --binding ACCESS_BINDING

Where:

  • ACCESS_BINDING is in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
  • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.

API

Before using any of the request data, make the following replacements:

  • ACCESS_BINDING_NAME is the unique string returned for the name identifier when the access binding was created.

HTTP method and URL:

DELETE https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME

To send your request, choose one of these options:

curl

Execute the following command:

curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME"

PowerShell

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING_NAME" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.
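The create, update and delete calls described in the sections above, wrapped in a small Python helper. This is an added example, not code from this page or from Google's client libraries. It builds the same REST requests that the curl examples send, rejects malformed resource names before anything leaves the machine (the format rules in the regular expressions are assumptions drawn from the identifiers shown on this page, not a published grammar), and assembles the update_mask so that a PATCH changes exactly the fields you intend, including the edge case of clearing the dry run access level with an empty list. send performs the real HTTP call with an access token you pass in, for example the output of gcloud auth print-access-token; importing the module makes no network calls. The organization, group, level and binding identifiers used at the bottom are the page's own sample values.

```python
"""Build and send Access Context Manager gcpUserAccessBindings requests.

Added example; not code from the page or from Google's client libraries.
Only the standard library is used.
"""
import json
import re
import urllib.request
from typing import Any, Dict, Optional, Tuple

API = "https://accesscontextmanager.googleapis.com/v1"

# Assumed format rules, inferred from the identifiers shown on the page:
# a level is accessPolicies/<numeric id>/accessLevels/<name>, a binding is
# organizations/<numeric id>/gcpUserAccessBindings/<opaque name>.
_LEVEL_RE = re.compile(r"^accessPolicies/\d+/accessLevels/[A-Za-z_][A-Za-z0-9_]*$")
_BINDING_RE = re.compile(r"^organizations/\d+/gcpUserAccessBindings/[A-Za-z0-9_-]+$")

Request = Tuple[str, str, Optional[Dict[str, Any]]]  # (method, url, json body)
_UNCHANGED = object()  # sentinel: leave this field of the binding as it is


def _level(level: str) -> str:
    """Reject bare level names; the API needs the full resource name."""
    if not _LEVEL_RE.match(level):
        raise ValueError(
            f"expected accessPolicies/POLICY_ID/accessLevels/NAME, got {level!r}")
    return level


def _binding(name: str) -> str:
    if not _BINDING_RE.match(name):
        raise ValueError(
            "binding must be organizations/ORG_ID/gcpUserAccessBindings/NAME")
    return name


def create_binding_request(org_id: str, group_key: str,
                           access_level: Optional[str] = None,
                           dry_run_level: Optional[str] = None) -> Request:
    """POST a new binding: active level, dry-run level, or both."""
    if not str(org_id).isdigit():
        raise ValueError("ORG_ID must be the numeric organization ID")
    if access_level is None and dry_run_level is None:
        raise ValueError("a binding needs an access level, a dry-run level, or both")
    body: Dict[str, Any] = {"groupKey": group_key}
    if access_level is not None:
        body["accessLevels"] = [_level(access_level)]
    if dry_run_level is not None:
        body["dryRunAccessLevels"] = [_level(dry_run_level)]
    return "POST", f"{API}/organizations/{org_id}/gcpUserAccessBindings", body


def update_binding_request(binding_name: str, access_level=_UNCHANGED,
                           dry_run_level=_UNCHANGED) -> Request:
    """PATCH with an update_mask naming exactly the fields being changed.

    dry_run_level=None clears the dry-run level: an empty list sent under a
    mask that names the field, the same thing `--dry-run-level=` does.
    """
    _binding(binding_name)
    body: Dict[str, Any] = {}
    mask = []
    if access_level is not _UNCHANGED:
        if access_level is None:
            raise ValueError("the page documents clearing only the dry-run level")
        body["accessLevels"] = [_level(access_level)]
        mask.append("access_levels")
    if dry_run_level is not _UNCHANGED:
        body["dryRunAccessLevels"] = [] if dry_run_level is None else [_level(dry_run_level)]
        mask.append("dry_run_access_levels")
    if not mask:
        raise ValueError("nothing to update")
    return "PATCH", f"{API}/{binding_name}?update_mask={','.join(mask)}", body


def delete_binding_request(binding_name: str) -> Request:
    """DELETE the binding; the group keeps existing, only the restriction goes."""
    return "DELETE", f"{API}/{_binding(binding_name)}", None


def send(request: Request, access_token: str) -> Dict[str, Any]:
    """Perform the call; access_token is e.g. `gcloud auth print-access-token` output."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {access_token}")
    if data is not None:
        req.add_header("Content-Type", "application/json; charset=utf-8")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # The page's sample identifiers; print the requests instead of sending them.
    org, group = "427391306986", "045jfvxd0ybeul8"
    active = "accessPolicies/305009197125/accessLevels/device_lock"
    dry = "accessPolicies/305009197125/accessLevels/another"
    binding = f"organizations/{org}/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l"
    for r in (create_binding_request(org, group, active, dry),
              update_binding_request(binding, dry_run_level=None),
              delete_binding_request(binding)):
        print(*r)
```

The validation matters more than it looks: a PATCH whose update_mask omits a field leaves that field untouched, and a bare level name such as device_lock is not a valid accessLevels value, so catching both client-side avoids a binding that silently does not do what the change ticket said.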

Frequently asked questions

  • How long does it take for a newly created access binding to take effect?

    It might take up to 24 hours.

  • What happens if I delete a group which has an access binding?

    The binding is deleted along with the group, so the users who were in that group are no longer restricted by it and are allowed access.

  • What happens if I delete the access level which is used in an access binding?

    The access level can never be satisfied and all users of the bound group are denied access.

  • What happens when a user is in multiple groups that have access bindings?

    The user only needs to satisfy the access level of one of those groups to gain access.

  • What about users who aren't part of my organization?

    Anyone who is not part of your organization, even if you've added them to the group of users that should be bound by context-aware restrictions, is not subject to the access binding.
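An offline model of how bindings combine, following the rules in the questions above. This is an added example and not Google's evaluation code: it encodes the stated rules (users outside the organization are not bound, a deleted access level can never be satisfied, membership in several bound groups means satisfying any one of them is enough, a dry run level never denies) so that a planned set of bindings can be checked against a few users before rollout. Each binding carries a single access level, as in the page's examples; how the dry run result is derived for a binding that carries both an active and a dry run level is an assumption marked in the code. The groups, users and the corp_ip access level are constructed for the scenario; the other level names are the page's own samples.

```python
"""Offline model of how access bindings combine, following the FAQ above.

Added example; this is not Google's evaluation code. Only the rules the FAQ
states are encoded; the dry-run combination rule is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GRANTED, DENIED = "GRANTED", "DENIED"


@dataclass(frozen=True)
class Binding:
    group: str
    access_level: Optional[str] = None   # enforced level, if any
    dry_run_level: Optional[str] = None  # logged only, never enforced


@dataclass
class Directory:
    org_members: Set[str]
    groups: Dict[str, Set[str]]            # group id -> member emails
    deleted_levels: Set[str] = field(default_factory=set)


def evaluate(user: str, satisfied: Set[str], bindings: List[Binding],
             directory: Directory) -> Tuple[str, str]:
    """Return (evaluationResult, dryRunEvaluationResult) for one request.

    `satisfied` is the set of access levels the request context meets
    (device state, IP, etc.), as Access Context Manager would determine.
    """
    if user not in directory.org_members:
        return GRANTED, GRANTED  # FAQ: users outside the organization are not bound

    def meets(level: Optional[str]) -> bool:
        if level is None:
            return True  # a binding without this kind of level restricts nothing
        if level in directory.deleted_levels:
            return False  # FAQ: a deleted level can never be satisfied
        return level in satisfied

    applicable = [b for b in bindings if user in directory.groups.get(b.group, set())]
    if not applicable:
        return GRANTED, GRANTED  # no binding covers this user

    # FAQ: satisfying the level of any one bound group is enough.
    enforced = GRANTED if any(meets(b.access_level) for b in applicable) else DENIED
    # Assumption: where a binding has a dry-run level, the dry-run result is
    # what enforcing that level would give; otherwise it equals the active result.
    predicted = GRANTED if any(
        meets(b.dry_run_level if b.dry_run_level is not None else b.access_level)
        for b in applicable) else DENIED
    return enforced, predicted


# Constructed scenario. device_lock and another are the page's sample levels;
# corp_ip, the groups and the users are hypothetical.
DEVICE_LOCK = "accessPolicies/305009197125/accessLevels/device_lock"
ANOTHER = "accessPolicies/305009197125/accessLevels/another"
CORP_IP = "accessPolicies/305009197125/accessLevels/corp_ip"

BINDINGS = [
    Binding("engineering", access_level=DEVICE_LOCK, dry_run_level=ANOTHER),
    Binding("oncall", access_level=CORP_IP),
]
DIRECTORY = Directory(
    org_members={"alice@example.com", "bob@example.com", "carol@example.com"},
    groups={
        "engineering": {"alice@example.com", "bob@example.com"},
        "oncall": {"bob@example.com", "eve@partner.example"},
    },
)

if __name__ == "__main__":
    for user, context in [("alice@example.com", {DEVICE_LOCK}),
                          ("bob@example.com", {CORP_IP}),
                          ("carol@example.com", set()),
                          ("eve@partner.example", set())]:
        print(user, evaluate(user, context, BINDINGS, DIRECTORY))
```

The scenario shows the effect of the "any one group" rule: bob is bound to device_lock through engineering, but because he is also in oncall, which is bound to the laxer corp_ip level, he gets in from any device on the corporate network. When you add a group binding, check which members already sit in other bound groups, since the new binding can only ever widen access for them.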
