This document explains how to approve an Access Approval request.
Before you begin
- Make sure that you understand the concepts in the Overview page.
- Grant the Access Approval Approver (roles/accessapproval.approver) IAM role on the project, folder, or organization to the principal who you want to be able to perform approvals. You can grant the Access Approval Approver IAM role to either an individual user or a Google group.
- If you are using a custom signing key, you must also grant the Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier) IAM role to the Access Approval service account for your resource. If you are using a Google-managed signing key, you don't need to grant any other permissions.
For information about granting an IAM role, see Grant a single role.
Configure settings to receive notifications
You have the following options for receiving Access Approval requests:
- Receive requests through email.
- Receive requests through Pub/Sub.
You can also choose both these options.
Receive requests through email
To receive Access Approval requests through email, follow the instructions in the Setting up email notifications section of the quickstart document.
Receive requests through Pub/Sub
To use Pub/Sub, do the following:
- Create a topic in Pub/Sub in the project that should approve requests. You can have a single Pub/Sub topic that receives requests for all projects, or a separate Pub/Sub topic in each project.
- Using the Google Cloud Console, grant the approval service account the Pub/Sub Publisher (roles/pubsub.publisher) IAM role on the Pub/Sub topic. You must grant this role to the Access Approval service account for your resource.
- Contact Cloud Customer Care, and provide the following details:
  - The names of the Pub/Sub topics you have created.
  - The unique identifier (folder ID, project number, or organization ID) of the resource for which the topic should receive notifications.
After completing the preceding procedure, you can expect to receive messages in your Pub/Sub topic that correspond to Access Approval requests.
Approve Access Approval requests
After you have enrolled some users as approvers, those users receive all access requests.
To approve an Access Approval request using the Cloud Console, do the following:
- To see all your pending approval requests, go to the Access Approval page in the Cloud Console. If you have opted to receive Access Approval requests through email, you can also reach this page by clicking the link in the email that carries the approval request.
- To approve a request, click Approve.
- In the dialog box that opens, select the date and time when you want the access to expire.
- Select Approve to approve access until the set expiration date and time.
After you approve the request, the request status changes to Approved. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can access the resource within the approved time frame. If you don't approve the request, the Google employee's access request is denied. Dismissing the request only removes it from your list of pending requests. If you fail to dismiss an approval request, access continues to be denied.
To approve an Access Approval request using cURL, do the following:
- Take the approvalRequest name from the Pub/Sub message.
- Make an API call to approve or dismiss that approval request:

    # HTTP POST request with empty body (an effect of using -d '').
    # service-account-credentials.json is obtained by going to the
    # IAM -> Service Accounts menu in the Cloud Console and creating
    # a service account.
    curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
      -d '' https://accessapproval.googleapis.com/v1/projects/PROJECT_ID/approvalRequests/APPROVAL_REQUEST_ID:approve
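The two cURL steps above can be automated as one small tool that reads the approvalRequest name out of the Pub/Sub notification, checks that the name has the expected shape before it is placed in a URL, and builds the :approve or :dismiss call with a bounded expireTime. The code below is an added example, not part of this page or of the Access Approval product; it assumes that the Pub/Sub message's base64 data field is the JSON ApprovalRequest resource with a name field, that the approve body field is expireTime (RFC 3339), and that an OAuth access token with the cloud-platform scope is supplied by the caller. The sample message is constructed for illustration.

```python
"""Approve or dismiss an Access Approval request taken from a Pub/Sub message."""
import base64
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

API_ROOT = "https://accessapproval.googleapis.com/v1"

# approvalRequests are scoped to a project, folder or organization; only a
# name of this exact shape is allowed into the request URL.
_NAME_RE = re.compile(r"^(projects|folders|organizations)/[^/]+/approvalRequests/[^/]+$")


def is_valid_name(name: str) -> bool:
    """True if `name` has the expected approvalRequest resource-name shape."""
    return bool(_NAME_RE.match(name))


def extract_request_name(pubsub_message: dict) -> str:
    """Return the approvalRequest name carried in a Pub/Sub message.

    Assumption (not stated on the page): the message `data` field is the
    base64-encoded JSON ApprovalRequest resource. The name is validated so a
    malformed or tampered message cannot steer the API call to another path.
    """
    payload = json.loads(base64.b64decode(pubsub_message["data"]))
    name = payload["name"]
    if not is_valid_name(name):
        raise ValueError(f"unexpected approvalRequest name: {name!r}")
    return name


def build_call(name: str, action: str, expire_after_hours: int = 4) -> tuple:
    """Build (url, json_body) for the :approve or :dismiss method.

    For approvals, expireTime bounds how long matching access stays approved;
    it is the API-side counterpart of choosing an expiry in the Console dialog.
    """
    if action not in ("approve", "dismiss"):
        raise ValueError(f"unsupported action: {action!r}")
    if not is_valid_name(name):
        raise ValueError(f"unexpected approvalRequest name: {name!r}")
    url = f"{API_ROOT}/{name}:{action}"
    if action == "dismiss":
        return url, {}
    expire = datetime.now(timezone.utc) + timedelta(hours=expire_after_hours)
    # RFC 3339 timestamp in UTC (assumed field name: expireTime).
    return url, {"expireTime": expire.strftime("%Y-%m-%dT%H:%M:%SZ")}


def send(url: str, body: dict, access_token: str) -> dict:
    """POST the JSON body with a bearer token and return the decoded response."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed sample notification; the name is a placeholder, not a real request.
SAMPLE_MESSAGE = {
    "data": base64.b64encode(json.dumps({
        "name": "projects/example-project/approvalRequests/abc123",
    }).encode()).decode(),
}

if __name__ == "__main__":
    import sys
    name = extract_request_name(SAMPLE_MESSAGE)
    url, body = build_call(name, "approve", expire_after_hours=2)
    print(url, json.dumps(body))
    if len(sys.argv) > 1:  # pass an access token to actually send the call
        print(send(url, body, sys.argv[1]))
```

Run without arguments to see the URL and body that would be sent; pass an access token (for example from `oauth2l fetch`) as the first argument to perform the call. Keeping the expiry short by default matches the page's advice to set an explicit expiration rather than leaving approvals open-ended.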
You can reply to a request with one of the following options:

| Action | Effect | Google access state |
| --- | --- | --- |
| Approve | Approves the request. | Denied before approval, approved after approval. |
| Dismiss | Dismisses the request for approval. We recommend dismissing the access request instead of not taking any action. Dismissing the access request prompts the Google employee to follow up. | Denied before dismissal, denied after dismissal. |
| No action | Google employee access is still denied. The Google employee needs to open a new request to access the resource after the expiration time. | Denied before no action, denied after expiration time. |
Upon approval, the status of the request changes to Approved. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can access the resource within the approved time frame.
If you don't approve or dismiss the request, the Google employee's access request is denied.
- Learn about the actions by Google personnel that are excluded from Access Approval notifications.
- Learn about the fields in an Access Approval request.