Learn how to use Access Approval to approve an access request.
Prerequisites
Before you learn how to approve an Access Approval request, make sure that you understand the concepts in the Overview page.
Receiving notifications
There are two options for receiving Access Approval requests: receive via email or use Pub/Sub (or both at the same time).
To receive via email, follow the steps in the Setting up email notifications section of the Quickstart.
To use Pub/Sub, follow the steps below.
- Create a topic in Pub/Sub in the project that will be approving requests. You can have a single Pub/Sub topic that will receive requests for all projects, or separate Pub/Sub topics in each project.
- Using the Google Cloud Console, give the approval service account
Pub/Sub Publisher role on the Pub/Sub topic. The service account
you need to give permissions to is
customer-approval-jobs@system.gserviceaccount.com. - Contact Google Cloud Support, and provide them the name or names of the Pub/Sub topic/s you have created and the project/folder/organization ids for which the topic should receive notifications.
Once this is complete, you will begin receiving messages in your Pub/Sub topic that correspond to Access Approval requests.
The following is a sample Access Approval request:
{
"name": "projects/123456/approvalRequests/xyzabc123",
"requestedResourceName": "projects/123456",
"requestedReason": {
"detail": "Case number: bar123"
"type": "CUSTOMER_INITIATED_SUPPORT"
},
"requestedLocations": {
"principalOfficeCountry": "US",
"principalPhysicalLocationCountry": "US"
},
"requestTime": "2018-08-28T19:07:12.286Z",
"requestedExpiration": "2018-09-02T19:07:11.877Z"
}
Configuring Access Approvers in your Organization
Go to the IAM settings page for your project.
Grant the IAM role Access Approvals Approver on the project, folder, or organization to the principal (either a service account or a human) who will perform approvals.
Approving Access Approval requests
In order to approve an Access Approval request, follow these steps:
Before you begin, be sure that you have the IAM role Access Approvals Approver on the project, folder, or organization.
Console
- Go to Security section of the Google Cloud Console and select
Access Approval to bring up the panel with all your current approval
requests.
- You can also click the link in the email sent to you with the approval request to be taken to this page.
To approve a request, press the Approve button.
In the dialog box that opens, select a date and time when you want the access to expire.
Select Approve to approve access till the set expiration date and time.
Once the request is approved, the request will become 'approved'. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can make an access within the approved time frame. If the request is not approved, the Google employee access will be denied. Dismissing the request only removes it from your list of pending requests, and if you fail to dismiss an approval request, access will continue to be denied.
cURL
- Take the
approvalRequestname from the Pub/Sub message. Make an API call to approve or dismiss that
approvalRequest.# HTTP POST request with empty body (an effect of using -d '') # service-account-credential.json is attained by going to the # IAM -> Service Accounts menu in the cloud console and creating # a service account. curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \ -d '' https://accessapproval.googleapis.com/v1/projects/[PROJECT_ID]/approvalRequests/[APPROVAL_REQUEST_ID]:approveOnce the request is approved the request will become 'approved'. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can make an access within the approved time frame.
If the request is not approved or dismissed, the Google employee access will be denied.
The options you have for replying to a request include:
| Action | Effect | Google access state |
|---|---|---|
| :approve | Approves the request. | Denied before approval, approved after approval. |
| :dismiss | Dismisses the request for approval. This mechanism is preferred over no action as it alerts the Google employee that the request was dismissed to allow for follow-up. | Denied before dismissal, denied after dismissal. |
| No action | Google employee access is still denied. Google employee needs to open a new request to access the resource after the requestedExpiration time passes. | Denied before no action, denied after expiration time. |
Listing historical approval requests
Console
To list historical approval requests:
In the Google Cloud Console, select Security and then Access Approval.
At the top of the Access Approval page, click the History tab.
A table appears that includes all requests that are approved, dismissed, or expired.
To view details about a specific request, in the Details & logs column, click Details.
To view audit logs and Access Transparency logs related to a specific request, in the Details panel, click the Logs tab.
You can also see historical approvals in your Cloud Audit Logs by visiting
Cloud Logging. You can filter by the
Audited Resource accessapproval.googleapis.com if your project has audit
logging enabled.
cURL
curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
https://accessapproval.googleapis.com/v1/projects/<var>PROJECT_ID</var>/approvalRequests?filter=ALL
By default, the API lists all unapproved plus approved, non-expired requests. There is a filter parameter to do things such as listing all dismissed requests. See the API documentation for details.
You will receive a list of historical access approvals together with status.
{
"approvalRequests": [
{
"name": "projects/123456/approvalRequests/xyzabc123",
"requestedResourceName": "projects/123456",
"requestedReason": {
"detail": "Case number: bar123"
"type": "CUSTOMER_INITIATED_SUPPORT"
},
"requestedLocations": {
"principalOfficeCountry": "US",
"principalPhysicalLocationCountry": "US"
},
"requestTime": "2018-08-30T17:49:13.712Z",
"requestedExpiration": "2018-09-04T17:49:13.540Z",
"approve": {
"approveTime": "2018-08-30T17:49:15.737Z",
"expireTime": "2018-09-04T17:49:13.540Z"
}
}
]
}
What's next
- For information on Google actions that are excluded from Access Approval notifications, see Access Approval exclusions.