Approving Access Approval requests

This document explains how to approve an Access Approval request.

Before you begin

Make sure that you understand the concepts in the Overview page.
Grant the Access Approval Approver (roles/accessapproval.approver) IAM role on the project, folder, or organization to the principal who you want to be able to perform approvals. You can grant the Access Approval Approver IAM role to either an individual user or a Google group.

If you are using a custom signing key, you must also grant the Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier) IAM role to the Access Approval service account for your resource. If you are using a Google-managed signing key, you don't need to provide any other permissions.

For information about granting an IAM role, see Grant a single role.

Configure settings to receive notifications

You have the following options for receiving Access Approval requests:

Receive requests through email.
Receive requests through Pub/Sub.

You can also choose both these options.

Receive requests through email

To receive Access Approval requests through email, follow the instructions in Setting up email notifications section of the quickstart document.

Receive requests through Pub/Sub

To use Pub/Sub, do the following:

Create a topic in Pub/Sub in the project that should approve requests. You can have a single Pub/Sub topic that should receive requests for all projects, or separate Pub/Sub topics in each project.
Using the Google Cloud Console, give the approval service account Pub/Sub Publisher (roles/pubsub.publisher) IAM role on the Pub/Sub topic. You must grant the required permissions to the following service account:
customer-approval-jobs@system.gserviceaccount.com
Contact Cloud Customer Care, and provide the following details:
- The names of the Pub/Sub topics you have created.
- The unique identifier (folder ID, project number, or organization ID) of the resource for which the topic should receive notifications.

After completing the preceding procedure, you can expect to receive messages in your Pub/Sub topic that correspond to Access Approval requests.

Approve Access Approval requests

After you have enrolled some users as approvers, those users receive all access requests.

Console

To approve an Access Approval request using the Cloud Console, do the following:

To see all your pending approval requests, go to the Access Approval page in the Cloud Console.

Go to Access Approval

If you have opted to receive Access Approval requests through email, you can also go to this page by clicking the link in the email sent to you with the approval request.
To approve a request, click Approve.

Note: You also have the option of dismissing the request. Dismissing the request is optional because access continues to be denied even if you don't dismiss the request.
In the dialog box that opens, select the date and time when you want the access to expire.

Note: Bulk approve option doesn't let you select the expiration date and time.
Select Approve to approve access till the set expiration date and time.

After you approve the request, the request status changes to Approved. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can make an access within the approved time frame. If you don't approve the request, the Google employee's access request is denied. Dismissing the request only removes it from your list of pending requests. If you fail to dismiss an approval request, access continues to be denied.

cURL

To approve an Access Approval request using cURL, do the following:

Take the approvalRequest name from the Pub/Sub message.

Make an API call to approve or dismiss that approvalRequest.

 # HTTP POST request with empty body (an effect of using -d '')
 # service-account-credential.json is attained by going to the
 # IAM -> Service Accounts menu in the cloud console and creating
 # a service account.
 curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
   -d '' https://accessapproval.googleapis.com/v1/projects/<var>PROJECT_ID</var>/approvalRequests/<var>APPROVAL_REQUEST_ID</var>:approve

You can reply to a request with one of the following options:

Action	Effect	Google access state
`:approve`	Approves the request.	Denied before approval, approved after approval.
`:dismiss`	Dismisses the request for approval. We recommend dismissing the access request instead of not taking any action. Dismissing the access request prompts the Google employee to follow up.	Denied before dismissal, denied after dismissal.
No action	Google employee access is still denied. Google employee needs to open a new request to access the resource after the `requestedExpiration` time passes.	Denied before no action, denied after expiration time.

Upon approval, the status of the request changes to Approved. Any Google employee with characteristics matching the approval (for example, same justification, same location, desk location) can make an access within the approved time frame.
If you don't approve or dismiss the request, the Google employee's access request is denied.

What's next

Learn about the actions by Google personnel that are excluded from Access Approval notifications.
Learn about the fields in an Access Approval request.