This document explains how to approve an Access Approval request.
Before you begin
Make sure that you understand the concepts in the Overview page.
Grant the Access Approval Approver (
roles/accessapproval.approver) IAM role on the project, folder, or organization to the principal who you want to be able to perform approvals. You can grant the Access Approval Approver IAM role to either an individual user, a service account, or a Google group.
If you are using a custom signing key, you must also grant the Cloud KMS CryptoKey Signer/Verifier (
roles/cloudkms.signerVerifier) IAM role to the Access Approval service account for your resource. If you are using a Google-managed signing key, you don't need to provide any other permissions.
For information about granting an IAM role, see Grant a single role.
Configure settings to receive notifications
You have the following options for receiving Access Approval requests:
- Receive requests through email.
- Receive requests through Pub/Sub.
You can also choose both these options.
Receive requests through email
To receive Access Approval requests through email, follow the instructions in Setting up email notifications section of the quickstart document.
Receive requests through Pub/Sub
To use Pub/Sub, do the following:
- Create a topic in Pub/Sub in the project that should approve requests. You can have a single Pub/Sub topic that should receive requests for all projects, or separate Pub/Sub topics in each project.
Using the Google Cloud console, give the approval service account
Pub/Sub Publisher (
roles/pubsub.publisher) IAM role on the Pub/Sub topic. You must grant the required permissions to the following service account:
Contact Cloud Customer Care, and provide the following details:
- The names of the Pub/Sub topics you have created.
- The unique identifier (folder ID, project number, or organization ID) of the resource for which the topic should receive notifications.
After completing the preceding procedure, you can expect to receive messages in your Pub/Sub topic that correspond to Access Approval requests.
Approve Access Approval requests
After you have enrolled some users as approvers, those users receive all access requests.
To approve an Access Approval request using the console, do the following:
To see all your pending approval requests, go to the Access Approval page in the console.
If you have opted to receive Access Approval requests through email, you can also go to this page by clicking the link in the email sent to you with the approval request.
To approve a request, click Approve.
You also have the option of dismissing the request. Dismissing the request is optional because access continues to be denied even if you don't dismiss the request.
If you don't approve the Google employee's access request within 14 days or before the request expires, the request is automatically dismissed.
In the dialog box that opens, select the date and time when you want the access to expire.
Select Approve to approve access till the set expiration date and time.
To approve an Access Approval request using cURL, do the following:
- Take the
approvalRequestname from the Pub/Sub message.
Make an API call to approve or dismiss that
# HTTP POST request with empty body (an effect of using -d '') # service-account-credential.json is attained by going to the # IAM -> Service Accounts menu in the cloud console and creating # a service account. curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \ -d '' https://accessapproval.googleapis.com/v1/projects/<var>PROJECT_ID</var>/approvalRequests/<var>APPROVAL_REQUEST_ID</var>:approve
You can reply to a request with one of the following options:
Action Effect Google access state
Approves the request. Denied before approval, approved after approval.
Dismisses the request for approval. We recommend dismissing the access request instead of not taking any action. Dismissing the access request prompts the Google employee to follow up. Denied before dismissal, denied after dismissal. No action Google employee access is still denied. Google employee needs to open a new request to access the resource after the
Denied before no action, denied after expiration time.
After you approve the request, the request status changes to
Google employee with characteristics matching the approval scope can make an
access within the approved time frame. These matching characteristics include
the same justification, location, or desk location.
Access Approval doesn't provide any IAM role or any new permission to the Google employee who requested access.
If you don't approve the Google employee's access request, access is denied to the Google employee. Dismissing the request only removes it from your list of pending requests. If you fail to dismiss an approval request, access continues to be denied.
After enabling, Access Transparency logs all accesses to core customer content that you approve.
Access to Google personnel is allowed until the approval expires or the justification for access is no longer valid. For example, access expires if the support case for which Google personnel requested access is closed.
- Learn about the actions by Google personnel that are excluded from Access Approval notifications.
- Learn about the fields in an Access Approval request.