Approving Access Approval requests

This document explains how to use Access Approval to approve an access request.

Before you begin

Make sure that you understand the concepts in the Overview page.

Receive notifications

You have the following options for receiving Access Approval requests:

  • Receive requests through email.
  • Receive requests through Pub/Sub.

You can also choose both these options.

Receive requests through email

To receive Access Approval requests through email, follow the instructions in Setting up email notifications.

Receive requests through Pub/Sub

To use Pub/Sub, do the following:

  1. Create a topic in Pub/Sub in the project that should approve requests. You can have a single Pub/Sub topic that should receive requests for all projects, or separate Pub/Sub topics in each project.
  2. Using the Google Cloud Console, grant the approval service account the Pub/Sub Publisher (roles/pubsub.publisher) IAM role on the Pub/Sub topic. The service account you need to grant the role to is customer-approval-jobs@system.gserviceaccount.com.
  3. Contact Cloud Customer Care, and provide the following details:
    • The names of the Pub/Sub topics you have created.
    • The unique identifier (folder ID, project number, or organization ID) of the resource for which the topic should receive notifications.

Once you have completed this procedure, your Pub/Sub topic receives a message for every Access Approval request.

The following is a sample Access Approval request:

{
  "name": "projects/123456/approvalRequests/xyzabc123",
  "requestedResourceName": "projects/123456",
  "requestedReason": {
    "detail": "Case number: bar123",
    "type": "CUSTOMER_INITIATED_SUPPORT"
  },
  "requestedLocations": {
    "principalOfficeCountry": "US",
    "principalPhysicalLocationCountry": "US"
  },
  "requestTime": "2018-08-28T19:07:12.286Z",
  "requestedExpiration": "2018-09-02T19:07:11.877Z"
}

Configure access approvers in your organization

To approve access requests, you must have the Access Approval Approver (roles/accessapproval.approver) IAM role on the project, folder, or organization.

To grant the Access Approval Approver (roles/accessapproval.approver) IAM role to a principal, do the following:

  1. In the Cloud Console, go to the Identity and Access Management (IAM) page.

    Go to IAM

  2. Grant the Access Approval Approver (roles/accessapproval.approver) IAM role on the project, folder, or organization to the principal (either a Google Account or a Google group) who should perform approvals.

Approve Access Approval requests

After you have enrolled some users as approvers, those users receive all access requests. To approve an Access Approval request, use the following instructions.

Console

  1. Go to the Access Approval page.

    Go to Access Approval

    You can also click the link in the email sent to you with the approval request to be taken to this page.

  2. To approve a request, click Approve.

  3. In the dialog box that opens, select a date and time when you want the access to expire.

  4. Select Approve to approve access till the set expiration date and time.

    Select expiration date and time for Access Approval request

    After you approve the request, the request status changes to Approved. Any Google employee whose characteristics match the approval (for example, same justification, same location, same desk location) can access the resource within the approved time frame. If you don't approve the request, the Google employee's access is denied. Dismissing the request only removes it from your list of pending requests. If you neither approve nor dismiss an approval request, access continues to be denied.

cURL

  1. Take the approvalRequest name from the Pub/Sub message.
  2. Make an API call to approve or dismiss that approvalRequest.

     # HTTP POST request with an empty body (the effect of passing -d '').
     # service-account-credentials.json is obtained by going to the
     # IAM -> Service Accounts menu in the Cloud Console and creating
     # a service account.
     curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
       -d '' https://accessapproval.googleapis.com/v1/projects/[PROJECT_ID]/approvalRequests/[APPROVAL_REQUEST_ID]:approve
    
  3. After the request is approved, the request status changes to Approved. Any Google employee whose characteristics match the approval (for example, same justification, same location, same desk location) can access the resource within the approved time frame.

  4. If the request is not approved or dismissed, the Google employee's access request is denied.

You can reply to a request with one of the following options:

  • :approve
    Effect: Approves the request.
    Google access state: Denied before approval, approved after approval.
  • :dismiss
    Effect: Dismisses the request for approval. This mechanism is preferred over taking no action because it alerts the Google employee that the request was dismissed and prompts a follow-up.
    Google access state: Denied before dismissal, denied after dismissal.
  • No action
    Effect: Google employee access is still denied. The Google employee needs to open a new request to access the resource after the requestedExpiration time passes.
    Google access state: Denied while no action is taken, denied after the expiration time.
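The following added example (not code from the Access Approval documentation or API) shows how an approver's automation might triage a Pub/Sub message of the format shown above and build the :approve or :dismiss endpoint that the curl command above posts to. The policy constants (allowed countries, open support cases, maximum access window) are hypothetical local checks, not part of Access Approval; the sample message is constructed from the documented fields.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample message, using the field layout shown on this page.
SAMPLE_REQUEST = """{
  "name": "projects/123456/approvalRequests/xyzabc123",
  "requestedResourceName": "projects/123456",
  "requestedReason": {"detail": "Case number: bar123", "type": "CUSTOMER_INITIATED_SUPPORT"},
  "requestedLocations": {"principalOfficeCountry": "US", "principalPhysicalLocationCountry": "US"},
  "requestTime": "2018-08-28T19:07:12.286Z",
  "requestedExpiration": "2018-09-02T19:07:11.877Z"
}"""

# Hypothetical local policy (assumptions, not Access Approval settings).
ALLOWED_COUNTRIES = {"US"}
OPEN_SUPPORT_CASES = {"bar123"}      # support cases your own team opened
MAX_ACCESS_WINDOW = timedelta(days=7)

API_BASE = "https://accessapproval.googleapis.com/v1/"


def parse_time(value):
    """Parse the RFC 3339 UTC timestamps used in the request."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(message_json):
    """Return (action, reason): a recommendation of 'approve' or 'dismiss'.

    Dismissing is recommended over silence because it tells the requester
    to follow up, as the action table above explains.
    """
    req = json.loads(message_json)
    reason = req["requestedReason"]
    locs = req["requestedLocations"]
    window = parse_time(req["requestedExpiration"]) - parse_time(req["requestTime"])
    if reason.get("type") != "CUSTOMER_INITIATED_SUPPORT":
        return "dismiss", "only customer-initiated support access is recommended for approval"
    case = reason.get("detail", "").removeprefix("Case number: ")
    if case not in OPEN_SUPPORT_CASES:
        return "dismiss", f"no open support case matches {case!r}"
    countries = {locs.get("principalOfficeCountry"), locs.get("principalPhysicalLocationCountry")}
    if not countries <= ALLOWED_COUNTRIES:
        return "dismiss", "principal location outside the allowed countries"
    if window > MAX_ACCESS_WINDOW:
        return "dismiss", "requested expiration exceeds the allowed window"
    return "approve", f"matches open case {case}"


def action_url(message_json, action):
    """Build the endpoint to POST to (empty body), e.g. .../xyzabc123:approve."""
    name = json.loads(message_json)["name"]   # already "projects/<number>/approvalRequests/<id>"
    return API_BASE + name + ":" + action
```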

List historical approval requests

Console

To list all historical approval requests, do the following:

  1. Go to the Access Approval page.

    Go to Access Approval

  2. Click History.

    A table appears that includes all requests that are approved, dismissed, or expired.

  3. To view details about a specific request, in the Details & logs column, click Details.

  4. To view audit logs and Access Transparency logs related to a specific request, in the Details panel, click Logs.

You can also see historical approvals using the Logs Explorer.

Go to Cloud Logging

If you have enabled Cloud Audit Logs on your project, you can filter by the Audited Resource accessapproval.googleapis.com.

cURL

curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
    https://accessapproval.googleapis.com/v1/projects/[PROJECT_ID]/approvalRequests?filter=ALL

By default, the API lists all unapproved requests plus approved, non-expired requests. The filter parameter selects other subsets, such as all dismissed requests. For more information, see Access Approval API.

You receive a list of historical access approvals together with status.

{
  "approvalRequests": [
    {
      "name": "projects/123456/approvalRequests/xyzabc123",
      "requestedResourceName": "projects/123456",
      "requestedReason": {
        "detail": "Case number: bar123",
        "type": "CUSTOMER_INITIATED_SUPPORT"
      },
      "requestedLocations": {
        "principalOfficeCountry": "US",
        "principalPhysicalLocationCountry": "US"
      },
      "requestTime": "2018-08-30T17:49:13.712Z",
      "requestedExpiration": "2018-09-04T17:49:13.540Z",
      "approve": {
        "approveTime": "2018-08-30T17:49:15.737Z",
        "expireTime": "2018-09-04T17:49:13.540Z"
      }
    }
  ]
}

What's next