Overview of Access Approval

Access Approval ensures that Cloud Customer Care and engineering require your explicit approval whenever they need to access your customer content. Each approval is cryptographically signed so that its integrity can be verified.


Google Cloud offers industry-leading controls to prevent unauthorized access to your customer content by Customer Care and engineering teams.

Some customers require the ability to directly manage access to their customer content by Google personnel, and to grant explicit approval every time their customer content is accessed. Access Approval solves this problem for you.

Access Approval helps in implementing the security principle of least privilege, which states that nobody should have more permissions and access than they need. Even after you provide access, Google personnel can only view the content that is absolutely essential to fulfill an obligation to provide a contracted service. For example, front-line customer support personnel can only access information about customer environments that is absolutely essential for debugging customer support issues.

For more information about why Google employees might need to access customer content and about Google's privileged access principles, see Privileged access at Google.

Access Approval provides an additional layer of control on top of the transparency that Access Transparency logs provide. Access Transparency provides logs that capture the actions Google personnel take when accessing your content. Access Approval also provides a historical view of all requests that were approved, dismissed, or expired.

How Access Approval works

Access Approval works by sending you an email or Pub/Sub message with an access request that you can choose to approve.

Using the information in the message, you can use the Google Cloud Console or the Access Approval API to approve or decline the access. Access Approval uses a cryptographic key to sign the access request. This signature is used to verify the integrity of the access approval. You can either use a Google-managed signing key or bring your own signing key.

Using a Google-managed signing key is the default option. If you want to use your own signing key, you can create one using Cloud KMS or bring an externally-managed key using Cloud EKM. For more information about getting started with using a custom signing key, see Set up Access Approval using a custom signing key.
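One way to pre-screen the Pub/Sub notification described above before a person approves or declines it, as an added example that is not Google's code. It assumes the message data is the ApprovalRequest resource as JSON; the function names, the allowlists and the sample values are hypothetical.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Assumptions: the reason types this organization routes to its normal
# approvers, and the resources it expects requests for (constructed IDs).
ROUTINE_REASONS = {"CUSTOMER_INITIATED_SUPPORT"}
EXPECTED_RESOURCES = {"//cloudresourcemanager.googleapis.com/projects/123456"}


def triage(message: dict, now: datetime) -> tuple[str, str]:
    """Return (decision, why): 'review', 'escalate' or 'ignore'.

    Never approves anything; it only routes the request to a human.
    """
    try:
        req = json.loads(base64.b64decode(message["data"], validate=True))
        name = str(req["name"])
        resource = str(req["requestedResourceName"])
        reason = str(req["requestedReason"]["type"])
        # RFC 3339 timestamp: drop fractional seconds, normalise the Z suffix.
        stamp = re.sub(r"\.\d+", "", str(req["requestedExpiration"]))
        expires = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if expires.tzinfo is None:
            raise ValueError("timestamp without a UTC offset")
    except (KeyError, TypeError, ValueError):
        # Unparseable input is never acted on; the request stays unapproved.
        return "ignore", "unparseable notification"
    if expires <= now:
        return "ignore", f"{name}: requested access window is over"
    if resource not in EXPECTED_RESOURCES:
        return "escalate", f"{name}: unexpected resource {resource}"
    if reason not in ROUTINE_REASONS:
        return "escalate", f"{name}: reason {reason} needs security review"
    return "review", f"{name}: {reason} on {resource}"


def sample_message(**overrides) -> dict:
    """Constructed sample notification, not a captured message."""
    req = {
        "name": "projects/123456/approvalRequests/EXAMPLE",
        "requestedResourceName": "//cloudresourcemanager.googleapis.com/projects/123456",
        "requestedReason": {"type": "CUSTOMER_INITIATED_SUPPORT"},
        "requestedExpiration": "2030-01-02T00:00:00Z",
    }
    req.update(overrides)
    return {"data": base64.b64encode(json.dumps(req).encode()).decode()}
```

The approve or decline decision itself still happens in the Google Cloud Console or through the Access Approval API; compare the assumed payload layout against a real notification before relying on it.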

Google services that support Access Approval

Access Approval lets you select the Google Cloud services you want to enroll in Access Approval. Access Approval requests your consent only for access requests to content stored in the services you select.

You have the following options for enrolling services in Access Approval:

  • Automatically enable Access Approval for all the supported services, regardless of the level of support (preview or GA). Selecting this option also automatically enrolls all the services that Access Approval supports in the future. This is the default option.
  • Only enable Access Approval for services with GA-level support. Selecting this option also automatically enrolls all the services that Access Approval supports in the future with GA-level support.
  • Choose the specific services you want to enroll in Access Approval.

For the complete list of services that Access Approval supports, see Supported services.

Access Approval exclusions

The following actions by Google don't trigger an Access Approval request:

  • System access to user content. These are programmatic, non-human accesses by authorized and reviewed Google processes, for example a compression job that runs on the content, or disk destruction during the content deletion process. These accesses are checked by our binary authorization functionality, which verifies that the job originates from code that was checked into production and reviewed by a second party.

  • Multi-customer outages with major widespread impact.

  • Any other exception documented in the Access Transparency exclusions. Anything that fails to generate an Access Transparency log also doesn't generate an Access Approval request.

Requirements for using Access Approval

Before you can use Access Approval, you must enable Access Transparency for your organization. Access Approval and Access Transparency both require your Google Cloud organization to have one of the following customer support levels:

Alternatively, you can choose one of the following Role-Based support packages:

  • Four or more Development roles.
  • Four or more Production roles.
  • A combination of four or more Development or Production roles.

If you aren't sure whether your Google Cloud organization has an appropriate Support package, check your Cloud Customer Care console:

Go to Customer Care

In the Support panel, you see either your Support status or the option to upgrade your package.

For more information about getting support with Customer Care, see Getting support with Cloud Customer Care.

If you have the required customer support level, you can enable Access Approval using the Google Cloud Console. To set up Access Approval, see the quickstarts.

Requirements for a custom signing key

Using the default Google-managed signing key doesn't require any additional configuration. To use your own signing key, you can either create an asymmetric signing key using Cloud Key Management Service or use Cloud External Key Manager to host an externally-managed signing key.

If you want to use an externally-managed signing key, we recommend that you enable Cloud EKM. For more information about using Cloud EKM for managing keys that aren't stored in Google Cloud, see Managing Cloud EKM keys.
