Viewing active and historical Access Approval requests

Stay organized with collections Save and categorize content based on your preferences.

This document explains how you can view all active and historical access requests for a project.

Before you begin

  • Ensure that you have set up Access Approval by following the instructions in the Quickstart.

  • Ensure that you have the Access Approval Viewer (roles/accessapproval.viewer) Identity and Access Management (IAM) role. For more information about IAM roles for Access Approval, see Access Approval roles.

View active access requests

To view all the active Access Approval requests in your project, do the following:

  1. In the Google Cloud console, go to the Access Approval page .

    Go to Access Approval

  2. Click Active.

    A table appears that lists all the access requests that are currently active.

  3. Optional: If you want to revoke an access request, click Revoke. Then, click Revoke in the dialog box that appears.

    Note that revocation can take up to 30 seconds to propagate.

  4. Optional: To see the details of any access request, click Details in the Details & logs column.

  5. Optional: To view the Cloud Audit Logs or the Access Transparency logs, click Logs on the Request details page.

    Cloud Audit Logs provide information about the approval and dismissal actions taken by members within your organization. For more information, see Cloud Audit Logs overview.

    Access Transparency logs provide information about the actions taken by Google personnel when accessing customer content. For more information, see Access Transparency overview.

View historical access requests

Console

  1. Go to the Access Approval page in the Google Cloud console.

    Go to Access Approval

  2. Click History.

    A table appears that includes all approved, auto-approved, dismissed, and expired requests.

    List of approved, auto-approved, dismissed, and expired access requests.

  3. Optional: If you want to see the details of any access request, click Details in the Details & logs column.

  4. Optional: To view the Cloud Audit Logs or the Access Transparency logs, click Logs on the Request details page.

    Cloud Audit Logs provide information about the approval and dismissal actions taken by members within your organization. For more information, see Cloud Audit Logs overview.

    Access Transparency logs provide information about the actions taken by Google personnel when accessing customer content. For more information, see Access Transparency overview.

You can also see historical approvals using the Logs Explorer.

Go to Cloud Logging

If you enable Cloud Audit Logs in your Google Cloud project, you can filter by the Audited Resource accessapproval.googleapis.com.

cURL

curl -H "$(oauth2l header --json service-account-credentials.json cloud-platform)" \
          https://accessapproval.googleapis.com/v1/projects/PROJECT_ID/approvalRequests?filter=ALL

By default, the API lists all unapproved, approved, auto-approved, and non-expired requests. There is a filter parameter to do tasks such as listing all dismissed requests. For more information, see Access Approval API.

You receive a list of historical access approvals with their status.

{
  "approvalRequests": [
    {
      "name": "projects/123456/approvalRequests/xyzabc123",
      "requestedResourceName": "projects/123456",
      "requestedReason": {
        "detail":  "Case number: bar123"
        "type":  "CUSTOMER_INITIATED_SUPPORT"
      },
      "requestedLocations": {
        "principalOfficeCountry": "US",
        "principalPhysicalLocationCountry": "US"
      },
      "requestTime": "2018-08-30T17:49:13.712Z",
      "requestedExpiration": "2018-09-04T17:49:13.540Z",
      "approve": {
        "approveTime": "2018-08-30T17:49:15.737Z",
        "expireTime": "2018-09-04T17:49:13.540Z"
      }
    }
  ]
}

What's next