Securing the Google Cloud Console and the Google Cloud APIs

Context-Aware Access for the Cloud Console and the Google Cloud APIs restricts access to the Cloud Console and the Google Cloud APIs with context-based rules. It builds on top of the existing Context-Aware Access suite (Endpoint Verification and Access Context Manager) and helps to ensure that individuals and groups within your organization satisfying the defined access requirements are able to access the Cloud Console and the Google Cloud APIs (including via the gcloud command-line tool).

This feature can be set up with the following steps:

  1. [Optional] Deploy Endpoint Verification to devices in your organization.
  2. Create an access level in Access Context Manager.
  3. Create a group of users to be bound by Context-Aware Access restrictions.
  4. Obtain the required Identity and Access Management permissions.
  5. Create an access binding that enforces context-aware rules for the Cloud Console and the Google Cloud APIs.

[Optional] Deploying Endpoint Verification

Endpoint Verification allows you to build an inventory of devices that are accessing your organization's data. As part of a Context-Aware Access solution, it also provides critical device trust and security-based access control, and can help enforce fine-grained access control on your Google Cloud resources.

Endpoint Verification runs as a Chrome extension on desktops and laptops for users of Mac, Windows, and Linux. An admin can deploy it to the organization's company-owned devices from the Google Workspace Admin Console or members of the organization can install it themselves.

Creating an access level

You'll need to define an access level that will be used when determining access to the Cloud Console and the Google Cloud APIs by creating a basic access level in Access Context Manager.

Creating a group of users

Create a group of users that should be bound by Context-Aware Access restrictions. Any users in this group who are also members of your organization must satisfy the access level created earlier to access the Cloud Console and the Google Cloud APIs.

Granting the required IAM permissions

Grant the IAM permissions at the organization level that will be required to create Access Context Manager access bindings.

Console

  1. Go to the IAM & Admin page in the Cloud Console.

  2. Click Add and configure the following:

    • New members: Specify the user or group you want to grant the permissions.
    • Select a role: Select Access Context Manager > Cloud Access Binding Admin.
  3. Click Save.

gcloud

  1. Ensure that you are authenticated with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin role.

    Once you've confirmed you have the right permissions, log in with:

    gcloud auth login
    
  2. Assign the GcpAccessAdmin role by running the following command:

    gcloud organizations add-iam-policy-binding ORG_ID \
      --member=user:EMAIL \
      --role=roles/accesscontextmanager.gcpAccessAdmin
    
    • ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:

       gcloud organizations list
      
    • EMAIL is the email address of the person or group you want to grant the role.

Creating an access binding

You can now create an access binding, which is a mapping between the group of users you created earlier and the Access Context Manager access level you defined for accessing the Cloud Console and Google Cloud APIs.

Console

  1. Go to the Context-Aware Access page in the Cloud Console.

  2. Click Select to begin the process by choosing an organization.

  3. Choose an organization and click Select.

  4. Click Manage access to choose which user groups should have access.

  5. Click Add and configure the following:

    • Member groups: Specify the group you want to grant access.
    • Select access levels: Choose the access level that should be applied to the group.
  6. Click Save.

API

  1. Craft a request body:

    {
      "groupKey": "GROUP_ID",
      "accessLevels": [ "ACCESS_LEVEL" ]
    }
    
    • Replace GROUP_ID with the Group ID for the group of users you created earlier.

    • ACCESS_LEVEL is in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. The values for POLICY_ID and ACCESS_LEVEL_NAME can be found in Access Context Manager from when you created the access level.

  2. Create the access binding by calling the gcpUserAccessBindings endpoint, replacing ORG_ID with the ID of the organization you used when granting the GcpAccessAdmin role:

    POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
    

    This returns a GcpUserAccessBinding resource as a response, which is formatted as:

    {
      // Unique name for the access binding, in the form
      // "organizations/ORG_ID/gcpUserAccessBindings/BINDING_ID"
      name: string,
    
      // Unique Group ID.
      group_key: string,
    
      // The access level that users of the group must satisfy, in the form
      // "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
      access_levels: [ string ]
    }
    

Verifying success

Once the access bindings have been set up for a group of users, access to the Cloud Console and Google Cloud APIs should be controlled based on satisfaction of the bound access level.

You can verify that the binding was created successfully, edit it, or delete it.

Console

After you've created an access binding, all access bindings for the organization are displayed and can be edited or deleted as required.

API

  • To view all the access bindings in an organization:

    GET https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings
    

    This returns a list of GcpUserAccessBinding resources.

  • To modify an access binding, such as to change the access level, craft a request body that defines the change and then call the endpoint with the name of the resource:

    {
      "accessLevels": [ "ACCESS_LEVEL" ]
    }
    

    Format the value for ACCESS_LEVEL in the same way as when the binding was created.

    PATCH https://accesscontextmanager.googleapis.com/v1/GCP_USER_ACCESS_BINDING_NAME?update_mask=access_levels
    

    Replace GCP_USER_ACCESS_BINDING_NAME with the unique string returned for the name identifier when the access binding was created.

  • To delete a particular GcpUserAccessBinding resource, call the endpoint with the name of the resource:

    DELETE https://accesscontextmanager.googleapis.com/v1/GCP_USER_ACCESS_BINDING_NAME
    

    Replace GCP_USER_ACCESS_BINDING_NAME with the unique string returned for the name identifier when the access binding was created.
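The following is an added example, not code from the Google documentation, that wraps the create, list, modify and delete calls described in the two API sections above in one small urllib client. It assumes a bearer token obtained out of band (for example from `gcloud auth print-access-token`) for a principal holding the GcpAccessAdmin role; ORG_ID, GROUP_ID and the access level names used in the comments are placeholders, and the format checks on ACCESS_LEVEL and the binding name are added here to fail early rather than create a binding that can never be satisfied.

```python
import json
import re
import urllib.request

BASE = "https://accesscontextmanager.googleapis.com/v1"
# Shapes given on the page for an access level and for a binding's "name".
ACCESS_LEVEL_RE = re.compile(r"^accessPolicies/[^/]+/accessLevels/[^/]+$")
BINDING_NAME_RE = re.compile(r"^organizations/[^/]+/gcpUserAccessBindings/[^/]+$")


def check_access_level(name):
    """Reject a malformed ACCESS_LEVEL before it reaches the API. A binding to a level
    that does not resolve can never be satisfied, so the bound group would be locked out."""
    if not ACCESS_LEVEL_RE.match(name):
        raise ValueError(f"expected accessPolicies/POLICY_ID/accessLevels/NAME, got {name!r}")
    return name


def check_binding_name(name):
    if not BINDING_NAME_RE.match(name):
        raise ValueError(f"expected organizations/ORG_ID/gcpUserAccessBindings/BINDING_ID, got {name!r}")
    return name


# Each builder returns (method, url, json_body_or_None) so requests can be inspected before sending.
def create_binding(org_id, group_id, access_level):
    body = {"groupKey": group_id, "accessLevels": [check_access_level(access_level)]}
    return "POST", f"{BASE}/organizations/{org_id}/gcpUserAccessBindings", body


def list_bindings(org_id):
    return "GET", f"{BASE}/organizations/{org_id}/gcpUserAccessBindings", None


def update_binding(binding_name, access_level):
    # update_mask limits the PATCH to the access_levels field, as on the page.
    body = {"accessLevels": [check_access_level(access_level)]}
    return "PATCH", f"{BASE}/{check_binding_name(binding_name)}?update_mask=access_levels", body


def delete_binding(binding_name):
    return "DELETE", f"{BASE}/{check_binding_name(binding_name)}", None


def send(request, token):
    """Perform one of the descriptors above against the live API (network call)."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Listing the bindings after a create or modify (`send(list_bindings(ORG_ID), token)`) is the API equivalent of the console's "Verifying success" view.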

Frequently asked questions

  • How long does it take for a newly created access binding to take effect?

    It might take up to 24 hours.

  • What happens if I delete a group which has an access binding?

    The binding is deleted along with the group, and all users who were in the group are allowed access.

  • What happens if I delete the access level which is used in an access binding?

    The access level can never be satisfied and all users of the bound group are denied access.

  • What happens when a user is in multiple groups that have access bindings?

    The user only needs to satisfy the access level of one of those groups to gain access.

  • What about users who aren't part of my organization?

    Anyone not part of your organization is not subject to the access binding, even if you've added them to the group of users that should be bound by Context-Aware Access restrictions.
