Configuring temporary access

This topic describes how to set temporary (expiring) access to Google Cloud resources using conditional role bindings in your Identity and Access Management (IAM) policies. By using the date/time attributes, you can enforce time-based controls when accessing a given resource. For example, you can grant temporary access to a project that starts and stops at a specified time or on a scheduled and recurring basis.

Before you begin

  • Read Conditions Overview to understand the basics of IAM conditional role bindings.
  • Review the date/time attributes that can be used in a condition expression.
  • Date/time attributes are currently supported by all Google Cloud services.

Granting temporary access

A conditional role binding can be used to grant time-bounded access to a resource, ensuring that a user can no longer access the resource after the specified expiry date and time.

Consider the following scenario: the company ExampleCo's information security policy emphasizes that no employee should have indefinite access to resources in production projects. Previously, the admins have been manually setting and deleting IAM role bindings to meet the engineers' emergency needs. To reduce administrative overhead, ExampleCo can instead configure a conditional role binding with a date/time condition to set an end date for the binding.

To grant expirable access to a project resource:

Console

  1. In the Cloud Console, go to the IAM page.

  2. From the list of members, locate the desired member and click the button.

  3. From the Edit permissions panel, locate the desired role to configure a condition for. Then under Condition, click Add condition.

  4. In the Edit condition panel, enter a title and optional description for the condition.

  5. You can add a condition expression using either the Condition Builder or the Condition Editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using CEL syntax.

    Condition Builder:

    1. From the Condition type drop-down, select Expiring Access.
    2. From the Operator drop-down, select by.
    3. From the Time drop-down, click the button to select from a date and time range.
    4. Click Save to apply the condition.
    5. Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your IAM policy.

    Condition Editor:

    1. Click the Condition Editor tab and enter the following expression (replacing the timestamp with your own):

      request.time < timestamp("2020-07-01T00:00:00.000Z")
    2. After entering your expression, you can optionally choose to validate the CEL syntax by clicking Run Linter above the text box on the top-right.

    3. Click Save to apply the condition.

    4. Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your IAM policy.

gcloud command

IAM policies are set using the read-modify-write pattern.

Execute the gcloud projects get-iam-policy command to get the current IAM policy for the project. In the following example, the JSON version of the policy is downloaded to a path on disk.

Command:

gcloud projects get-iam-policy project-id --format=json > filepath

The JSON format of the IAM policy is downloaded:

{
  "bindings": [
    {
      "members": [
        "user:project-owner@example.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:travis@example.com"
      ],
      "role": "roles/iam.securityReviewer"
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 1
}

To configure the policy with expirable access, add the following condition to the binding (replacing the timestamp with your own). If you are not using version 263.0.0 or newer of the gcloud tool, ensure that you've updated the version value to 3. If you are using a newer version of the gcloud tool, the maximum policy version will be set for you automatically:

{
  "bindings": [
    {
      "members": [
        "user:project-owner@example.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:travis@example.com"
      ],
      "role": "roles/iam.securityReviewer",
      "condition": {
        "title": "Expires_July_1_2020",
        "description": "Expires on July 1, 2020",
        "expression":
          "request.time < timestamp('2020-07-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 3
}

Next, set the new policy by executing the gcloud projects set-iam-policy command:

gcloud projects set-iam-policy project-id filepath

The new policy is applied, and travis@example.com's role grant will expire at the specified time.
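The "modify" step above is done by hand-editing the downloaded JSON. The following Python script is an added example, not part of this page and not code from the gcloud tool or the IAM API; it performs that step on the file written by get-iam-policy, so the result can be passed straight to set-iam-policy. It moves the member onto its own binding that carries the condition (a condition applies to every member of the binding it sits on, so other members of a shared binding must keep their unconditional grant), raises the policy version to 3, and carries the etag over unchanged. The script name, its argument order, and the title/description format are assumptions.

```python
# Added example (not gcloud's or the IAM API's own code): the "modify" step of
# the read-modify-write pattern, applied to the policy JSON that
# `gcloud projects get-iam-policy project-id --format=json` writes to disk.
import copy
import json
import sys
from datetime import datetime


def expiring_expression(deadline: str) -> str:
    """Build the page's expiry condition, checking that the deadline is an
    RFC 3339 UTC timestamp in the form the page uses, e.g. '2020-07-01T00:00:00.000Z'."""
    datetime.strptime(deadline, "%Y-%m-%dT%H:%M:%S.%fZ")  # raises ValueError if malformed
    return f"request.time < timestamp('{deadline}')"


def add_conditional_binding(policy: dict, member: str, role: str,
                            title: str, expression: str, description: str = "") -> dict:
    """Return a copy of `policy` in which `member` holds `role` only while `expression` is true.

    A condition applies to every member of the binding it sits on, so the member is
    first removed from any unconditional binding for the role; other members of that
    binding keep their unconditional grant. The etag is carried over unchanged: IAM
    uses it for optimistic concurrency and rejects the write if the policy changed
    since it was read. Conditions require policy version 3.
    """
    if not policy.get("etag"):
        raise ValueError("policy has no etag; read it with get-iam-policy first")
    updated = copy.deepcopy(policy)
    updated["version"] = max(3, int(updated.get("version", 1)))

    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # drop a binding that became empty
            kept.append(binding)

    condition = {"title": title, "expression": expression}
    if description:
        condition["description"] = description
    kept.append({"role": role, "members": [member], "condition": condition})
    updated["bindings"] = kept
    return updated


if __name__ == "__main__":
    # Assumed usage: python add_expiry.py policy.json member role deadline > new-policy.json
    # then:          gcloud projects set-iam-policy project-id new-policy.json
    path, member, role, deadline = sys.argv[1:5]
    with open(path) as f:
        current = json.load(f)
    new_policy = add_conditional_binding(
        current, member, role,
        title=f"Expires_{deadline[:10]}",
        expression=expiring_expression(deadline),
        description=f"Expires on {deadline}",
    )
    json.dump(new_policy, sys.stdout, indent=2)
```

Run it on the policy downloaded above with the member, role and deadline from this section and the output matches the hand-edited policy: the binding for travis@example.com gains the condition, the owner binding is untouched, the etag is preserved and the version becomes 3. If the policy was changed by someone else between the read and the write, set-iam-policy rejects the stale etag and you repeat the cycle rather than overwriting their change.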

REST API

Use the read-modify-write pattern to allow access until a specific time.

First, read the IAM policy for the project:

The Resource Manager API's projects.getIamPolicy method gets a project's IAM policy.

Before using any of the request data below, make the following replacements:

  • project-id: Your Google Cloud project ID.
  • policy-version: The policy version to return. Specify 3, the version required when a policy contains conditional role bindings.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/v1/projects/project-id:getIamPolicy

Request JSON body:

{
  "options": {
    "requestedPolicyVersion": policy-version
  }
}


You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:project-owner@example.com"
      ]
    },
    {
      "role": "roles/iam.securityReviewer",
      "members": [
        "user:travis@example.com"
      ]
    }
  ]
}

Next, modify the policy so that it allows access until a specific time. Make sure to change the version field to the value 3:

{
  "version": 3,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:project-owner@example.com"
      ]
    },
    {
      "role": "roles/iam.securityReviewer",
      "members": [
        "user:travis@example.com"
      ],
      "condition": {
        "title": "Expires_July_1_2020",
        "description": "Expires on July 1, 2020",
        "expression":
          "request.time < timestamp('2020-07-01T00:00:00.000Z')"
      }
    }
  ]
}

Finally, write the updated policy:

The Resource Manager API's projects.setIamPolicy method sets the policy in the request as the project's new IAM policy.

Before using any of the request data below, make the following replacements:

  • project-id: Your Google Cloud project ID.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/v1/projects/project-id:setIamPolicy

Request JSON body:

{
  "policy": {
    "version": 3,
    "etag": "BwWKmjvelug=",
    "bindings": [
      {
        "role": "roles/owner",
        "members": [
          "user:project-owner@example.com"
        ]
      },
      {
        "role": "roles/iam.securityReviewer",
        "members": [
          "user:travis@example.com"
        ],
        "condition": {
          "title": "Expires_July_1_2020",
          "description": "Expires on July 1, 2020",
          "expression":
            "request.time < timestamp('2020-07-01T00:00:00.000Z')"
        }
      }
    ]
  }
}


The response contains the updated policy.


Managing access based on days/hours of the week

A conditional role binding can be used to grant access to a resource only within certain days or hours of the week on a recurring basis.

Consider the following scenario: the company ExampleCo has a quality assurance project. The entire QA team is required to have highly-privileged roles to complete their work. ExampleCo has to abide by labor laws in their location, which limit work hours to Monday through Friday from 9 AM to 5 PM. ExampleCo can use date/time conditions to ensure that their employees are only able to access Google Cloud during the work week and during scheduled work hours.

To grant access to a project resource for only certain days or hours of the week on a recurring basis:

Console

  1. In the Cloud Console, go to the IAM page.

  2. From the list of members, locate the desired member and click the button.

  3. From the Edit permissions panel, locate the desired role to configure a condition for. Then under Condition, click Add condition.

  4. In the Edit condition panel, enter a title and optional description for the condition.

  5. You can add a condition expression using either the Condition Builder or the Condition Editor. The condition builder provides an interactive interface to select your desired condition type, operator, and other applicable details about the expression. The condition editor provides a text-based interface to manually enter an expression using CEL syntax.

    Condition Builder:

    1. Click Add.
    2. From the Condition type drop-down, select Time Schedule Day of Week.
    3. From the Operator drop-down, select After or On.
    4. From the Day of Week drop-down, select Monday.
    5. From the Choose a time zone drop-down, select your desired time zone from the list.
    6. Ensure that the And operator is selected on the left, and then click Add again.
    7. From the Condition type drop-down, select Time Schedule Day of Week.
    8. From the Operator drop-down, select Before or On.
    9. From the Day of Week drop-down, select Friday.
    10. From the Choose a time zone drop-down, select your desired time zone from the list.

    At this point, you've configured access only on Monday through Friday. Now, you will configure access from 9 AM (09:00) to 5 PM (17:00).

    1. Ensure that the And operator is selected on the left, and then click Add again.
    2. From the Condition type drop-down, select Time Schedule Hour of Day.
    3. From the Operator drop-down, select After or On.
    4. From the Hour of Day drop-down, select 9 (9 AM).
    5. From the Choose a time zone drop-down, select your desired time zone from the list.
    6. Ensure that the And operator is selected on the left, and then click Add again.
    7. From the Condition type drop-down, select Time Schedule Hour of Day.
    8. From the Operator drop-down, select Before or On. Note that for this selection, "on" will logically evaluate to all times between 17:00 (5 PM) and 17:59 (5:59 PM). To set access to expire at 4:59 PM, ensure the hour is set to 16 instead of 17.
    9. From the Hour of Day drop-down, select 17 (5 PM).
    10. From the Choose a time zone drop-down, select your desired time zone from the list.
    11. Click Save to apply the condition.
    12. Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your IAM policy.

    You've now configured access from Monday to Friday, 9 AM to 5 PM.

    Condition Editor:

    1. Click the Condition Editor tab and enter the following expression (replacing the placeholder values with your own):

      request.time.getHours("Europe/Berlin") >= 9 &&
      request.time.getHours("Europe/Berlin") <= 17 &&
      request.time.getDayOfWeek("Europe/Berlin") >= 1 &&
      request.time.getDayOfWeek("Europe/Berlin") <= 5

    2. After entering your expression, you can optionally choose to validate the CEL syntax by clicking Run Linter above the text box on the top-right.

    3. Click Save to apply the condition.

    4. Once the Edit condition panel is closed, click Save again from the Edit permissions panel to update your IAM policy.
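The hour and day-of-week comparisons in these conditions have boundary behaviour that is easy to misjudge: "Before or On 17" admits 17:00 through 17:59, the time zone argument decides which hour a UTC request time falls in, and CEL numbers days from 0 (Sunday) to 6 (Saturday), which is why 1 through 5 means Monday through Friday. The following Python script is an added example, not code from this page or from Google: it re-implements request.time.getHours and request.time.getDayOfWeek with Python's zoneinfo and evaluates this page's expiry condition and business-hours condition over constructed request times, so the exact moments at which a grant opens and closes can be checked before the policy is written. Function names, the sample times and the zone handling are assumptions; only the two expressions come from the page.

```python
# Added example (not Google's or gcloud's code): evaluate this page's two
# date/time conditions offline, mirroring CEL's request.time semantics.
from datetime import datetime, timezone
from zoneinfo import ZoneInfo


def parse_rfc3339_utc(value: str) -> datetime:
    """Parse a timestamp in the form the page uses, e.g. '2020-07-01T00:00:00.000Z'."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not an RFC 3339 UTC timestamp: {value!r}")


def cel_get_hours(request_time: datetime, tz: str) -> int:
    """CEL request.time.getHours(tz): the hour (0-23) in the named time zone."""
    return request_time.astimezone(ZoneInfo(tz)).hour


def cel_get_day_of_week(request_time: datetime, tz: str) -> int:
    """CEL request.time.getDayOfWeek(tz): 0 = Sunday ... 6 = Saturday in the named zone."""
    return request_time.astimezone(ZoneInfo(tz)).isoweekday() % 7


def expiring_access(request_time: datetime, deadline: str) -> bool:
    """The page's expiry condition: request.time < timestamp(deadline)."""
    return request_time < parse_rfc3339_utc(deadline)


def business_hours(request_time: datetime, tz: str = "Europe/Berlin",
                   first_hour: int = 9, last_hour: int = 17) -> bool:
    """The page's schedule condition:
    getHours(tz) >= first_hour && getHours(tz) <= last_hour &&
    getDayOfWeek(tz) >= 1 && getDayOfWeek(tz) <= 5.
    Because last_hour is compared with <=, 17 admits 17:00 through 17:59;
    pass last_hour=16 to have access end at 16:59, as the console note says."""
    hour = cel_get_hours(request_time, tz)
    day = cel_get_day_of_week(request_time, tz)
    return first_hour <= hour <= last_hour and 1 <= day <= 5


if __name__ == "__main__":
    # Constructed sample request times (UTC). June 15, 2020 is a Monday and
    # Europe/Berlin is at UTC+2 (CEST) in June.
    samples = [
        ("2020-06-15T07:30:00Z", "Monday 09:30 Berlin (07:30 UTC)"),
        ("2020-06-15T15:30:00Z", "Monday 17:30 Berlin, still admitted by <= 17"),
        ("2020-06-15T16:00:00Z", "Monday 18:00 Berlin"),
        ("2020-06-20T10:00:00Z", "Saturday 12:00 Berlin"),
    ]
    for raw, note in samples:
        t = parse_rfc3339_utc(raw)
        print(f"{raw}  {note:45}  business_hours={business_hours(t)}  "
              f"before_deadline={expiring_access(t, '2020-07-01T00:00:00.000Z')}")
```

Two of the sample times make the point: 07:30 UTC is inside business hours in Europe/Berlin but outside them if the zone argument is omitted or set to UTC, and 15:30 UTC (17:30 Berlin) is still admitted because the hour comparison is inclusive. Evaluating the expression this way before saving it is a cheap check that the window you configured is the window you meant.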

gcloud command

IAM policies are set using the read-modify-write pattern.

Execute the gcloud projects get-iam-policy command to get the current IAM policy for the project. In the following example, the JSON version of the policy is downloaded to a path on disk.

Command:

gcloud projects get-iam-policy project-id --format=json > filepath

The JSON format of the IAM policy is downloaded:

{
  "bindings": [
    {
      "members": [
        "user:project-owner@example.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:rita@example.com"
      ],
      "role": "roles/bigquery.dataViewer"
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 1
}

To configure the policy with scheduled access, add the following condition to the binding (replacing the placeholder values with your own). If you are not using version 263.0.0 or newer of the gcloud tool, ensure that you've updated the version value to 3. If you are using a newer version of the gcloud tool, the maximum policy version will be set for you automatically:

{
  "bindings": [
    {
      "members": [
        "user:project-owner@example.com"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:rita@example.com"
      ],
      "role": "roles/bigquery.dataViewer",
      "condition": {
        "title": "Business_hours",
        "description": "Business hours Monday-Friday",
        "expression": "request.time.getHours('Europe/Berlin') >= 9 && request.time.getHours('Europe/Berlin') <= 17 && request.time.getDayOfWeek('Europe/Berlin') >= 1 && request.time.getDayOfWeek('Europe/Berlin') <= 5"
      }
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 3
}

Next, set the new policy by executing the gcloud projects set-iam-policy command:

gcloud projects set-iam-policy project-id filepath

The new policy is applied, and rita@example.com's role grant will allow access between the specified days and times.

REST API

Use the read-modify-write pattern to allow scheduled access.

First, read the IAM policy for the project:

The Resource Manager API's projects.getIamPolicy method gets a project's IAM policy.

Before using any of the request data below, make the following replacements:

  • project-id: Your Google Cloud project ID.
  • policy-version: The policy version to return. Specify 3, the version required when a policy contains conditional role bindings.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/v1/projects/project-id:getIamPolicy

Request JSON body:

{
  "options": {
    "requestedPolicyVersion": policy-version
  }
}


You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:project-owner@example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:rita@example.com"
      ]
    }
  ]
}

Next, modify the policy to allow scheduled access. Add the following condition to the binding (replacing the placeholder values with your own), and ensure that you've updated the version value to 3:

{
  "etag": "BwWKmjvelug=",
  "version": 3,
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:project-owner@example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:rita@example.com"
      ],
      "condition": {
        "title": "Business_hours",
        "description": "Business hours Monday-Friday",
        "expression": "request.time.getHours('Europe/Berlin') >= 9 && request.time.getHours('Europe/Berlin') <= 17 && request.time.getDayOfWeek('Europe/Berlin') >= 1 && request.time.getDayOfWeek('Europe/Berlin') <= 5"
      }
    }
  ]
}

The Resource Manager API's projects.setIamPolicy method sets the policy in the request as the project's new IAM policy.

Before using any of the request data below, make the following replacements:

  • project-id: Your Google Cloud project ID.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/v1/projects/project-id:setIamPolicy

Request JSON body:

{
  "policy": {
    "etag": "BwWKmjvelug=",
    "version": 3,
    "bindings": [
      {
        "role": "roles/owner",
        "members": [
          "user:project-owner@example.com"
        ]
      },
      {
        "role": "roles/bigquery.dataViewer",
        "members": [
          "user:rita@example.com"
        ],
        "condition": {
          "title": "Business_hours",
          "description": "Business hours Monday-Friday",
          "expression": "request.time.getHours('Europe/Berlin') >= 9 && request.time.getHours('Europe/Berlin') <= 17 && request.time.getDayOfWeek('Europe/Berlin') >= 1 && request.time.getDayOfWeek('Europe/Berlin') <= 5"
        }
      }
    ]
  }
}


The response contains the updated policy.


Next steps