Overview of Access Approval

Access Approval ensures that Cloud Customer Care and engineering require your explicit approval whenever they need to access your customer content. The approval is cryptographically verified to ensure the integrity of the access approval.

If you want the ability to directly manage access to your content by Google personnel, we recommend using Access Approval.


Access Approval helps in implementing the security principle of least privilege, which states that nobody should have more permissions and access than they need. Even after you provide access, Google personnel can only view the content that is absolutely essential to fulfill an obligation to provide a contracted service. For example, front-line customer support personnel can only access information about customer environments that is absolutely essential for debugging customer support issues.

For more information about why Google employees might need to access customer content and about Google Cloud's privileged access principles, see Privileged access at Google Cloud.

To learn about the core principles behind Google Cloud's administrative access controls, see Overview of administrative access controls.

Access Approval provides an additional layer of control on top of the transparency that Access Transparency logs provide. Access Transparency provides logs that capture the actions Google personnel take when accessing your content. Access Approval also provides a historical view of all requests that were approved, dismissed, or expired.

How Access Approval works

Access Approval works by sending you an email or Pub/Sub message with an access request that you can choose to approve.

Using the information in the message, you can use the Google Cloud console or the Access Approval API to approve or decline the access. Access Approval uses a cryptographic key to sign the access request. This signature is used to verify the integrity of the access approval. You can either use a Google-managed signing key or bring your own signing key.

Using a Google-managed signing key is the default option. If you want to use your own signing key, you can create one using Cloud KMS or bring an externally-managed key using Cloud EKM. For more information about getting started with using a custom signing key, see Set up Access Approval using a custom signing key.

Google services that support Access Approval

Access Approval lets you select the Google Cloud services you want to enroll in Access Approval. Access Approval requests your consent only for access requests to content stored in the services you select.

You have the following options for enrolling services in Access Approval:

  • Automatically enable Access Approval for all the supported services, regardless of the level of support (preview or GA). Selecting this option also automatically enrolls all the services that Access Approval supports in future. This is the default option.
  • Only enable Access Approval for services with GA-level support. Selecting this option also automatically enrolls all the services that Access Approval supports in future with GA-level support.
  • Choose the specific services you want to enroll in Access Approval.

For the complete list of services that Access Approval supports, see Supported services.

Access Approval exclusions

The following actions by Google don't trigger an Access Approval request:

Large-scale service interruptions that require emergency response. Access Transparency logs will be generated when access to customer data occurs.

  • Any other exception documented in the Access Transparency exclusions. These exclusions from Access Transparency also apply to Access Approval requests.

Requirements for using Access Approval

You can enable Access Approval for a Google Cloud project, folder, or organization. Before enabling Access Approval, you must enable Access Transparency at the same level in the resource hierarchy or higher.

After enabling Access Transparency, you can use the Google Cloud console to enable Access Approval. To learn how to set up Access Approval, see the quickstarts.

Requirements for a custom signing key

Using the default Google-managed signing key doesn't require any additional configuration. To use your own signing key, you can either create an asymmetric signing key using Cloud Key Management Service or use Cloud External Key Manager to host an externally-managed signing key. For the limitations related to asymmetric signing keys supported by Cloud EKM, see Restrictions for asymmetric signing keys.

If you want to use an externally-managed signing key, we recommend that you enable Cloud EKM. For more information about using Cloud EKM for managing keys that aren't stored in Google Cloud, see Cloud EKM overview.

What's next