Stay organized with collections
Save and categorize content based on your preferences.
Review and approve access requests using a custom signing key
This document shows how to set up Access Approval using the
Google Cloud console and a custom signing key to receive email notifications of
access requests on a project.
Access Approval ensures that a cryptographically-signed approval
is present for Google personnel to access your content stored on
Google Cloud.
Access Approval lets you bring your own cryptographic key to sign the
access request. You can create a key using Cloud Key Management Service or bring an
externally-managed key using Cloud External Key Manager.
In the dialog, select the enrollment mode for your policy
and click Enroll.
Access Approval primary enrollment mode
You can configure Access Approval in one of three modes, and can change
the mode at any time in the Access Approval settings. The following
modes can be selected:
Transparency (Recommended): Use this mode to only log Google administrative
access into your workloads without interrupting Google's support for your
support cases or proactive maintenance on your workloads. See the
Access Transparency docs for more
information.
Streamlined support (Preview): Use this mode to automatically approve Customer Care
access to work on your support cases. Proactive maintenance and repair access will be requested for approval with Access Approval. This feature is in the Preview launch stage.
Access Approval: Use this mode to enable full Access Approval functionality for all accesses.
Access Transparency logs are generated automatically for all Access Approval policies.
Configure settings
On the Access Approval page in the Google Cloud console, click
settingsManage settings.
Select services
Access Approval settings, including the list of enabled products, are inherited from the parent resource. You can expand the scope of enrollment by enabling Access Approval for all or selected additional services supported services.
Set up email notifications
This section explains how you can receive access request notifications for this
project.
Grant the required IAM role
To view and approve access requests, you must have the Access Approval Approver
(roles/accessapproval.approver) IAM role.
To grant this IAM role to yourself, do the following:
For example, the email address is service-p123456789@gcp-sa-accessapproval.iam.gserviceaccount.com
for a service account in a project whose project number is 123456789.
To use your signing key, do the following:
On the Access Approval page in the Google Cloud console, select
Use a Cloud KMS signing key (advanced).
Add the crypto key version resource ID.
The crypto key version resource ID must have the following form:
To use a custom signing key, you must provide the
Cloud KMS CryptoKey Signer/Verifier
(roles/cloudkms.signerVerifier) IAM
role to the Access Approval service account for your project.
If the Access Approval service account doesn't have the permissions
to sign with the key you provided, you can grant the required permissions by
clicking Grant. After granting the permissions, click Save.
Review Access Approval requests
Now that you have enrolled in Access Approval and added yourself as an
approver for access requests, you can expect to receive email notifications for
access requests.
The following image shows a sample email notification that Access Approval
sends when Google personnel request access to Customer Data.
To review and approve an incoming access request, do the following:
Go to the Access Approval page in the Google Cloud console.
To be taken to this page, you can also click the link in the email
sent to you with the approval request.
Click Approve.
After you approve the request, Google personnel with
characteristics matching
the approval, such as, same justification, location, or desk location
can access the specified resource and its child resources within the approved
timeframe.
Clean up
To unenroll from Access Approval, do the following:
On the Access Approval page in the Google Cloud console,
click Manage settings.
Click Unenroll.
In the dialog that opens, click Unenroll.
To disable Access Transparency for your organization, contact Cloud Customer Care.
No additional steps are required to avoid incurring charges to your account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eAccess Approval allows you to ensure that Google personnel have a cryptographically-signed approval before accessing your content stored on Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eYou can enroll in Access Approval, configure settings for supported services, and set up email notifications to receive access request alerts.\u003c/p\u003e\n"],["\u003cp\u003eTo review and approve access requests, you must be granted the Access Approval Approver IAM role and add yourself as an approver within the Access Approval settings.\u003c/p\u003e\n"],["\u003cp\u003eAccess Approval utilizes a signing key, and you have the option to use a custom signing key managed through Cloud KMS or an externally-managed key via Cloud EKM.\u003c/p\u003e\n"],["\u003cp\u003eYou can unenroll from Access approval at any time, and to disable Access Transparency you must contact Cloud Customer Care.\u003c/p\u003e\n"]]],[],null,["# Quickstart: Review access requests using a custom signing key\n\nReview and approve access requests using a custom signing key\n=============================================================\n\nThis document shows how to set up Access Approval using the\nGoogle Cloud console and a custom signing key to receive email notifications of\naccess requests on a project.\n\nAccess Approval ensures that a cryptographically-signed approval\nis present for Google personnel to access your content stored on\nGoogle Cloud.\n\nAccess Approval lets you bring your own cryptographic key to sign the\naccess request. You can create a key using Cloud Key Management Service or bring an\nexternally-managed key using Cloud External Key Manager.\n\nBefore you begin\n----------------\n\n- Enable [Access Transparency](/assured-workloads/access-transparency/docs/overview) for your organization. For more information, see [Enabling Access Transparency](/assured-workloads/access-transparency/docs/enable).\n- Ensure that you have the [Access Approval Config Editor](/iam/docs/understanding-roles#access-approval-roles) (`roles/accessapproval.configEditor`) IAM role.\n\nEnroll in Access Approval\n-------------------------\n\nTo enroll in Access Approval, do the following:\n\n1. In the Google Cloud console, select the project for which you want to\n enable Access Approval.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n2. Go to the **Access Approval** page.\n\n [Go to Access Approval](https://console.cloud.google.com/security/access-approval)\n3. To enroll in Access Approval, click **Enroll**.\n\n4. In the dialog, select the [enrollment mode](#enrollment-mode) for your policy\n and click **Enroll**.\n\n### Access Approval primary enrollment mode\n\nYou can configure Access Approval in one of three modes, and can change\nthe mode at any time in the Access Approval settings. The following\nmodes can be selected:\n\n1. Transparency (Recommended): Use this mode to only log Google administrative access into your workloads without interrupting Google's support for your support cases or proactive maintenance on your workloads. See the [Access Transparency docs](/assured-workloads/access-transparency/docs) for more information.\n2. Streamlined support (Preview): Use this mode to automatically approve Customer Care access to work on your support cases. Proactive maintenance and repair access will be requested for approval with Access Approval. This feature is in the Preview launch stage.\n3. Access Approval: Use this mode to enable full Access Approval functionality for all accesses.\n\nAccess Transparency logs are generated automatically for all Access Approval policies.\n\nConfigure settings\n------------------\n\nOn the **Access Approval** page in the Google Cloud console, click\nsettings**Manage settings**.\n\n\n### Select services\n\nAccess Approval settings, including the list of enabled products, are inherited from the parent resource. You can expand the scope of enrollment by enabling Access Approval for all or selected additional services [supported services](/assured-workloads/access-approval/docs/supported-services).\n\n### Set up email notifications\n\nThis section explains how you can receive access request notifications for this\nproject.\n\n#### Grant the required IAM role\n\n\nTo view and approve access requests, you must have the Access Approval Approver\n(`roles/accessapproval.approver`) IAM role.\n\n\nTo grant this IAM role to yourself, do the following:\n\n1. Go to the **IAM** page in the Google Cloud console.\n\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam?supportedpurview=project)\n2. In the **View by principals** tab, click person_add**Grant access**.\n3. In the **New principals** field in the right pane, enter your email address.\n4. Click the **Select a role** field, and select the **Access Approval Approver** role from the menu.\n5. Click **Save**.\n\n#### Add yourself as an approver for Access Approval requests\n\nTo add yourself as an approver so you can review and approve access requests, do\nthe following:\n\n1. Go to the **Access Approval** page in the Google Cloud console.\n\n [Go to Access Approval](https://console.cloud.google.com/security/access-approval)\n2. Click settings**Manage settings**.\n\n3. Under **Set up approval notifications** , add your email address in the\n **User or group email** field.\n\n4. To save the notification settings, click **Save**.\n\n### Use a custom signing key\n\nAccess Approval uses a signing key to verify the integrity of the\nAccess Approval request.\n\nIf you have Cloud EKM enabled, you can\nchoose an externally-managed signing key. For information about using external\nkeys, see [Cloud EKM overview](/kms/docs/ekm#overview).\n\nYou can also choose to create a Cloud KMS signing key with\nan algorithm of your choice. For more information, see\n[Creating asymmetric keys](/kms/docs/creating-asymmetric-keys).\n\nTo use a custom signing key, follow the instructions in this section.\n\n**Get the email address of the service account**\n\nThe email address for the service account is of the following form: \n\n service-\u003cvar translate=\"no\"\u003ep\u003c/var\u003e\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e@gcp-sa-accessapproval.iam.gserviceaccount.com\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e with the project number.\n\nFor example, the email address is `service-p123456789@gcp-sa-accessapproval.iam.gserviceaccount.com`\nfor a service account in a project whose project number is `123456789`.\n\nTo use your signing key, do the following:\n\n1. On the **Access Approval** page in the Google Cloud console, select\n **Use a Cloud KMS signing key (advanced)**.\n\n2. Add the crypto key version resource ID.\n\n The crypto key version resource ID must have the following form: \n\n ```\n projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING_ID/cryptoKeys/CRYPTOKEY_ID/cryptoKeyVersions/KEY_ID\n ```\n\n For more information, see [Getting a Cloud KMS resource ID](/kms/docs/getting-resource-ids).\n3. To save your settings, click **Save**.\n\n To use a custom signing key, you must provide the\n [Cloud KMS CryptoKey Signer/Verifier](/iam/docs/understanding-roles#cloud-kms-roles)\n (`roles/cloudkms.signerVerifier`) IAM\n role to the Access Approval service account for your project.\n\n If the Access Approval service account doesn't have the permissions\n to sign with the key you provided, you can grant the required permissions by\n clicking **Grant** . After granting the permissions, click **Save**.\n\n\nReview Access Approval requests\n-------------------------------\n\nNow that you have enrolled in Access Approval and added yourself as an\napprover for access requests, you can expect to receive email notifications for\naccess requests.\n\nThe following image shows a sample email notification that Access Approval\nsends when Google personnel request access to Customer Data.\n\n\nTo review and approve an incoming access request, do the following:\n\n1. Go to the **Access Approval** page in the Google Cloud console.\n\n [Go to Access Approval](https://console.cloud.google.com/security/access-approval)\n\n To be taken to this page, you can also click the link in the email\n sent to you with the approval request.\n2. Click **Approve**.\n\nAfter you approve the request, Google personnel with\n[characteristics](/assured-workloads/access-approval/docs/approval-request-details) matching\nthe approval, such as, same justification, location, or desk location\ncan access the specified resource and its child resources within the approved\ntimeframe.\n\nClean up\n--------\n\n1. To unenroll from Access Approval, do the following:\n 1. On the **Access Approval** page in the Google Cloud console, click **Manage settings**.\n 2. Click **Unenroll**.\n 3. In the dialog that opens, click **Unenroll**.\n2. To disable Access Transparency for your organization, contact [Cloud Customer Care](/support).\n\nNo additional steps are required to avoid incurring charges to your account.\n\nWhat's next\n-----------\n\n- Learn about the [anatomy of an access request](/assured-workloads/access-approval/docs/approval-request-details).\n- Learn how to [approve Access Approval requests](/assured-workloads/access-approval/docs/approve-requests).\n- Learn how to [view historical Access Approval\n requests](/assured-workloads/access-approval/docs/view-historical-requests)."]]
