Review and approve access requests using a custom signing key

This document shows how to set up Access Approval using the Google Cloud console and a custom signing key, and how to receive email notifications of access requests on a project.
Access Approval ensures that a cryptographically signed approval is present before Google personnel can access your content stored on Google Cloud.

Access Approval lets you bring your own cryptographic key to sign the access request. You can create a key using Cloud Key Management Service (Cloud KMS) or bring an externally managed key using Cloud External Key Manager (Cloud EKM).

Before you begin

- Enable Access Transparency for your organization. For more information, see Enabling Access Transparency.
- Ensure that you have the Access Approval Config Editor (roles/accessapproval.configEditor) IAM role.

Enroll in Access Approval

To enroll in Access Approval, do the following:

1. In the Google Cloud console, select the project for which you want to enable Access Approval.
2. Go to the Access Approval page.
3. To enroll in Access Approval, click Enroll.
4. In the dialog, select the enrollment mode for your policy, then click Enroll.
Access Approval primary enrollment mode

You can configure Access Approval in one of three modes, and you can change the mode at any time in the Access Approval settings. The following modes can be selected:

1. Transparency (Recommended): Use this mode to only log Google administrative access to your workloads, without interrupting Google's support for your support cases or proactive maintenance on your workloads. See the Access Transparency docs for more information.
2. Streamlined support (Preview): Use this mode to automatically approve Customer Care access to work on your support cases. Proactive maintenance and repair access still has to be requested and approved through Access Approval. This feature is in the Preview launch stage.
3. Access Approval: Use this mode to enable full Access Approval functionality for all accesses.

Note that only the Access Approval mode gates every access behind an explicit approval; the Transparency mode records accesses but does not block them.

Access Transparency logs are generated automatically for all Access Approval policies.
Configure settings

On the Access Approval page in the Google Cloud console, click Manage settings.

Select services

Access Approval settings, including the list of enabled products, are inherited from the parent resource. You can expand the scope of enrollment by enabling Access Approval for all supported services or for selected additional ones.
Set up email notifications

This section explains how you can receive access request notifications for this project.

Grant the required IAM role

To view and approve access requests, you must have the Access Approval Approver (roles/accessapproval.approver) IAM role.

To grant this IAM role to yourself, do the following:

1. Go to the IAM page in the Google Cloud console.
2. In the View by principals tab, click Grant access.
3. In the New principals field in the right pane, enter your email address.
4. Click the Select a role field, and select the Access Approval Approver role from the menu.
5. Click Save.

Add yourself as an approver for Access Approval requests

To add yourself as an approver so you can review and approve access requests, do the following:

1. Go to the Access Approval page in the Google Cloud console.
2. Click Manage settings.
3. Under Set up approval notifications, add your email address in the User or group email field.
4. To save the notification settings, click Save.

The notification address and the approver role are separate controls: being listed as a notification recipient does not by itself grant the right to approve, and holding the role does not by itself subscribe you to notifications. You need both.
Use a custom signing key

Access Approval uses a signing key to sign approvals so that the integrity of the Access Approval request can be verified.

If you have Cloud EKM enabled, you can choose an externally managed signing key. For information about using external keys, see the Cloud EKM overview.

You can also choose to create a Cloud KMS signing key with an algorithm of your choice. For more information, see Creating asymmetric keys.

To use a custom signing key, follow the instructions in this section.
Get the email address of the service account

The email address of the Access Approval service account has the following form:

service-pPROJECT_NUMBER@gcp-sa-accessapproval.iam.gserviceaccount.com

Replace PROJECT_NUMBER with the project number (the numeric ID, not the project ID).

For example, the email address is service-p123456789@gcp-sa-accessapproval.iam.gserviceaccount.com for a service account in a project whose project number is 123456789.
To use your signing key, do the following:

1. On the Access Approval page in the Google Cloud console, select Use a Cloud KMS signing key (advanced).
2. Add the crypto key version resource ID.

   The crypto key version resource ID must have the following form:

   projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING_ID/cryptoKeys/CRYPTOKEY_ID/cryptoKeyVersions/KEY_ID

   This is the ID of one specific key version, not of the key itself. For more information, see Getting a Cloud KMS resource ID.
3. To save your settings, click Save.

   To use a custom signing key, you must grant the Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier) IAM role to the Access Approval service account for your project. Scope the grant to the key (or its key ring) rather than to the whole project, so that the service account can sign only with the key you intend.

   If the Access Approval service account doesn't have permission to sign with the key you provided, you can grant the required permissions by clicking Grant. After granting the permissions, click Save.
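The same procedure done with gcloud instead of the console, as an added example script that is not part of the original page: it derives the Access Approval service account email from the project number, checks that the identifier you supply is a key version resource ID of the required form (a common mistake is passing the key ID, which lacks the cryptoKeyVersions segment), creates an ECDSA P-256 signing key in Cloud KMS, grants roles/cloudkms.signerVerifier on that key only, and sets the key version as the project's active signing key. It assumes gcloud is installed and authenticated as a principal holding roles/accessapproval.configEditor and enough Cloud KMS permission to create keys and set their IAM policy; the project, location, key ring and key names are placeholders, and the gcloud flag names are taken from the current gcloud reference, so check `gcloud access-approval settings update --help` if your SDK version differs.

```shell
#!/usr/bin/env sh
# Added example (not from the page): wire a Cloud KMS signing key into
# Access Approval with gcloud. Assumes gcloud is installed and authenticated.
# All project/location/key ring/key names passed in are placeholders.
set -eu

# Access Approval service agent email for a project, derived from its number.
aa_service_agent() {  # PROJECT_NUMBER
  printf 'service-p%s@gcp-sa-accessapproval.iam.gserviceaccount.com\n' "$1"
}

# Access Approval needs the full key *version* resource ID, not the key ID.
# Returns 0 if the ID has the required shape, 1 otherwise.
is_key_version_id() {  # RESOURCE_ID
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[0-9]+$'
}

# Split a key version resource ID into the values the gcloud kms flags expect.
# Prints "PROJECT LOCATION KEYRING KEY VERSION" on one line.
split_key_version_id() {  # RESOURCE_ID
  is_key_version_id "$1" || { echo "not a key version ID: $1" >&2; return 1; }
  printf '%s\n' "$1" | awk -F/ '{ print $2, $4, $6, $8, $10 }'
}

# 1. Create an asymmetric signing key (ECDSA P-256, HSM-backed) and print the
#    resource ID of its first version, which is what Access Approval needs.
create_signing_key() {  # PROJECT_ID LOCATION KEYRING KEY
  gcloud kms keyrings create "$3" --project="$1" --location="$2" 2>/dev/null || true
  gcloud kms keys create "$4" --project="$1" --location="$2" --keyring="$3" \
    --purpose=asymmetric-signing --default-algorithm=ec-sign-p256-sha256 \
    --protection-level=hsm
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/1\n' \
    "$1" "$2" "$3" "$4"
}

# 2. Let the Access Approval service agent sign with this key and nothing else:
#    the binding is placed on the key resource, not on the project.
grant_signer() {  # PROJECT_ID KEY_VERSION_ID
  aa_project=$1
  set -- $(split_key_version_id "$2")  # $1=key project $2=location $3=ring $4=key $5=version
  number=$(gcloud projects describe "$aa_project" --format='value(projectNumber)')
  gcloud kms keys add-iam-policy-binding "$4" --project="$1" --location="$2" \
    --keyring="$3" --member="serviceAccount:$(aa_service_agent "$number")" \
    --role=roles/cloudkms.signerVerifier
}

# 3. Point Access Approval at the key version, then read the settings back.
#    invalidKeyVersion=True means the service cannot use the key (usually the
#    signerVerifier grant is missing), so treat it as a failed setup.
set_active_key() {  # PROJECT_ID KEY_VERSION_ID
  is_key_version_id "$2" || { echo "refusing to set non-version ID: $2" >&2; return 1; }
  gcloud access-approval settings update --project="$1" --active-key-version="$2"
  gcloud access-approval settings get --project="$1" \
    --format='value(activeKeyVersion,invalidKeyVersion)'
}

setup() {  # PROJECT_ID LOCATION KEYRING KEY
  kv=$(create_signing_key "$1" "$2" "$3" "$4")
  grant_signer "$1" "$kv"
  set_active_key "$1" "$kv"
}

# Runs only when invoked with arguments, e.g.:
#   sh aa-signing-key.sh my-project us-central1 aa-keyring aa-signing-key
[ "$#" -eq 0 ] || setup "$@"
```

Rotating the key later means creating a new key version and running set_active_key with the new version ID; the grant on the key covers all of its versions, so step 2 does not need repeating.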
Review Access Approval requests

Now that you have enrolled in Access Approval and added yourself as an approver for access requests, you can expect to receive email notifications for access requests.

The original page includes a sample email notification that Access Approval sends when Google personnel request access to Customer Data.

To review and approve an incoming access request, do the following:

1. Go to the Access Approval page in the Google Cloud console. You can also open this page by clicking the link in the email sent to you with the approval request.
2. Check the request details (the justification, the requested resource, and the requested expiration) against what you expect, then click Approve.

After you approve the request, Google personnel with characteristics matching the approval, such as the same justification, location, or desk location, can access the specified resource and its child resources within the approved timeframe.
Clean up

1. To unenroll from Access Approval, do the following:
   1. On the Access Approval page in the Google Cloud console, click Manage settings.
   2. Click Unenroll.
   3. In the dialog that opens, click Unenroll.
2. To disable Access Transparency for your organization, contact Cloud Customer Care.

No additional steps are required to avoid incurring charges to your account.

What's next

- Learn about the anatomy of an access request.
- Learn how to approve Access Approval requests.
- Learn how to view historical Access Approval requests.
Last updated 2025-08-18 UTC.