Review and approve access requests using the Google-managed signing key

This document shows you how to set up Access Approval using the Google Cloud console to receive email notifications of access requests for a project.

Access Approval ensures that a cryptographically-signed approval is present for Google personnel to access your content stored on Google Cloud.

Before you begin

Enroll in Access Approval

To enroll in Access Approval, do the following:

  1. In the Google Cloud console, select the project for which you want to enable Access Approval.

  2. Go to the Access Approval page.

  3. To enroll in Access Approval, click Enroll.

  4. In the dialog box that opens, click Enroll.

    The dialog box shows the Access Approval disclaimer about increased support time.

Configure settings

On the Access Approval page in the Google Cloud console, click Manage settings.

Select the services

By default, the services that require Access Approval are inherited from the project's parent resource. You can expand the scope of enrollment by selecting the option to automatically enable Access Approval for all the supported services.

Set up email and Pub/Sub notifications

This section explains how you can receive access request notifications for this project.

Grant yourself the required IAM role

To view and approve access requests, you must have the Access Approval Approver (roles/accessapproval.approver) IAM role.

To grant this IAM role to yourself, do the following:

  1. Go to the IAM page in the Google Cloud console.

  2. In the View by principals tab, click Grant access.
  3. In the New principals field in the right pane, enter your email address.
  4. Click the Select a role field, and select the Access Approval Approver role from the menu.
  5. Click Save.

Add yourself as an approver for Access Approval requests and configure notifications

To add yourself as an approver so you can review and approve access requests, do the following:

  1. Go to the Access Approval page in the Google Cloud console.

  2. Click Manage settings.

  3. To enable email notifications, add your email address in the User or group email field under Set up approval notifications.

  4. To enable Pub/Sub notifications, add your Pub/Sub topic in the Pub/Sub topic field under Set up approval notifications.
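The two procedures above are configured in different places, so a notification recipient can end up without the approver role (they see the email but cannot act on it), or an approver can be left off the notification list. The following check is an added example, not part of the original documentation: it compares a project IAM policy (JSON shaped like the output of `gcloud projects get-iam-policy --format=json`) against the `notificationEmails` field of the Access Approval settings. The sample data and function names are constructed for illustration, and the check assumes project-level bindings only; roles inherited from a folder or organization and membership inside groups are not resolved.

```python
import json

APPROVER_ROLE = "roles/accessapproval.approver"

# Constructed sample input, shaped like a project IAM policy in JSON form.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/accessapproval.approver",
   "members": ["user:alice@example.com", "group:sec-approvers@example.com"]},
  {"role": "roles/viewer", "members": ["user:bob@example.com"]}
]}
""")

# Constructed sample input, shaped like the Access Approval settings resource.
SAMPLE_SETTINGS = json.loads("""
{"name": "projects/example-project/accessApprovalSettings",
 "notificationEmails": ["Alice@example.com", "bob@example.com",
                        "sec-approvers@example.com"]}
""")


def approver_emails(policy):
    """Return lowercased emails of users and groups bound to the approver role."""
    emails = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != APPROVER_ROLE:
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind in ("user", "group") and ident:
                emails.add(ident.lower())
    return emails


def audit(policy, settings):
    """Compare notification recipients against holders of the approver role."""
    approvers = approver_emails(policy)
    notified = {e.strip().lower() for e in settings.get("notificationEmails", [])}
    return {
        "notified_without_role": sorted(notified - approvers),
        "approvers_not_notified": sorted(approvers - notified),
        "no_one_can_act": not (notified & approvers),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_SETTINGS), indent=2))
```

An address listed under `notified_without_role` may still be able to approve through a group or an inherited binding, so treat it as a prompt to verify rather than a definite misconfiguration.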

Select a Google-managed signing key

Access Approval uses a signing key to verify the integrity of the access approval.

The Google-managed signing key is the default option. Using a Google-owned and managed key doesn't require any additional configuration.

Review Access Approval requests

Now that you have enrolled in Access Approval and added yourself as an approver for access requests, you can expect to receive email notifications for access requests.

The following image shows a sample email notification that Access Approval sends when Google personnel request access to customer content.

[Image: the email notification that gets sent when Google personnel request access to customer content.]

To review and approve an incoming access request, do the following:

  1. Go to the Access Approval page in the Google Cloud console.

    You can also reach this page by clicking the link in the email sent to you with the approval request.

  2. Click Approve.

After you approve the request, Google personnel with characteristics matching the approval, such as the same justification, location, or desk location, can access the specified resource and its child resources within the approved time frame.

Clean up

  1. To unenroll from Access Approval, do the following:
    1. On the Access Approval page in the Google Cloud console, click Manage settings.
    2. Click Unenroll.
    3. In the dialog that opens, click Unenroll.
  2. To disable Access Transparency for your organization, contact Cloud Customer Care.

No additional steps are required to avoid incurring charges to your account.
