Validate an approved request signature
======================================
Each approved Access Approval request is signed with an asymmetric
cryptographic key to validate the approval. Approved requests can be signed with
a Google-owned and managed key or a customer-provided
Cloud KMS key.
When you validate a signature, you can be sure that the bytestring of the
serialized approved request is valid. To finish validating the contents of the
approval, you must deserialize the message and compare the deserialized
message with the contents of the approved request.
Before you begin
----------------

To ensure that the Access Approval service account for your resource has the necessary permissions to verify approved request signatures, ask your administrator to grant the Access Approval service account for your resource the [Cloud KMS CryptoKey Signer/Verifier](/iam/docs/roles-permissions/cloudkms#cloudkms.signerVerifier) (`roles/cloudkms.signerVerifier`) IAM role on the key, key ring, or key project.

**Important:** You must grant this role to the Access Approval service account for your resource, *not* to your user account. Failure to grant the role to the correct principal might result in permission errors.

For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

Your administrator might also be able to give the Access Approval service account for your resource the required permissions through [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).
Validate a request signed using a Google-owned and managed key
--------------------------------------------------------------

1. In the Google Cloud console, go to the **Access Approval** page.

    [Go to Access Approval](https://console.cloud.google.com/security/access-approval)

2. Locate and select the approved Access Approval request that you want to validate. The **Request details** page opens.

3. Under **Google-managed public key**, click **Copy**.

4. Open the Cloud Shell, and then save the public key as a new file named `public_key`:

        echo GOOGLE_MANAGED_PUBLIC_KEY > ./public_key

    Replace `GOOGLE_MANAGED_PUBLIC_KEY` with the contents of the **Google-managed public key** field. The key is multi-line PEM text, so quote the pasted value (or use a heredoc) so that its line breaks are preserved in the file; an unquoted `echo` collapses them into spaces and `openssl` will not parse the result.

5. In the Google Cloud console, on the **Request details** page, under **Signature**, click **Copy**.

6. Open the Cloud Shell, and then save the signature as a new file named `signature.txt`:

        echo SIGNATURE > ./signature.txt

    Replace `SIGNATURE` with the contents of the **Signature** field.

7. Decode the signature using the `base64` command and save the result as `decoded_signature`:

        base64 ./signature.txt -d > ./decoded_signature

8. In the Google Cloud console, on the **Request details** page, under **Serialized Approval Request**, click **Copy**.

9. Open the Cloud Shell, and then save the serialized approval request as a new file named `serialized_approval_request.txt`:

        echo SERIALIZED_APPROVAL_REQUEST > ./serialized_approval_request.txt

    Replace `SERIALIZED_APPROVAL_REQUEST` with the contents of the **Serialized Approval Request** field.

10. Decode the serialized approval request and save the result as `decoded_serialized_approval_request`:

        base64 ./serialized_approval_request.txt -d > ./decoded_serialized_approval_request

11. Use `openssl` to verify the signature:

        openssl dgst \
            -sha256 \
            -verify ./public_key \
            -signature ./decoded_signature \
            ./decoded_serialized_approval_request

    If the signature is valid, the output should be `Verified OK`. This confirms that the serialized approval request is valid.

Validate a request signed using a customer-provided key
-------------------------------------------------------

1. In the Google Cloud console, go to the **Access Approval** page.

    [Go to Access Approval](https://console.cloud.google.com/security/access-approval)

2. Locate and select the approved Access Approval request that you want to validate. The **Request details** page opens.

3. In the Google Cloud console, on the **Request details** page, under **Signature**, click **Copy**.

4. Open the Cloud Shell, and then save the signature as a new file named `signature.txt`:

        echo SIGNATURE > ./signature.txt

    Replace `SIGNATURE` with the contents of the **Signature** field.

5. Decode the signature and save the result as `decoded_signature`:

        base64 ./signature.txt -d > ./decoded_signature

6. In the Google Cloud console, on the **Request details** page, under **Serialized Approval Request**, click **Copy**.

7. Open the Cloud Shell, and then save the serialized approval request as a new file named `serialized_approval_request.txt`:

        echo SERIALIZED_APPROVAL_REQUEST > ./serialized_approval_request.txt

    Replace `SERIALIZED_APPROVAL_REQUEST` with the contents of the **Serialized Approval Request** field.

8. Decode the serialized approval request and save the result as `decoded_serialized_approval_request`:

        base64 ./serialized_approval_request.txt -d > ./decoded_serialized_approval_request

9. Under **Customer-managed key**, make note of the resource identifier of the key.

10. [Retrieve the public key](/kms/docs/retrieve-public-key) for the key that you identified in the previous step. Save the downloaded public key in the PEM format as `./public_key`.

11. Use `openssl` to verify the signature:

        openssl dgst \
            -sha256 \
            -verify ./public_key \
            -signature ./decoded_signature \
            ./decoded_serialized_approval_request

    If the signature is valid, the output should be `Verified OK`. This confirms that the serialized approval request is valid.

Last updated 2025-09-03 UTC.
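The decode-and-verify steps above, wrapped in one POSIX shell function and exercised against a locally generated key pair and a constructed request so that both the genuine and the tampered case can be observed. This is an added example, not code from the Google Cloud documentation; the RSA-2048 stand-in key and the request bytes are assumptions, and a real check uses the public key, signature and serialized request taken from the **Request details** page.

```sh
#!/bin/sh
# Added example, not Google's code: the page's decode-and-verify steps as one
# function, exercised against a constructed key pair and request.
set -eu

# verify_approval PUBLIC_KEY_PEM SIGNATURE_B64 SERIALIZED_REQUEST_B64
# Returns 0 when openssl prints "Verified OK", 1 on any verification failure.
verify_approval() {
  pubkey=$1; sig_b64=$2; req_b64=$3
  work=$(mktemp -d)
  # Same decoding the page performs with `base64 ... -d`
  base64 -d "$sig_b64" > "$work/decoded_signature"
  base64 -d "$req_b64" > "$work/decoded_serialized_approval_request"
  rc=0
  openssl dgst -sha256 -verify "$pubkey" \
    -signature "$work/decoded_signature" \
    "$work/decoded_serialized_approval_request" 2>/dev/null || rc=$?
  rm -rf "$work"
  return "$rc"
}

# Constructed fixtures (assumption: RSA-2048 stands in for the real signing
# key, which is Google-owned or a customer Cloud KMS key).
make_fixtures() {
  dir=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/private_key" 2>/dev/null
  openssl pkey -in "$dir/private_key" -pubout -out "$dir/public_key"
  printf 'constructed serialized approval request' > "$dir/request.bin"
  openssl dgst -sha256 -sign "$dir/private_key" \
    -out "$dir/sig.bin" "$dir/request.bin"
  # What the console fields hold: base64 text, one value per file
  base64 "$dir/sig.bin" > "$dir/signature.txt"
  base64 "$dir/request.bin" > "$dir/serialized_approval_request.txt"
  # One byte appended after signing: the signature must no longer verify
  printf 'constructed serialized approval request!' | base64 \
    > "$dir/tampered_request.txt"
}

demo=$(mktemp -d)
make_fixtures "$demo"
verify_approval "$demo/public_key" "$demo/signature.txt" \
  "$demo/serialized_approval_request.txt" && echo "genuine: signature ok"
verify_approval "$demo/public_key" "$demo/signature.txt" \
  "$demo/tampered_request.txt" || echo "tampered: signature rejected"
rm -rf "$demo"
```

`Verified OK` only proves that the decoded bytes match the signature; as the page states, you still have to deserialize `decoded_serialized_approval_request` and compare it with the request shown on the **Request details** page.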