Justification reason codes
This page provides the list of justifications that can be used to request access
to your encryption keys.
Reason
Description
CUSTOMER_INITIATED_ACCESS
Customer uses their account to perform any access to their own data which
their IAM policy authorizes. These accesses include operations
that are executed indirectly on behalf of or in response to customer
resource activity, such as logging.
MODIFIED_CUSTOMER_INITIATED_ACCESS
Customer uses their account to perform any access to their own data which
their IAM policy authorizes. These accesses include operations
that are executed indirectly on behalf of or in response to customer
resource activity, such as logging.
At the same time, one of the following is true:
- A Google administrator has reset the root-access account associated with the user's organization within the past 7 days.
- A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.
GOOGLE_INITIATED_SYSTEM_OPERATION
Google systems access customer data to help optimize the structure of the data
or quality for future uses by the customer. These accesses can be for
indexing, structuring, precomputation, hashing, sharding and
caching customer data. This also includes backing up data for disaster recovery or data
integrity reasons, and detecting errors that the
backup data could remedy. Certain operations such as key health checks are
initiated by Google systems in direct response to customer resource activity
but can generate a GOOGLE_INITIATED_SYSTEM_OPERATION justification due to
the architecture of the systems involved. Key accesses with this
justification are always in service of a customer workload.
Where the customer has delegated a managed control plane
operation to Google, such as the creation of a managed instance group,
all managed operations will show as system operations. Services such as
the managed instance group manager that trigger downstream decryption
operations do not have access to clear-text customer data.
MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION
Google systems access customer data to help optimize the structure of the data
or quality for future uses by the customer. These accesses can be for
indexing, structuring, precomputation, hashing, sharding and
caching customer data. This also includes backing up data for disaster recovery or data
integrity reasons, and detecting errors that the
backup data could remedy. Certain operations such as key health checks are
initiated by Google systems in direct response to customer resource activity
but can generate a GOOGLE_INITIATED_SYSTEM_OPERATION justification due to
the architecture of the systems involved. Key accesses with this
justification are always in service of a customer workload.
At the same time, one of the following is true:
- A Google administrator has reset the root-access account associated with the user's organization within the past 7 days.
- A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.
Where the customer has delegated a managed control plane
operation to Google, such as the creation of a managed instance group,
all managed operations show as system operations. Services such as
the managed instance group manager that trigger downstream decryption
operations do not have access to clear-text customer data.
REASON_NOT_EXPECTED
No reason is expected for this key request due to there being at least one
service involved in servicing the request which has one of the following
characteristics:
- The service has never integrated with Key Access Justifications.
- The service has partially integrated with Key Access Justifications but this integration is still in Preview. Portions of such services might not be completely integrated with Key Access Justifications, which can lead to justifications not being producible.
While a REASON_NOT_EXPECTED justification
carries the aforementioned meaning, services which have not yet reached the
GA status for their Key Access Justifications integration might also generate other
justifications including REASON_UNSPECIFIED. Google makes no
guarantees regarding the justifications generated while using services
which are not Key Access Justifications GA.
CUSTOMER_INITIATED_SUPPORT
Customer-initiated support, for example, "Case Number: ####".
GOOGLE_INITIATED_SERVICE
Refers to Google-initiated access for system management and
troubleshooting. Google personnel can make this type of access for the
following reasons:
- To perform technical debugging needed for a complex support request or investigation.
- To remediate technical issues, such as storage failure or data corruption.
THIRD_PARTY_DATA_REQUEST
Google-initiated access in response to a legal request or legal process,
including when responding to legal process from the customer that requires
Google to access the customer's own data.
GOOGLE_INITIATED_REVIEW
Google-initiated access for security, fraud, abuse, or compliance
purposes, including:
- Ensuring the safety and security of customer accounts and data.
- Confirming whether data is affected by an event that might impact account security (for example, malware infections).
- Confirming whether customer is using Google services in compliance with Google Terms of Service.
- Investigating complaints by other users and customers, or other signals of abusive activity.
- Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations).
GOOGLE_RESPONSE_TO_PRODUCTION_ALERT
Refers to Google-initiated access to maintain system reliability. Google
personnel can make this type of access for the following reasons:
- To investigate and confirm that a suspected service outage doesn't affect the customer.
- To ensure backup and recovery from outages and system failures.
REASON_UNSPECIFIED
You have Key Access Justifications enabled but no justification is available for
this request. The reason could be a transient error, a bug, or some
other circumstance.
Due to the specific justification display implementations of
various logging systems provided by Google Cloud and certain EKM providers,
the REASON_UNSPECIFIED justification might be represented as an
empty string. If a justification field is present in a request log but no
justification is displayed, this should be interpreted as having received
a REASON_UNSPECIFIED justification.
CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING
One of the following operations is being executed while simultaneously
encountering an internal technical issue which prevented a more precise
justification code from being generated:
- Your account has been used to perform any access to your own data which your IAM policy authorizes.
- An automated Google system operates on encrypted customer data which your IAM policy authorizes.
- Customer-initiated Google support access.
- Google-initiated support access to protect system reliability.
When such an internal technical issue is encountered, Google will
immediately work to remediate the situation and return the involved systems
to a state where other more precise justification codes will be generated.
To reduce operational risk of an outage resulting from the denial of a
request with CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING justification,
Google recommends that you allow CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING
in your Key Access Justifications policies.
A CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING justification might
also be generated as a result of a workload using a service that doesn't
support Key Access Justifications. This justification will be generated in such cases
as long as the service doesn't support Key Access Justifications.
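The following added example (not Google's code) shows how a log reviewer could apply two rules from this page: a justification field that is present but empty is read as REASON_UNSPECIFIED, and the MODIFIED_ variants are separated out for review. The record layout, the `justification` field name, and the ROUTINE set are assumptions made for illustration.

```python
from collections import Counter
from typing import Optional

# Reason codes listed on this page.
KNOWN_REASONS = {
    "CUSTOMER_INITIATED_ACCESS", "MODIFIED_CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION",
    "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION",
    "REASON_NOT_EXPECTED", "CUSTOMER_INITIATED_SUPPORT",
    "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST",
    "GOOGLE_INITIATED_REVIEW", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT",
    "REASON_UNSPECIFIED", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING",
}
# Constructed triage policy (assumption): reasons treated as routine.
ROUTINE = {
    "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION",
    "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING",
}

def normalize(record: dict) -> Optional[str]:
    """Return the reason code; None when the record has no justification field."""
    if "justification" not in record:  # hypothetical field name
        return None
    value = (record["justification"] or "").strip()
    # A field that is present but empty is read as REASON_UNSPECIFIED.
    return value or "REASON_UNSPECIFIED"

def triage(record: dict) -> str:
    """Classify one key-access record for a human reviewer."""
    reason = normalize(record)
    if reason is None:
        return "no-field"
    if reason not in KNOWN_REASONS:
        return "unknown-code"
    if reason.startswith("MODIFIED_"):
        # Admin reset or emergency access happened within the past 7 days.
        return "review-modified"
    return "routine" if reason in ROUTINE else "review"

# Constructed sample records, not real log output.
SAMPLE = [
    {"key": "k1", "justification": "CUSTOMER_INITIATED_ACCESS"},
    {"key": "k1", "justification": ""},
    {"key": "k2"},
    {"key": "k2", "justification": "MODIFIED_CUSTOMER_INITIATED_ACCESS"},
    {"key": "k3", "justification": "GOOGLE_INITIATED_SERVICE"},
    {"key": "k3", "justification": "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING"},
    {"key": "k3", "justification": "SOMETHING_ELSE"},
]

def summarize(records) -> Counter:
    """Count verdicts across a batch of records."""
    return Counter(triage(r) for r in records)
```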
Last updated 2025-08-25 UTC.