View and act on justifications
This page describes how you can view and act on justifications that Key Access Justifications
sends to request access to your encryption keys. Whenever your information is
encrypted or decrypted, Key Access Justifications sends you a justification describing the
reason for the access. The way you view and act on justifications depends on the
type of keys you're using with Key Access Justifications:
- For externally managed keys, the Cloud EKM partner may provide the ability to set a policy that automatically approves or denies access requests based on the content of the justifications. For more information about setting a policy, see the relevant documentation for your chosen key manager. The following partners support Key Access Justifications:
  - Fortanix
  - Thales
- For all keys configured with Key Access Justifications policies—regardless of key type—you can view access requests in the Cloud KMS audit logs.
Denying access can hinder the ability of Google personnel to help you with a
contracted service. For example:
- Denying access for requests with reasons of CUSTOMER_INITIATED_ACCESS or GOOGLE_INITIATED_SYSTEM_OPERATION results in your service becoming unavailable.
- Denying access for requests with the reason of CUSTOMER_INITIATED_SUPPORT limits the ability of Google personnel to respond to support tickets on the rare occasion that your support ticket requires access to sensitive customer information. Support tickets typically don't require this access and our frontline support personnel don't have this access.
- Denying access for requests with the reason of GOOGLE_INITIATED_SERVICE reduces service availability and reliability and inhibits Google's ability to recover from outages.
Important: Justification codes for Key Access Justifications are similar to Access Transparency codes, but they are not equivalent and shouldn't be directly compared.
View justifications for EKM keys
You can use the Google Cloud console to view the justification Key Access Justifications
sends to your external key manager when your data is accessed. To access the
justification, you first need to enable Cloud Audit Logs with Cloud KMS
on the project containing the key used for encryption.
After you have completed the setup, the Cloud Audit Logs also includes the
justification used in the external request for cryptographic operations. The
justification is included in the Data Access logs on the resource key, in
the metadata entries for protoPayload. For more information on these fields,
see Understanding audit logs.
For more information about using Cloud Audit Logs with Cloud KMS, see
Cloud KMS audit logging information.
Note that unlike the justification shared with the external key manager, the
justification in the Cloud Audit Logs cannot be used for approving or denying the
associated cryptographic operation. Google Cloud logs the justification only
after the operation is completed. Therefore, the logs in Google Cloud must be
used primarily for record keeping.
View justifications for Cloud HSM and software keys
When Cloud HSM and software keys configured with Key Access Justifications
have been used to perform encryption or decryption operations, you can view the
Cloud KMS audit logs to view the following information:
- key_access_justification: The justification code associated with the request.
- key_access_justification_policy_metadata: The Key Access Justifications policy metadata for the key, containing the following information:
  - customer_configured_policy_enforced: Indicates whether or not the Key Access Justifications policy set on the key was enforced for the operation.
  - customer_configured_policy: Indicates the justification codes that allow access to the key.
  - justification_propagated_to_ekm: Indicates whether the access request was propagated to the external key manager (if configured).
The following example shows a Cloud KMS audit log entry for a Cloud HSM key
configured with Key Access Justifications:
```javascript
{
  @type: "type.googleapis.com/google.cloud.audit.AuditLog"
  (...)
  metadata: {
    entries: {
      key_access_justification: {
        @type: "type.googleapis.com/google.cloud.ekms.v0.AccessReasonContext"
        reason: "CUSTOMER_INITIATED_ACCESS"
      }
      key_access_justification_policy_metadata: {
        customer_configured_policy_enforced: "true"
        customer_configured_policy: {
          allowed_access_reasons: ["CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION"]
        }
        justification_propagated_to_ekm: "false"
      }
    }
  }
  methodName: "useVersionToDecrypt"
  serviceName: "cloudkms.googleapis.com"
  (...)
}
```
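The following added example is not code from Google or from this page; it ties the audit-log fields described above to the consequences of denial described earlier. It reads Cloud Logging entries whose protoPayload carries the metadata entries listed above, counts accesses per justification reason for record keeping, and reports findings a reviewer would want: a reason outside the customer-configured allow-list, an operation where the policy was not enforced, and a policy that excludes the reasons whose denial this page says makes the service unavailable. The sample entries are constructed; the first reuses the values from the page's example (including the useVersionToDecrypt method name), and the string "true"/"false" form of the flags follows how the page's example renders them.

```python
"""Review Key Access Justifications metadata in Cloud KMS audit log entries.

Added example, not Google's code. Parses Cloud Logging entries whose
protoPayload carries the metadata.entries fields described on this page.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Reasons whose denial this page says results in service unavailability.
AVAILABILITY_REASONS = frozenset({
    "CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION",
})


def _kaj_entry(reason, enforced, allowed, propagated):
    """Build a constructed LogEntry shaped like the page's example (sample data)."""
    return json.dumps({
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudkms.googleapis.com",
            "methodName": "useVersionToDecrypt",
            "metadata": {"entries": {
                "key_access_justification": {
                    "@type": "type.googleapis.com/google.cloud.ekms.v0.AccessReasonContext",
                    "reason": reason,
                },
                "key_access_justification_policy_metadata": {
                    # The page's example renders these flags as the strings "true"/"false".
                    "customer_configured_policy_enforced": enforced,
                    "customer_configured_policy": {"allowed_access_reasons": allowed},
                    "justification_propagated_to_ekm": propagated,
                },
            }},
        }
    })


# Constructed sample entries; the first mirrors the page's example.
SAMPLE_LOG_LINES = [
    _kaj_entry("CUSTOMER_INITIATED_ACCESS", "true",
               ["CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION"], "false"),
    _kaj_entry("GOOGLE_INITIATED_SERVICE", "true",
               ["CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION"], "false"),
    _kaj_entry("CUSTOMER_INITIATED_ACCESS", "false",
               ["CUSTOMER_INITIATED_ACCESS"], "true"),
]


def _as_bool(value) -> Optional[bool]:
    """Accept the string form used in the logs as well as a JSON boolean."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return None


@dataclass(frozen=True)
class KajRecord:
    method: str
    reason: Optional[str]
    policy_enforced: Optional[bool]
    allowed_reasons: frozenset
    propagated_to_ekm: Optional[bool]

    def findings(self) -> list:
        """Conditions a reviewer of the logs would want flagged."""
        out = []
        if self.reason is None:
            out.append("no justification recorded for this operation")
        elif self.allowed_reasons and self.reason not in self.allowed_reasons:
            out.append(f"reason {self.reason} is outside the configured allow-list")
        if self.policy_enforced is False:
            out.append("Key Access Justifications policy was not enforced")
        missing = AVAILABILITY_REASONS - self.allowed_reasons
        if self.allowed_reasons and missing:
            out.append("policy excludes availability-critical reasons: "
                       + ", ".join(sorted(missing)))
        return out


def parse_entry(line: str) -> KajRecord:
    """Extract the Key Access Justifications fields from one JSON log line."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", entry)  # also accept a bare AuditLog
    entries = payload.get("metadata", {}).get("entries", {})
    reason = entries.get("key_access_justification", {}).get("reason")
    policy_md = entries.get("key_access_justification_policy_metadata", {})
    allowed = policy_md.get("customer_configured_policy", {}).get("allowed_access_reasons", [])
    return KajRecord(
        method=payload.get("methodName", "unknown"),
        reason=reason,
        policy_enforced=_as_bool(policy_md.get("customer_configured_policy_enforced")),
        allowed_reasons=frozenset(allowed),
        propagated_to_ekm=_as_bool(policy_md.get("justification_propagated_to_ekm")),
    )


def review(lines):
    """Return the parsed records and a per-reason access count for record keeping."""
    records = [parse_entry(line) for line in lines]
    counts = {}
    for rec in records:
        key = rec.reason or "NONE"
        counts[key] = counts.get(key, 0) + 1
    return records, counts


if __name__ == "__main__":
    recs, counts = review(SAMPLE_LOG_LINES)
    print("access count by reason:", counts)
    for rec in recs:
        print(rec.method, rec.reason, rec.findings() or "ok")
```

Because the logs record the justification only after the operation completes, this kind of review is for record keeping and detection, not for approving or denying the access; the allow-list itself is what the key's policy (or the external key manager's policy) enforces.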