Stay organized with collections
Save and categorize content based on your preferences.
This page explains how to set up Context-Aware Access. You can use Context-Aware Access to do
the following:
Define access policies for Google Cloud resources based on attributes like
user identity, network, location, and device state.
Control session length and reauthentication methods for ongoing access.
Context-Aware Access is enforced any time a user accesses a client application
that requires a Google Cloud scope, including the Google Cloud console on the
web and the Google Cloud CLI.
Grant the required IAM permissions
Grant the IAM permissions at the organization level that are
required to create Access Context Manager access bindings.
Ensure that you are authenticated with sufficient privileges to add
IAM permissions at the organization level. At a minimum,
you need the
Organization Admin
role.
After you've confirmed you have the right permissions, sign in with:
gcloudauthlogin
Assign the GcpAccessAdmin role by running the following command:
ORG_ID is the ID for your organization. If you
don't already have your organization ID, you can use the following
command to find it:
gcloudorganizationslist
EMAIL is the email address of the person or
group you want to grant the role.
Create a group of users
Create a group of users
that should be bound by context-aware restrictions. Any users in this
group who are also members of your organization must satisfy any access levels
that you created to access the Google Cloud console and the
Google Cloud APIs.
Deploy Endpoint Verification
Deploying Endpoint Verification
is an optional step that lets you integrate device
attributes into your access control policies. You can use this capability to
enhance the security of your organization by granting or denying access to
resources based on device attributes such as OS version and configuration.
Endpoint Verification runs as a Chrome extension on macOS, Windows, and Linux and
lets you create access control policies based on device characteristics like
model, and OS version, and security characteristics like the presence of disk
encryption, a firewall, a screen lock, and OS patches.
Additionally, you can require
certificate-based access,
which ensures the presence of a verified device certificate to add an extra
layer of security and ensure that only authorized devices can access
resources, even if user credentials are compromised.
An administrator can deploy the extension
to an organization's company-owned devices using the Google Cloud console,
or members of the organization can
install it themselves.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Set up context-aware access\n\nThis page explains how to set up context-aware access. You can use context-aware\naccess to do the following:\n\n- Define access policies for Google Cloud resources based on attributes like user identity, network, location, and device state.\n- Control session length and reauthentication methods for ongoing access.\n\n\n | **Preview\n | --- Session controls feature only**\n |\n |\n | This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n | of the [Service Specific Terms](/terms/service-terms#1).\n |\n | Pre-GA features are available \"as is\" and might have limited support.\n |\n | For more information, see the\n | [launch stage descriptions](/products#product-launch-stages).\n\n \u003cbr /\u003e\n\nContext-aware access is enforced any time a user accesses a client application\nthat requires a Google Cloud scope, including the Google Cloud console on the\nweb and the Google Cloud CLI.\n\nGrant the required IAM permissions\n----------------------------------\n\nGrant the IAM permissions at the organization level that are\nrequired to create Access Context Manager access bindings. \n\n### Console\n\n1. Go to the **IAM** page in the Google Cloud console.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n2. Click **Grant access** and configure the following:\n\n - **New principals**: Specify the user or group you want to grant the permissions.\n - **Select a role** : Select **Access Context Manager \\\u003e Cloud Access\n Binding Admin**.\n3. Click **Save**.\n\n| **Note:** For read-only access to the bindings, you can assign the **Cloud Access Binding Reader** role.\n\n### gcloud\n\n1. Ensure that you are authenticated with sufficient privileges to add\n IAM permissions at the organization level. At a minimum,\n you need the\n [Organization Admin](/resource-manager/docs/creating-managing-organization#setting-up)\n role.\n\n After you've confirmed you have the right permissions, sign in with: \n\n gcloud auth login\n\n2. Assign the `GcpAccessAdmin` role by running the following command:\n\n gcloud organizations add-iam-policy-binding \u003cvar translate=\"no\"\u003eORG_ID\u003c/var\u003e \\\n --member=user:\u003cvar translate=\"no\"\u003eEMAIL\u003c/var\u003e \\\n --role=roles/accesscontextmanager.gcpAccessAdmin\n\n - \u003cvar translate=\"no\"\u003eORG_ID\u003c/var\u003e is the ID for your organization. If you\n don't already have your organization ID, you can use the following\n command to find it:\n\n gcloud organizations list\n\n - \u003cvar translate=\"no\"\u003eEMAIL\u003c/var\u003e is the email address of the person or\n group you want to grant the role.\n\n | **Note:** For read-only access to the bindings, you can assign the `accesscontextmanager.gcpAccessReader` role.\n\nCreate a group of users\n-----------------------\n\n[Create a group of users](https://support.google.com/cloudidentity/answer/33343)\nthat should be bound by context-aware restrictions. Any users in this\ngroup who are also members of your organization must satisfy any access levels\nthat you created to access the Google Cloud console and the\nGoogle Cloud APIs.\n| **Note:** We recommend excluding at least one Organization Admin or Organization Owner from this group to reduce the risk of an accidental lockout.\n\nDeploy Endpoint Verification\n----------------------------\n\n[Deploying Endpoint Verification](/endpoint-verification/docs/deploying-with-admin-console)\nis an optional step that lets you integrate device\nattributes into your access control policies. You can use this capability to\nenhance the security of your organization by granting or denying access to\nresources based on device attributes such as OS version and configuration.\n\nEndpoint Verification runs as a Chrome extension on macOS, Windows, and Linux and\nlets you create access control policies based on device characteristics like\nmodel, and OS version, and security characteristics like the presence of disk\nencryption, a firewall, a screen lock, and OS patches.\n\nAdditionally, you can require\n[certificate-based access](/chrome-enterprise-premium/docs/securing-resources-with-certificate-based-access),\nwhich ensures the presence of a verified device certificate to add an extra\nlayer of security and ensure that only authorized devices can access\nresources, even if user credentials are compromised.\n\nAn administrator can [deploy the extension](/endpoint-verification/docs/deploying-with-admin-console)\nto an organization's company-owned devices using the Google Cloud console,\nor members of the organization can\n[install it themselves](/endpoint-verification/docs/self-install-extension)."]]
