Set up context-aware access

This page explains how to set up context-aware access. You can use context-aware access to do the following:

Define access policies for Google Cloud resources based on attributes like user identity, network, location, and device state.
Control session length and reauthentication methods for ongoing access.

Preview — Session controls feature only

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Context-aware access is enforced any time a user accesses a client application that requires a Google Cloud scope, including the Google Cloud console on the web and the Google Cloud CLI.

Grant the required IAM permissions

Grant the IAM permissions at the organization level that are required to create Access Context Manager access bindings.

Console

Go to the IAM page in the Google Cloud console.

Go to IAM
Click Grant access and configure the following:
- New principals: Specify the user or group you want to grant the permissions.
- Select a role: Select Access Context Manager > Cloud Access Binding Admin.
Click Save.

gcloud

Ensure that you are authenticated with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin role.

After you've confirmed you have the right permissions, sign in with:
```
gcloud auth login
```
Assign the GcpAccessAdmin role by running the following command:
```
gcloud organizations add-iam-policy-binding ORG_ID \
  --member=user:EMAIL \
  --role=roles/accesscontextmanager.gcpAccessAdmin
```
- ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:
```
 gcloud organizations list
```
- EMAIL is the email address of the person or group you want to grant the role.
Note: For read-only access to the bindings, you can assign the accesscontextmanager.gcpAccessReader role.

Create a group of users

Create a group of users that should be bound by context-aware restrictions. Any users in this group who are also members of your organization must satisfy any access levels that you created to access the Google Cloud console and the Google Cloud APIs.

Deploy Endpoint Verification

Deploying Endpoint Verification is an optional step that lets you integrate device attributes into your access control policies. You can use this capability to enhance the security of your organization by granting or denying access to resources based on device attributes such as OS version and configuration.

Endpoint Verification runs as a Chrome extension on macOS, Windows, and Linux and lets you create access control policies based on device characteristics like model, and OS version, and security characteristics like the presence of disk encryption, a firewall, a screen lock, and OS patches.

Additionally, you can require certificate-based access, which ensures the presence of a verified device certificate to add an extra layer of security and ensure that only authorized devices can access resources, even if user credentials are compromised.

An administrator can deploy the extension to an organization's company-owned devices using the Google Cloud console, or members of the organization can install it themselves.