Stay organized with collectionsSave and categorize content based on your preferences.
Approving Access Approval requests
This document explains how to approve an Access Approval request.
Before you begin
Make sure that you understand the concepts in theOverviewpage.
Grant the Access Approval Approver (roles/accessapproval.approver)
IAM role on the project, folder, or
organization to theprincipalwho you want to be able to perform approvals. You can grant the
Access Approval Approver IAM role to either anindividual user, aservice account, or aGoogle group.
If you are using a custom signing key, you
must also grant the Cloud KMS CryptoKey Signer/Verifier
(roles/cloudkms.signerVerifier) IAM role to the
Access Approval service account for your resource. If you are using a
Google-managed signing key, you don't need to provide any other permissions.
If you have opted to receive Access Approval requests through
email, you can also go to this page by clicking the link in the email
sent to you with the approval request.
To approve a request, clickApprove.
You also have the option of dismissing the request. Dismissing the
request is optional because access continues to be denied even if you
don't dismiss the request.
If you don't approve the Google employee's access request within 14
days or before the request expires, the request is automatically
dismissed.
In the dialog box that opens, select the date and time when you want
the access to expire.
SelectApproveto approve access till the set expiration date and
time.
Optional: To validate the signature on a request after approving it,
follow the steps given inValidate a request signature.
cURL
To approve an Access Approval request using cURL, do the following:
Take theapprovalRequestname from the Pub/Sub message.
Make an API call to approve or dismiss thatapprovalRequest.
You can reply to a request with one of the following options:
Action
Effect
Google access state
:approve
Approves the request.
Denied before approval, approved after approval.
:dismiss
Dismisses the request for approval. We recommend dismissing the access request instead of not taking any action. Dismissing the access request prompts the Google employee to follow up.
Denied before dismissal, denied after dismissal.
No action
Google employee access is still denied. Google employee needs to open a new request to access the resource after therequestedExpirationtime passes.
Denied before no action, denied after expiration time.
After you approve the request, the request status changes toApproved. Any
Google employee with characteristics matching the approval scope can make an
access within the approved time frame. These matching characteristics include
the same justification, location, or desk location.
Access Approval doesn't provide any IAM role or any
new permission to the Google employee who requested access.
If you don't approve the Google employee's access request, access is denied to
the Google employee. Dismissing the request only removes it from your list of
pending requests. If you fail to dismiss an approval request, access continues
to be denied.
After enabling,Access Transparencylogs all
accesses to Customer Data that you approve.
Access to Google personnel is allowed until the approval expires or the
justification for access is no longer valid. For example, access expires if the
support case for which Google personnel requested access is closed.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eAccess Approval requests can be approved via the Google Cloud console or using cURL, allowing administrators to grant Google personnel temporary access.\u003c/p\u003e\n"],["\u003cp\u003eApprovers must be granted the Access Approval Approver IAM role, and optionally, the Cloud KMS CryptoKey Signer/Verifier role if using a custom signing key.\u003c/p\u003e\n"],["\u003cp\u003eWhen approving via the Google Cloud console, you must select an expiration date and time, whereas cURL allows for immediate approval or dismissal without time settings.\u003c/p\u003e\n"],["\u003cp\u003eIf a request is not approved or dismissed within 14 days, or by the requested expiration time, the request is automatically dismissed, and access remains denied.\u003c/p\u003e\n"],["\u003cp\u003eDismissing a request is recommended as it prompts the Google employee to follow up if needed, although not acting on a request or dismissing it will still deny them access.\u003c/p\u003e\n"]]],[],null,["# Approving Access Approval requests\n==================================\n\nThis document explains how to approve an Access Approval request.\n\nBefore you begin\n----------------\n\n- Make sure that you understand the concepts in the\n [Overview](/assured-workloads/access-approval/docs/overview) page.\n\n- Grant the Access Approval Approver (`roles/accessapproval.approver`)\n IAM role on the project, folder, or\n organization to the [principal](/iam/docs/overview#concepts_related_identity)\n who you want to be able to perform approvals. You can grant the\n Access Approval Approver IAM role to either an\n [individual user](/iam/docs/overview#google_account), a [service account](/iam/docs/overview#service_account), or a\n [Google group](/iam/docs/overview#google_group).\n\n If you are using a custom signing key, you\n must also grant the Cloud KMS CryptoKey Signer/Verifier\n (`roles/cloudkms.signerVerifier`) IAM role to the\n Access Approval service account for your resource. If you are using a\n Google-managed signing key, you don't need to provide any other permissions.\n\n For information about granting an IAM role, see [Grant\n a single role](/iam/docs/granting-changing-revoking-access#grant-single-role).\n\nConfigure settings to receive notifications\n-------------------------------------------\n\nYou have the following options for receiving Access Approval requests:\n\n- Receive requests through email.\n- Receive requests through Pub/Sub.\n\nYou can choose both of these options by following the instructions in\n[Setting up email and Pub/Sub\nnotifications](/assured-workloads/access-approval/docs/review-approve-access-requests-google-keys#email-pubsub).\n\nApprove Access Approval requests\n--------------------------------\n\nAfter you have enrolled some users as approvers, those users receive all\naccess requests. \n\n### Console\n\nTo approve an Access Approval request using the\nGoogle Cloud console, do the following:\n\n1. To see all your pending approval requests, go to the\n **Access Approval** page in the Google Cloud console.\n\n [Go to Access Approval](https://console.cloud.google.com/security/access-approval)\n\n If you have opted to receive Access Approval requests through\n email, you can also go to this page by clicking the link in the email\n sent to you with the approval request.\n | **Note:** You can only see the pending Access Approval requests for the hierarchy level you have selected. For example, if you have selected a folder, you can only see the Access Approval requests made for folder-level resources, not all projects within those folders.\n2. To approve a request, click **Approve**.\n\n You also have the option of dismissing the request. Dismissing the\n request is optional because access continues to be denied even if you\n don't dismiss the request.\n\n If you don't approve the Google employee's access request within 14\n days or before the request expires, the request is automatically\n dismissed.\n3. In the dialog box that opens, select the date and time when you want\n the access to expire.\n\n | **Note:** Bulk approve option doesn't let you select the expiration date and time.\n4. Select **Approve** to approve access till the set expiration date and\n time.\n\n5. Optional: To validate the signature on a request after approving it,\n follow the steps given in\n [Validate a request signature](/assured-workloads/access-approval/docs/validate-request-signature).\n\n### cURL\n\nTo approve an Access Approval request using cURL, do the following:\n\n1. Take the `approvalRequest` name from the Pub/Sub message.\n2. Make an API call to approve or dismiss that `approvalRequest`.\n\n # HTTP POST request with empty body (an effect of using -d '')\n # service-account-credential.json is attained by going to the\n # IAM -\u003e Service Accounts menu in the cloud console and creating\n # a service account.\n curl -H \"$(oauth2l header --json service-account-credentials.json cloud-platform)\" \\\n -d '' https://accessapproval.googleapis.com/v1/projects/\u003cvar\u003ePROJECT_ID\u003c/var\u003e/approvalRequests/\u003cvar\u003eAPPROVAL_REQUEST_ID\u003c/var\u003e:approve\n\n | **Note:** This preceding example is a sample request using cURL. You can approve an access request by appending `:approve` to a POST request to the mentioned URI that contains a unique `approvalRequestId`.\n\n You can reply to a request with one of the following options:\n\nAfter you approve the request, the request status changes to `Approved`. Any\nGoogle employee with characteristics matching the approval scope can make an\naccess within the approved time frame. These matching characteristics include\nthe same justification, location, or desk location.\n\nAccess Approval doesn't provide any IAM role or any\nnew permission to the Google employee who requested access.\n\nIf you don't approve the Google employee's access request, access is denied to\nthe Google employee. Dismissing the request only removes it from your list of\npending requests. If you fail to dismiss an approval request, access continues\nto be denied.\n\nAfter enabling,\n[Access Transparency](/assured-workloads/access-transparency/docs/overview) logs all\naccesses to Customer Data that you approve.\n\nAccess to Google personnel is allowed until the approval expires or the\njustification for access is no longer valid. For example, access expires if the\nsupport case for which Google personnel requested access is closed.\n\nWhat's next\n-----------\n\n- Learn about the [actions by Google personnel that are excluded from\n Access Approval notifications](/assured-workloads/access-approval/docs/overview#exclusions).\n- Learn about the [fields in an Access Approval request](/assured-workloads/access-approval/docs/approval-request-details)."]]
