Augmented Administrative Access Controls
Augmented Administrative Access extends Access Transparency and Access Approval by adding granular control and visibility for select Google Cloud products. This feature lets you review and approve specific, fine-grained actions performed by Google personnel when they access your data or systems as part of providing support.
Enabling this feature might increase the number of approval requests that you receive, potentially delaying Google's ability to provide support for your managed services on Google Cloud. Because of the highly granular nature of augmented requests, administrators might be asked to approve multiple requests within a short window. We highly recommend automating approval request handling by using Pub/Sub when using Augmented Administrative Access.
How it works
When Augmented Administrative Access is enabled, it enhances the information available for both Access Approval requests and Access Transparency logs for supported services. Instead of only seeing the general method of access, you gain insight into the specific commands or actions being performed.
Granularity of control
Augmented controls provide enhanced granularity for both logs and approvals for selected products. The key differences are:
- Standard Access Approval and Access Transparency: Show the access method and justification.
- Augmented Access Approval and Access Transparency: Provide command-level information, allowing you to see and approve the specific commands Google personnel run when accessing your resources using SSH in supported services.
For example, with Augmented Administrative Access enabled for GKE, you can review and approve each individual command run by a Google administrator on the GKE control plane.
Before you begin
Before you can use Augmented Administrative Access, your organization must have both Access Transparency and Access Approval enabled.
- To enable Access Transparency, see Enable Access Transparency.
- To enable Access Approval, see Enable Access Approval.
Impact on other access types
Augmented Administrative Access only affects the specific scenarios and services listed in the Supported services and fields section. All other Access Approval requests and Access Transparency logs for unsupported services or scenarios remain unchanged.
Identify augmented Access Transparency logs
Access Transparency logs generated under Augmented Administrative Access are
written to Cloud Logging and can be distinguished by the logClass field:
| log_class | Log type |
|---|---|
| ACCESS_TRANSPARENCY | Standard Access Transparency log |
| AUGMENTED_ACCESS_TRANSPARENCY | Augmented Access Transparency log |
Supported services and fields
The following services support Augmented Administrative Access:
Google Kubernetes Engine
- Augmented Control: SSH access to the Google Kubernetes Engine (GKE) control plane.
- Augmented Data Fields:
  - In Access Transparency Logs: tool_commandline
  - In Access Approval Requests: Command
Cloud SQL
- Augmented Control: SSH access to database hosts.
- Augmented Data Fields:
  - In Access Transparency Logs: tool_commandline
  - In Access Approval Requests: Command
AlloyDB for PostgreSQL
- Augmented Control: SSH access to database hosts.
- Augmented Data Fields:
  - In Access Transparency Logs: tool_commandline
  - In Access Approval Requests: Command
Example logs: GKE control plane
When Augmented Administrative Access is enabled for a supported service like GKE, the Access Transparency logs include an augmentedInfo object.
The augmentedInfo field only appears when Augmented Administrative Access controls are enabled and the log has the class AUGMENTED_ACCESS_TRANSPARENCY.
The following example shows a snippet of an augmented log:
{
  "augmentedInfo": {
    "command": "echo showmethelogs"
  },
  "logClass": "AUGMENTED_ACCESS_TRANSPARENCY"
}
Here is an example of a full augmented Access Transparency log:
{
  "insertId": "1234567890abcdefghijk",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "accessApprovals": [
      "projects/PROJECT_NUMBER/approvalRequests/123abcdef"
    ],
    "accesses": [
      {
        "methodName": "GoogleInternal.SSH.Master",
        "resourceName": "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1-c/clusters/example-cluster"
      }
    ],
    "augmentedInfo": {
      "command": "echo showmethelogs"
    },
    "eventId": "1234567890abcdefghijk",
    "location": {
      "principalEmployingEntity": "Google LLC",
      "principalOfficeCountry": "US",
      "principalPhysicalLocationCountry": "US"
    },
    "logClass": "AUGMENTED_ACCESS_TRANSPARENCY",
    "principalJobTitle": "Engineering",
    "product": [
      "Google Kubernetes Engine"
    ],
    "reason": [
      {
        "detail": "For details, please refer to the documentation.",
        "type": "GOOGLE_INITIATED_SERVICE"
      }
    ]
  },
  "logName": "projects/PROJECT_NAME/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "operation": {
    "id": "1234567890abcdef"
  },
  "receiveTimestamp": "2024-05-03T17:32:44.630281843Z",
  "resource": {
    "labels": {
      "project_id": "PROJECT_NAME"
    },
    "type": "project"
  },
  "severity": "NOTICE",
  "timestamp": "2025-06-07T12:34:56.328083Z"
}
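The following added example (not part of the original page and not Google code) shows one way to triage exported Access Transparency entries: it separates standard from augmented logs by logClass, pulls out augmentedInfo.command, and flags commands for human review. The EXPECTED_BINARIES allowlist, the review rules, the verdict strings and the sample entries are assumptions constructed for illustration; only the field names come from the log shown above.

```python
import shlex

AUGMENTED = "AUGMENTED_ACCESS_TRANSPARENCY"
# Assumption: reviewer-defined set of binaries expected during support work.
EXPECTED_BINARIES = {"echo", "journalctl", "systemctl"}

def triage(entry):
    """Flatten one Access Transparency LogEntry and attach a review verdict."""
    p = entry.get("jsonPayload", {})
    out = {
        "event_id": p.get("eventId"),
        "resources": [a.get("resourceName") for a in p.get("accesses", [])],
        "approvals": p.get("accessApprovals", []),
        "command": None,
        "verdict": "standard",  # standard logs carry no command-level detail
    }
    if p.get("logClass") != AUGMENTED:
        return out
    command = (p.get("augmentedInfo") or {}).get("command")
    out["command"] = command
    try:
        argv = shlex.split(command or "")
    except ValueError:  # unbalanced quotes: treat as unparseable
        argv = []
    binary = argv[0].rsplit("/", 1)[-1] if argv else ""
    checks = [  # evaluated in order; the first matching rule sets the verdict
        (not argv, "review: missing or unparseable command"),
        (not out["approvals"], "review: no linked approval request"),
        (any(ch in (command or "") for ch in ";|&`$<>"), "review: shell metacharacters"),
        (binary not in EXPECTED_BINARIES, "review: unexpected binary"),
    ]
    out["verdict"] = next((msg for hit, msg in checks if hit), "expected")
    return out

def sample(event_id, log_class, command=None, approved=True):
    """Build a constructed entry shaped like the log above (values made up)."""
    cluster = "//container.googleapis.com/projects/PROJECT_NUMBER/locations/us-central1-c/clusters/example-cluster"
    approval = "projects/PROJECT_NUMBER/approvalRequests/123abcdef"
    payload = {"eventId": event_id, "logClass": log_class,
               "accesses": [{"methodName": "GoogleInternal.SSH.Master", "resourceName": cluster}],
               "accessApprovals": [approval] if approved else []}
    if command is not None:
        payload["augmentedInfo"] = {"command": command}
    return {"jsonPayload": payload}

SAMPLES = [sample("evt-1", "ACCESS_TRANSPARENCY"), sample("evt-2", AUGMENTED, "echo showmethelogs"),
           sample("evt-3", AUGMENTED, "echo ok; cat /etc/hostname"),
           sample("evt-4", AUGMENTED, "echo showmethelogs", approved=False),
           sample("evt-5", AUGMENTED)]
```

Calling triage on each element of SAMPLES yields one flat record per entry that can be forwarded to a SIEM or ticket queue.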
What's next
Learn how to Enable Augmented Administrative Access.
Understand how to read Access Transparency logs.
Review the Access Approval overview.