(Optional) Configure Access Approval with a custom signing key

This document shows how to set up Access Approval using the Google Cloud console to add an optional custom signing key for Access Approval requests.

Before you begin

Configure a custom signing key (Optional)

Access Approval signs each Access Approval request with a signing key so that you can verify that the request was produced by Access Approval and has not been altered. By default, a Google-owned and Google-managed key is used.

If you have Cloud EKM enabled, you can choose an externally managed signing key, so that the key material never resides in Google Cloud. For information about using external keys, see Cloud EKM overview.

You can also create a Cloud KMS asymmetric signing key with a signing algorithm of your choice. Only a key whose purpose is asymmetric signing can be used. For more information, see Creating asymmetric keys.

To use a custom signing key, follow the instructions in this section.

Get the email address of the service account

The email address for the service account is of the following form:

  service-PROJECT_NUMBER@gcp-sa-accessapproval.iam.gserviceaccount.com

Replace PROJECT_NUMBER with the project number.

For example, the email address is service-123456789@gcp-sa-accessapproval.iam.gserviceaccount.com for a service account in a project whose project number is 123456789.

To use your signing key, do the following:

  1. On the Access Approval page in the Google Cloud console, select Use a Cloud KMS signing key (advanced).

  2. Enter the resource ID of the crypto key version (not just the crypto key) that Access Approval should sign with. The version must be enabled. Because the setting names a specific version, rotating the key does not move Access Approval to the new version; update this setting after rotation.

    The crypto key version resource ID must have the following form:

    projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING_ID/cryptoKeys/CRYPTOKEY_ID/cryptoKeyVersions/KEY_ID

    For more information, see Getting a Cloud KMS resource ID.

  3. To save your settings, click Save.

    To use a custom signing key, you must grant the Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier) IAM role to the Access Approval service account for your project. Grant the role on the key itself (or its key ring) rather than on the whole project, so that the service account can sign only with that key.

    If the Access Approval service account doesn't have the permissions to sign with the key you provided, you can grant the required permissions by clicking Grant. After granting the permissions, click Save.
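The same configuration done from the command line, as an added example that is not part of this page or of the Access Approval documentation. It builds the service account email and the crypto key version resource ID from the forms given above, checks the resource ID before saving it, and then, only when invoked with `apply`, creates an asymmetric signing key, binds the role on that key, and points Access Approval at the key version. PROJECT_ID, LOCATION, KEYRING_ID and CRYPTOKEY_ID are placeholder arguments you supply; the ECDSA P-256 algorithm is an assumed choice, and the use of `gcloud beta services identity create` to provision the service agent is this example's approach, not a step from the page.

```shell
#!/bin/sh
# Added example: configure a customer-managed Cloud KMS signing key for
# Access Approval with gcloud. Helper functions run offline; the gcloud
# steps run only when the script is invoked as:
#   sh configure_signing_key.sh apply PROJECT_ID LOCATION KEYRING_ID CRYPTOKEY_ID [VERSION]
set -eu

# Email of the Access Approval service agent (form given in the page).
access_approval_service_agent() {
  printf 'service-%s@gcp-sa-accessapproval.iam.gserviceaccount.com\n' "$1"
}

# Full cryptoKeyVersion resource name, the form the console expects.
kms_key_version_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Reject anything that is not a key *version* name: wrong collection names,
# a bare cryptoKeys/... path, extra segments, or an empty segment.
is_key_version_name() {
  local IFS='/'
  set -- $1
  [ "$#" -eq 10 ] || return 1
  [ "$1" = projects ] && [ "$3" = locations ] && [ "$5" = keyRings ] &&
    [ "$7" = cryptoKeys ] && [ "$9" = cryptoKeyVersions ] || return 1
  for seg in "$2" "$4" "$6" "$8" "${10}"; do
    [ -n "$seg" ] || return 1
  done
  return 0
}

# Steps that talk to Google Cloud (need gcloud and credentials).
configure_custom_signing_key() {
  local project_id="$1" location="$2" keyring="$3" key="$4" version="${5:-1}"
  local project_number sa key_version

  project_number=$(gcloud projects describe "$project_id" --format='value(projectNumber)')
  sa=$(access_approval_service_agent "$project_number")
  key_version=$(kms_key_version_name "$project_id" "$location" "$keyring" "$key" "$version")
  is_key_version_name "$key_version" || { echo "bad key version name: $key_version" >&2; return 1; }

  # Key ring creation is idempotent in effect: key rings cannot be deleted,
  # so an "already exists" error is ignored.
  gcloud kms keyrings create "$keyring" --project="$project_id" --location="$location" 2>/dev/null || true
  # Asymmetric signing key; ECDSA P-256 over SHA-256 is an assumed algorithm choice.
  gcloud kms keys create "$key" --project="$project_id" --location="$location" \
    --keyring="$keyring" --purpose=asymmetric-signing --default-algorithm=ec-sign-p256-sha256

  # Make sure the service agent exists before binding a role to it.
  gcloud beta services identity create --service=accessapproval.googleapis.com \
    --project="$project_id" >/dev/null

  # Least privilege: bind the role on the key itself, not at project level.
  gcloud kms keys add-iam-policy-binding "$key" --project="$project_id" \
    --location="$location" --keyring="$keyring" \
    --member="serviceAccount:$sa" --role=roles/cloudkms.signerVerifier

  # Equivalent of "Use a Cloud KMS signing key (advanced)" in the console.
  gcloud access-approval settings update --project="$project_id" \
    --active-key-version="$key_version"
}

if [ "${1:-}" = "apply" ]; then
  shift
  configure_custom_signing_key "$@"
fi
```

After `apply` completes, `gcloud access-approval settings get --project=PROJECT_ID` shows the configured key version; if the IAM binding step fails because the service agent is missing, enrolling the project in Access Approval first, or clicking Grant in the console, provisions it.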

Clean up

To remove your optional custom signing key:

  1. On the Access Approval page in the Google Cloud console, open settings.
  2. Under Advanced Settings, select the default (Google) signing key option.

What's next