This page explains how to set up Context-Aware Access, bind access levels to a Google group, and deploy Endpoint Verification. You can use Context-Aware Access to do the following:
Define access policies on Google Cloud resources based on attributes like user identity, network, location, and device state.
Control session length and reauthentication methods for ongoing access.
Context-Aware Access is enforced any time that a user accesses a client application that requires a Google Cloud scope, including the Google Cloud console on the web and the Google Cloud CLI.
Before you begin
Create access levels. You can create basic access levels or custom access levels. Learn more about access levels.
Create a Google group that contains the users that you want the access levels to apply to. To apply Context-Aware Access restrictions, you bind the group to the access levels. To access the resource, users in this group must satisfy at least one of the access levels that you created.
Required roles
Grant the Cloud Access Binding Admin (roles/accesscontextmanager.gcpAccessAdmin) role at the organization level. This role is required to create Access Context Manager access bindings.
Console
In the Google Cloud console, go to the IAM page.
In the project selector menu, select your organization ID.
Click Grant access and configure the following:
New principals: Specify the user or group that you want to grant the permissions to.
Select a role: Select Access Context Manager > Cloud Access Binding Admin.
Click Save.
gcloud
Make sure that you're authenticated with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Administrator role.
After you've confirmed that you have the correct permissions, sign in by running the following command:
gcloud auth login
Grant the Cloud Access Binding Admin (roles/accesscontextmanager.gcpAccessAdmin) role by running the following command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member=PRINCIPAL \
  --role=roles/accesscontextmanager.gcpAccessAdmin
Replace the following:
ORGANIZATION_ID: the ID for your organization. You can use the following command to find the organization ID:
gcloud organizations list
PRINCIPAL: the user or group that you want to grant the role to.
Bind Google groups to access levels
To enforce Context-Aware Access restrictions on who can access Google Cloud resources, you need to bind a Google group to one or more access levels. Users in the specified group are granted access only if they satisfy the conditions that are defined in the bound access levels.
Bind a group to the access level
You can bind the group to the access level using the Google Cloud console or the gcloud CLI.
Console
To bind the group to the access level using the Google Cloud console, do the following:
In the Google Cloud console, go to the Chrome Enterprise Premium page.
If prompted, select your organization.
Click Manage Access for Google Cloud console and APIs. The page lists the existing access bindings.
Click Create Binding.
In the Principals section, click Add.
Enter the email address of the Google group that you want to bind.
In the Access levels section, select the access levels that members of the group must satisfy to gain access. Multiple access levels are logically ORed. The logical OR means that to access the resource, the user must meet the conditions of at least one of the selected levels.
To save the access binding, click Save.
The binding might take a few minutes to propagate. After the binding is active, members of the group are subject to the configured access level requirements when they access the Google Cloud console or use tools like the gcloud CLI that interact with Google Cloud APIs.
gcloud
To bind the group to the access level, run the following command:
gcloud access-context-manager cloud-bindings create \
  --group-key=GROUP_EMAIL \
  --level=ACCESS_LEVEL_ID \
  --organization=ORGANIZATION_ID
Replace the following:
GROUP_EMAIL: The email address of the Google group to bind, for example my-restricted-users@example.com.
ACCESS_LEVEL_ID: The full resource name of the access level to apply. The resource name is in the format accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. You can find POLICY_ID by listing the policies with the following command:
gcloud access-context-manager policies list --organization ORGANIZATION_ID
ORGANIZATION_ID: Optional. Your Google Cloud organization ID. The organization ID is required only if you haven't set the default organization in your gcloud CLI configuration.
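As an added example (not Google's code or its evaluation engine), the following Python models how a cloud access binding combines the pieces above: members of the bound group are allowed if ANY bound access level is satisfied, while a basic access level ANDs its own conditions by default. The access level definitions, the policy ID 123, the group address and the request signals are all constructed for the example.

```python
import ipaddress

# Constructed access levels and binding for this example; policy ID 123 is a
# placeholder. Keys follow the Access Context Manager basic-level shape.
ACCESS_LEVELS = {
    "accessPolicies/123/accessLevels/corp_network": {
        "conditions": [{"ipSubnetworks": ["203.0.113.0/24"]}]},
    "accessPolicies/123/accessLevels/managed_mac": {
        "combiningFunction": "AND",
        "conditions": [{"devicePolicy": {
            "requireScreenlock": True,
            "osConstraints": [{"osType": "DESKTOP_MAC", "minimumVersion": "13.0"}]}}]},
}
BINDING = {"groupKey": "my-restricted-users@example.com",
           "accessLevels": list(ACCESS_LEVELS)}


def _ver(v):
    return tuple(int(p) for p in v.split("."))


def condition_matches(cond, ctx):
    """ctx is a dict of request signals: groups, ip, os_type, os_version,
    screenlock. A condition holds only if every attribute it names holds."""
    nets = cond.get("ipSubnetworks", [])
    if nets and not any(ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(n)
                        for n in nets):
        return False
    dev = cond.get("devicePolicy", {})
    if dev.get("requireScreenlock") and not ctx.get("screenlock"):
        return False
    rules = dev.get("osConstraints", [])
    if rules and not any(r["osType"] == ctx.get("os_type") and
                         _ver(ctx.get("os_version", "0")) >= _ver(r.get("minimumVersion", "0"))
                         for r in rules):
        return False
    return True


def level_satisfied(level, ctx):
    """Basic level: conditions are ANDed by default, ORed if so configured."""
    hits = [condition_matches(c, ctx) for c in level["conditions"]]
    return all(hits) if level.get("combiningFunction", "AND") == "AND" else any(hits)


def evaluate(binding, levels, ctx):
    """Members of the bound group need ANY bound level (logical OR); users
    outside the group are not subject to this binding at all."""
    if binding["groupKey"] not in ctx["groups"]:
        return "not_subject"
    return "allow" if any(level_satisfied(levels[n], ctx)
                          for n in binding["accessLevels"]) else "deny"
```

A member on the corporate subnet passes through the first level regardless of device state; off-network, the same member must present a screen-locked Mac at or above the minimum version or is denied.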
List group bindings
To list existing bindings, run the following command:
gcloud access-context-manager cloud-bindings list \
--organization ORGANIZATION_ID
Deploy Endpoint Verification
Deploying Endpoint Verification is an optional step that lets you integrate device attributes into your access control policies. You can use this capability to enhance the security of your organization by granting or denying access to resources based on device attributes such as OS version and configuration.
Endpoint Verification runs as a Chrome extension on macOS, Windows, and Linux and lets you create access control policies based on device characteristics like model and OS version, and security characteristics like the presence of disk encryption, a firewall, a screen lock, and OS patches.
What's next
Learn how to require certificate-based access, which adds an additional layer of security by ensuring that only authorized devices can access resources, even if the credentials are compromised.
Deploy the Endpoint Verification extension as an administrator to your organization's company-owned devices by using the Google Cloud console.
Let users install the Endpoint Verification extension themselves.