Manage access bindings

This page explains how to manage your existing access bindings, which define how access policies are applied to your user groups. You can view, modify, and delete these bindings as needed. Access bindings determine how access levels and session controls are applied to a user group.

For information about how to create access bindings and for more details on access levels and session controls, see Apply policies to user groups with access bindings.

View access bindings

After access bindings are created for a group of users, access to the Google Cloud console and Google Cloud APIs is controlled based on whether the bound access level is satisfied.

You can view the details of the access binding that you created, edit it, or delete it.

Console

  1. In the Google Cloud console, go to the Access Context Manager page.

    Go to Access Context Manager

  2. If you are prompted, select a project. The access bindings are listed on the Access Context Manager page.

gcloud

  • To view all access bindings, run the following command:

      gcloud access-context-manager cloud-bindings list \
       --organization ORG_ID
    

    ORG_ID: Your organization ID. If the access-context-manager/organization property hasn't been set, replace ORG_ID in the optional --organization flag with the ID for the organization that you used when creating the GcpAccessAdmin role.

  • To view the details of an access binding, run the following command:

      gcloud access-context-manager cloud-bindings describe \
      --binding=BINDING_ID
    

    BINDING_ID is the ID of the access binding or the fully qualified identifier for the access binding.

API

  • View all access bindings:

    Before using any of the request data, make the following replacements:

    • ORG_ID is the ID of the organization that you used when creating the GcpAccessAdmin role (the same value that the optional --organization flag of gcloud takes when the access-context-manager/organization property hasn't been set).

    HTTP method and URL:

    GET https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

    To send your request, choose one of these options:

    curl

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings"

    PowerShell

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "name": string,
      "groupKey": string,
      "accessLevels": [
        string
      ],
      "dryRunAccessLevels": [
        string
      ]
    }

  • View the details of an access binding:

    HTTP method and URL:

    GET https://accesscontextmanager.googleapis.com/v1/BINDING_ID

    To send your request, choose one of these options:

    curl

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://accesscontextmanager.googleapis.com/v1/BINDING_ID"

    PowerShell

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://accesscontextmanager.googleapis.com/v1/BINDING_ID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    
    {
      "name": "organizations/427391306986/gcpUserAccessBindings/aAQS-YRSviv2hC12vZFUN3AZzvwa6KV2hJ89iMytB_nHUcT1l",
      "groupKey": "045jfvxd0ybeul8",
      "accessLevels": [
        "accessPolicies/305009197125/accessLevels/device_lock"
      ],
      "dryRunAccessLevels": [
        "accessPolicies/305009197125/accessLevels/another"
      ]
    }
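
As an added example that is not part of this page, the following Python helper runs an access review over a saved list response: for each binding it reports which access levels are enforced and which are dry run only, so a binding that gates nothing stands out. It assumes the list call wraps bindings in a gcpUserAccessBindings array (the page shows only the single-binding schema) and also accepts a single describe response; the sample response is constructed.

```python
from __future__ import annotations
import json

# Constructed sample list response. Assumption: the list call wraps bindings in a
# gcpUserAccessBindings array; the page itself shows only a single-binding schema.
SAMPLE_LIST_RESPONSE = json.dumps({
    "gcpUserAccessBindings": [
        {
            "name": "organizations/ORG_ID/gcpUserAccessBindings/binding-enforced",
            "groupKey": "group-key-1",
            "accessLevels": ["accessPolicies/POLICY_ID/accessLevels/device_lock"],
            "dryRunAccessLevels": ["accessPolicies/POLICY_ID/accessLevels/another"],
        },
        {
            "name": "organizations/ORG_ID/gcpUserAccessBindings/binding-dry-run-only",
            "groupKey": "group-key-2",
            "dryRunAccessLevels": ["accessPolicies/POLICY_ID/accessLevels/another"],
        },
    ]
})

def _bindings(payload: dict) -> list[dict]:
    """Accept either a list response or a single binding from describe."""
    if "gcpUserAccessBindings" in payload:
        return payload["gcpUserAccessBindings"]
    return [payload] if "name" in payload else []

def review_bindings(raw_json: str) -> list[dict]:
    """Summarize each binding: enforced levels, dry run levels, whether it gates anything.

    A binding with no accessLevels does not restrict console or API access for its
    group; dry run levels only report what would be blocked, so such bindings
    deserve a second look in an access review.
    """
    report = []
    for b in _bindings(json.loads(raw_json)):
        enforced = b.get("accessLevels", [])
        dry_run = b.get("dryRunAccessLevels", [])
        report.append({
            "binding": b["name"].rsplit("/", 1)[-1],
            "group": b.get("groupKey"),
            "enforced": enforced,
            "dry_run": dry_run,
            # Access policy IDs referenced, from accessPolicies/POLICY_ID/... level names.
            "policies": sorted({lvl.split("/")[1] for lvl in enforced + dry_run}),
            "enforcing": bool(enforced),
        })
    return report
```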
    
    

Update an access binding

You can update an access binding to do the following:

Console

  1. In the Google Cloud console, go to the Access Context Manager page.

    Go to Access Context Manager

  2. If you are prompted, select a project.

  3. On the Access Context Manager page, select an access binding and then click Edit to update it.

You cannot update access bindings with dry run access levels or session controls in the Google Cloud console.

gcloud

Create a YAML binding file.

gcloud access-context-manager cloud-bindings update \
  --binding ACCESS_BINDING \
  --binding-file BINDING_FILE_PATH \
  [ --level DEFAULT_ACCESS_LEVEL ] \
  [ --dry-run-level DEFAULT_DRY_RUN_ACCESS_LEVEL ] \
  [ --session-length=DEFAULT_SESSION_LENGTH ] \
  [ --session-reauth-method=DEFAULT_SESSION_REAUTH_METHOD ]

Replace the following:

  • ACCESS_BINDING: The access binding, in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
  • BINDING_FILE_PATH: The path to the YAML file that contains the access binding scheme. The binding file supports only scopedAccessSettings.
  • DEFAULT_ACCESS_LEVEL: The optional access level name, which takes the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. Replace POLICY_ID with the access policy ID, and ACCESS_LEVEL_NAME with the access level name.
  • DEFAULT_DRY_RUN_ACCESS_LEVEL: An optional access level name in the form accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME. Include this flag to apply the specified dry run access level by default to all applications that aren't specified in the YAML.
  • DEFAULT_SESSION_LENGTH: The optional session duration in the hour format, such as 15h for 15 hours, or 2h for two hours.
  • DEFAULT_SESSION_REAUTH_METHOD: The optional method used to challenge users to re-verify their identity, which must be one of the following:

How the --level and --binding-file arguments work together

To remove a default access level or a default dry run access level, provide an empty string, such as --level= or --dry-run-level=. If these arguments are not provided, the update command leaves the default access levels unchanged.

Working with session controls

To remove a session control, set --session-length=0.

API

  • Create a JSON body. Each entry in scopedAccessSettings has a scope and, as its sibling, the activeSettings that apply within that scope.

    {
      "accessLevels": [
        "DEFAULT_ACCESS_LEVEL"
      ],
      "scopedAccessSettings": [
        {
          "scope": {
            "clientScope": {
              "restrictedClientApplication": {
                "clientId": "CLIENT_ID"
              }
            }
          },
          "activeSettings": {
            "accessLevels": [
              "ACCESS_LEVEL_A"
            ],
            "sessionSettings": {
              "sessionLength": "SESSION_LENGTH",
              "sessionReauthMethod": "SESSION_REAUTH_METHOD",
              "sessionLengthEnabled": true
            }
          }
        },
        {
          "scope": {
            "clientScope": {
              "restrictedClientApplication": {
                "name": "CLIENT_NAME"
              }
            }
          },
          "activeSettings": {
            "accessLevels": [
              "ACCESS_LEVEL_C"
            ]
          }
        }
      ]
    }


    Replace the following:

  • Send the PATCH request.

    PATCH https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING?fieldMask=FIELD_MASK

    Replace the following:

    • ACCESS_BINDING: The access binding, in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
    • FIELD_MASK: A required, comma-separated list of the fields that you want to update. It tells the API which parts of the access binding to modify, and it must name the top-level JSON keys in the request body that you want to update: any of accessLevels, dryRunAccessLevels, and scopedAccessSettings.

    If successful, you receive a JSON representation of the updated access binding. If there is a problem, you receive an error message.
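
As an added example (not code from this page or from Google), the following Python helper prepares an update request: it builds the PATCH URL with a fieldMask derived from the top-level keys actually present in the body, so fields you did not include are never touched, and it rejects a body in which activeSettings was placed inside scope instead of beside it. The binding name, policy ID and client ID are placeholders; the function only prepares the request, which you then send as in the curl examples above.

```python
import json

API_ROOT = "https://accesscontextmanager.googleapis.com/v1"
# Top-level request keys that a fieldMask may name (from the page), in mask order.
UPDATABLE_FIELDS = ("accessLevels", "dryRunAccessLevels", "scopedAccessSettings")

def validate_scoped_settings(settings: list) -> None:
    """Every entry needs a 'scope'; 'activeSettings' is its sibling, never nested in scope."""
    for i, entry in enumerate(settings):
        if "scope" not in entry:
            raise ValueError(f"scopedAccessSettings[{i}] has no 'scope'")
        if "activeSettings" in entry["scope"]:
            raise ValueError(f"scopedAccessSettings[{i}]: activeSettings is nested inside scope")

def build_patch_request(access_binding: str, body: dict) -> tuple:
    """Return (url, body) for the PATCH call, with fieldMask derived from the body.

    access_binding takes the form organizations/ORG_ID/gcpUserAccessBindings/NAME.
    The mask names exactly the top-level keys present in body, so a field you
    did not include is left untouched by the update.
    """
    if not body:
        raise ValueError("nothing to update")
    unknown = sorted(set(body) - set(UPDATABLE_FIELDS))
    if unknown:
        raise ValueError(f"cannot be updated through fieldMask: {unknown}")
    prefix, _, name = access_binding.partition("/gcpUserAccessBindings/")
    if not prefix.startswith("organizations/") or not name:
        raise ValueError("access_binding must be organizations/ORG_ID/gcpUserAccessBindings/NAME")
    if "scopedAccessSettings" in body:
        validate_scoped_settings(body["scopedAccessSettings"])
    field_mask = ",".join(k for k in UPDATABLE_FIELDS if k in body)
    return f"{API_ROOT}/{access_binding}?fieldMask={field_mask}", body

if __name__ == "__main__":
    # Constructed request: set the default level and scope one client application.
    url, payload = build_patch_request(
        "organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME",
        {
            "accessLevels": ["accessPolicies/POLICY_ID/accessLevels/device_lock"],
            "scopedAccessSettings": [{
                "scope": {"clientScope": {"restrictedClientApplication": {"clientId": "CLIENT_ID"}}},
                "activeSettings": {"accessLevels": ["accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_A"]},
            }],
        },
    )
    print("PATCH", url)
    print(json.dumps(payload, indent=2))
```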

Delete access bindings

Console

  1. In the Google Cloud console, go to the Access Context Manager page.

    Go to Access Context Manager

  2. If you are prompted, select a project.

  3. On the Access Context Manager page, select an access binding, and then click Delete.

gcloud

    gcloud access-context-manager cloud-bindings delete \
        --binding ACCESS_BINDING

    Replace the following:

  • ACCESS_BINDING: The access binding, in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME.
  • ACCESS_BINDING_NAME: The unique string returned as the name identifier when the access binding was created.

API

    Before using any of the request data, make the following replacements:

  • ACCESS_BINDING: The access binding, in the form organizations/ORG_ID/gcpUserAccessBindings/ACCESS_BINDING_NAME, where ACCESS_BINDING_NAME is the unique string returned as the name identifier when the access binding was created.

    HTTP method and URL:

    DELETE https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING

    To send your request, choose one of these options:

    curl

    Execute the following command:

    curl -X DELETE \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING"

    PowerShell

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://accesscontextmanager.googleapis.com/v1/ACCESS_BINDING" | Select-Object -Expand Content

    You should receive a successful status code (2xx) and an empty response.