
Access Context Manager in GCP - Commands & Configuration

Introduction
Access Context Manager lets you define access levels: rules that grant or deny access to Google Cloud resources based on the context of a request, such as the caller's source IP range, geographic region, device posture, or identity. An access level does nothing on its own; it takes effect when a VPC Service Controls service perimeter, an IAM condition, or a Context-Aware Access policy references it. Typical uses:
  • Allowing employees to reach cloud services only from the office network.
  • Blocking access from devices that are unmanaged or fail a posture check such as screen lock or minimum OS version.
  • Restricting access to sensitive data based on the user's geographic region.
  • Applying stricter conditions (for example, requiring a corporate-owned device) only in risky contexts such as requests from outside the corporate network.
  • Combining user identity and device posture in a single rule.
Config File - access_policy.yaml
access_policy.yaml
accessPolicies:
- name: accessPolicies/1234567890
  title: "Example Access Policy"
  parent: "organizations/1234567890"
  accessLevels:
  - name: accessPolicies/1234567890/accessLevels/office_access
    title: "Office Access Level"
    basic:
      conditions:
      - ipSubnetworks:
        - "192.168.1.0/24"
        devicePolicy:
          requireScreenlock: true
          osConstraints:
          - osType: "DESKTOP_WINDOWS"
            minimumVersion: "10.0.0"
  servicePerimeters:
  - name: accessPolicies/1234567890/servicePerimeters/perimeter1
    title: "Example Perimeter"
    status:
      resources:
      - "projects/1234567890"
      restrictedServices:
      - "storage.googleapis.com"
      accessLevels:
      - "accessPolicies/1234567890/accessLevels/office_access"

This YAML file shows the three object types of an Access Context Manager policy for an organization, laid out the way the API represents them. gcloud does not consume the whole file as one input: an access level's conditions are passed to 'levels create' as a spec file, and a file holding a list of levels or perimeters can be applied with 'levels replace-all' or 'perimeters replace-all' using --source-file.

  • accessPolicies: The container for an organization's access levels and perimeters. Each organization has one organization-level policy, whose name is a numeric ID, and its parent is the organization.
  • accessLevels: Named sets of conditions. Every populated field inside one condition must hold (the IP range and the device policy above are ANDed), and by default every condition in the list must hold unless combiningFunction is set to OR. The 192.168.1.0/24 range is a placeholder: Google evaluates the public source address of the request, so a real level needs your office's public egress range. minimumVersion must be written as major.minor.patch.
  • servicePerimeters: VPC Service Controls boundaries around the listed projects (given by project number). Requests from outside the perimeter to a restricted service are denied unless a linked access level is satisfied; unrestricted services and traffic that originates inside the perimeter are unaffected.
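To make those combination rules concrete, here is an added Python simulation (not code from the page or from Google) of how the level and perimeter above decide a request. It encodes the documented semantics: every populated field in one condition is ANDed, conditions are ANDed unless combiningFunction is OR, an osConstraints list is satisfied by any one entry, and a perimeter only denies requests for its own resources and restricted services that arrive from outside it without satisfying a linked level. The request keys (project, service, source_ip, device, inside_perimeter) are this example's own names, the policy dict mirrors access_policy.yaml, and the request contexts are constructed. It models ingress to the perimeter only; egress rules and ingress/egress policies are out of scope here.

```python
"""Offline simulation of how a basic access level and a service perimeter decide a request."""
import ipaddress

# The page's access_policy.yaml as a dict (constructed to mirror it; levels keyed by short name).
POLICY = {
    "accessLevels": {"office_access": {"basic": {"conditions": [{
        "ipSubnetworks": ["192.168.1.0/24"],
        "devicePolicy": {"requireScreenlock": True,
                         "osConstraints": [{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.0"}]},
    }]}}},
    "servicePerimeters": {"perimeter1": {
        "resources": ["projects/1234567890"],
        "restrictedServices": ["storage.googleapis.com"],
        "accessLevels": ["accessPolicies/1234567890/accessLevels/office_access"],
    }},
}


def _ver(v):
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def device_policy_ok(dp, device):
    """Every populated DevicePolicy field must hold; osConstraints is satisfied by any one entry
    (an unset minimumVersion accepts any version of that OS)."""
    if dp.get("requireScreenlock") and not device.get("screenlock"):
        return False
    constraints = dp.get("osConstraints", [])
    if constraints and not any(
        c["osType"] == device.get("osType")
        and _ver(device.get("osVersion", "0.0.0")) >= _ver(c.get("minimumVersion", "0.0.0"))
        for c in constraints
    ):
        return False
    return True


def condition_ok(cond, ctx):
    """A Condition is an AND over its populated fields."""
    if "ipSubnetworks" in cond:
        ip = ipaddress.ip_address(ctx["source_ip"])
        if not any(ip in ipaddress.ip_network(n) for n in cond["ipSubnetworks"]):
            return False
    if "regions" in cond and ctx.get("region") not in cond["regions"]:
        return False
    if "devicePolicy" in cond and not device_policy_ok(cond["devicePolicy"], ctx.get("device", {})):
        return False
    return True


def level_ok(level, ctx):
    """Basic level: AND across conditions by default, OR when combiningFunction is OR."""
    basic = level["basic"]
    results = [condition_ok(c, ctx) for c in basic["conditions"]]
    return any(results) if basic.get("combiningFunction") == "OR" else all(results)


def perimeter_decision(policy, perimeter_name, req):
    """Return ('allow' | 'deny', reason) for an ingress request. req keys: project, service,
    source_ip, device, and optionally inside_perimeter (caller is a project in the perimeter)."""
    per = policy["servicePerimeters"][perimeter_name]
    if req["project"] not in per["resources"]:
        return "allow", "target project is not protected by this perimeter"
    if req["service"] not in per["restrictedServices"]:
        return "allow", f"{req['service']} is not a restricted service in this perimeter"
    if req.get("inside_perimeter"):
        return "allow", "request originates inside the perimeter"
    for name in per["accessLevels"]:
        if level_ok(policy["accessLevels"][name.rsplit("/", 1)[-1]], req):
            return "allow", f"access level {name} satisfied"
    return "deny", "outside the perimeter and no linked access level satisfied"


if __name__ == "__main__":
    # Constructed request contexts.
    office = {"project": "projects/1234567890", "service": "storage.googleapis.com",
              "source_ip": "192.168.1.50",
              "device": {"screenlock": True, "osType": "DESKTOP_WINDOWS", "osVersion": "10.0.19045"}}
    cases = {
        "office laptop": office,
        "same laptop from home": dict(office, source_ip="203.0.113.7"),
        "office, screen lock off": dict(office, device=dict(office["device"], screenlock=False)),
        "office, Windows 8.1": dict(office, device=dict(office["device"], osVersion="6.3.9600")),
        "home, unrestricted service": dict(office, source_ip="203.0.113.7", service="compute.googleapis.com"),
        "workload inside perimeter": dict(office, source_ip="10.0.0.9", inside_perimeter=True),
    }
    for label, req in cases.items():
        print(f"{label:28s} -> {perimeter_decision(POLICY, 'perimeter1', req)}")
```

Note that the private source address only "works" here because the simulation sees whatever address you hand it; in production the address evaluated is the one Google's front end observes, which is why the office's public egress range belongs in ipSubnetworks.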
Commands
Lists the Access Context Manager policies for your organization; the organization ID is required.
Terminal
gcloud access-context-manager policies list --organization=1234567890
Expected Output
NAME        TITLE
1234567890  Example Access Policy
Creates the organization-level Access Context Manager policy with a title. An organization can have only one organization-level policy, so this runs once; the later commands refer to it by the numeric ID printed here.
Terminal
gcloud access-context-manager policies create --organization=1234567890 --title="Example Access Policy"
Expected Output
Created access policy [1234567890].
--organization - Specifies the organization ID where the policy is created
--title - Sets a friendly name for the policy
Creates an access level named 'office_access' from a spec file. gcloud does not accept conditions as individual flags: the list under 'conditions' in access_policy.yaml above (one condition carrying the ipSubnetworks range and the devicePolicy), saved on its own as office_access.yaml, is passed with --basic-level-spec.
Terminal
gcloud access-context-manager levels create office_access --policy=1234567890 --title="Office Access Level" --basic-level-spec=office_access.yaml
Expected Output
Created access level [office_access].
--policy - Specifies the policy ID the access level belongs to
--basic-level-spec - YAML file holding the list of conditions; fields inside one condition are ANDed
--combine-function - Optional; AND (the default) or OR across the conditions in the spec
Creates a service perimeter named 'perimeter1' around project 1234567890 (a project number, not a project ID). Requests from outside the perimeter to Cloud Storage resources in that project are denied unless they satisfy the 'office_access' level; other services in the project, and traffic originating inside the perimeter, are unaffected. For a project that already has users, create the perimeter in dry-run mode first (gcloud access-context-manager perimeters dry-run create) and review the would-be denials recorded in Cloud Audit Logs before enforcing it, because an enforced perimeter cuts off every legitimate caller that is neither inside it nor covered by a linked level.
Terminal
gcloud access-context-manager perimeters create perimeter1 --policy=1234567890 --title="Example Perimeter" --resources=projects/1234567890 --restricted-services=storage.googleapis.com --access-levels=office_access
Expected Output
Created service perimeter [perimeter1].
--policy - Specifies the policy ID the perimeter belongs to
--resources - Lists the projects inside the perimeter, as projects/PROJECT_NUMBER
--restricted-services - Specifies which services the perimeter protects
--access-levels - Links access levels whose conditions let requests from outside the perimeter reach the restricted services
Lists the service perimeters under the policy to verify creation; 'perimeters describe' on a single perimeter additionally shows its resources, restricted services and linked access levels.
Terminal
gcloud access-context-manager perimeters list --policy=1234567890
Expected Output
NAME        TITLE
perimeter1  Example Perimeter
--policy - Specifies the policy whose perimeters to list
Key Concept

If you remember nothing else from this pattern, remember: Access Context Manager lets you express access levels, rules based on source network, region, device posture and identity, and those rules only take effect where a service perimeter, an IAM condition, or a Context-Aware Access policy references them.

Common Mistakes
Not specifying the correct organization ID when creating or listing policies.
The command fails, or the policy lands under the wrong organization and none of its levels or perimeters apply to the projects you meant to protect.
Pass the organization's numeric ID (not its domain name) with --organization and confirm it with policies list.
Creating access levels with the wrong IP ranges or device requirements.
A private range such as 192.168.1.0/24 never matches because Google evaluates the request's public source address, so the level silently denies everyone; a CIDR block with host bits set, or a minimumVersion that is not written as major.minor.patch, is rejected by the API.
Use your office's public egress range, truncated to its network address, and device policies that match your fleet; test the level behind a dry-run perimeter before enforcing.
Not linking access levels to service perimeters.
Without a linked access level, every request from outside the perimeter to a restricted service is denied, however well the caller's context would have matched the level.
Specify --access-levels when creating or updating the perimeter, and check the result with perimeters describe.
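The three mistakes above can be caught before anything is pushed with gcloud. The following Python lint is an added example (not the page's or Google's code), run over a dict that mirrors access_policy.yaml and over a constructed copy seeded with the mistakes. The check list, the severity labels and the RFC 1918 heuristic for "private range" are this example's own choices; it does not attempt full validation against the API schema.

```python
"""Pre-flight lint for an Access Context Manager policy before applying it with gcloud."""
import copy
import ipaddress
import re

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")          # osConstraints.minimumVersion format
DEVICE_FIELDS = {"requireScreenlock", "osConstraints", "allowedEncryptionStatuses",
                 "allowedDeviceManagementLevels", "requireAdminApproval", "requireCorpOwned"}
# Heuristic: ranges Google's front end will never see as a source address.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# The page's access_policy.yaml as a dict (constructed to mirror it; levels keyed by short name).
PAGE_POLICY = {
    "accessLevels": {"office_access": {"basic": {"conditions": [{
        "ipSubnetworks": ["192.168.1.0/24"],
        "devicePolicy": {"requireScreenlock": True,
                         "osConstraints": [{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.0"}]},
    }]}}},
    "servicePerimeters": {"perimeter1": {
        "resources": ["projects/1234567890"],
        "restrictedServices": ["storage.googleapis.com"],
        "accessLevels": ["accessPolicies/1234567890/accessLevels/office_access"],
    }},
}

# A constructed copy carrying the mistakes the lint is meant to catch.
BAD_POLICY = copy.deepcopy(PAGE_POLICY)
_cond = BAD_POLICY["accessLevels"]["office_access"]["basic"]["conditions"][0]
_cond["ipSubnetworks"] = ["192.168.1.5/24"]                                   # host bits set
_cond["devicePolicy"] = {"requireScreenLock": True,                           # wrong capitalisation
                         "osConstraints": [{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10"}]}
BAD_POLICY["servicePerimeters"]["perimeter1"]["accessLevels"] = ["accessLevels/corp_vpn"]  # undefined
BAD_POLICY["servicePerimeters"]["perimeter1"]["resources"] = ["projects/my-project-id"]     # ID, not number


def lint_policy(policy):
    """Return a list of (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    levels = policy.get("accessLevels", {})
    for lname, level in levels.items():
        for i, cond in enumerate(level["basic"]["conditions"]):
            where = f"accessLevels/{lname} conditions[{i}]"
            if not cond:
                findings.append(("ERROR", f"{where}: empty condition, set at least one field"))
            for cidr in cond.get("ipSubnetworks", []):
                try:
                    net = ipaddress.ip_network(cidr)   # strict: rejects a block with host bits set
                except ValueError as exc:
                    findings.append(("ERROR", f"{where}: bad CIDR {cidr!r} ({exc})"))
                    continue
                if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE):
                    findings.append(("WARN", f"{where}: {cidr} is a private range; Google evaluates the "
                                             "public source address, so use the office egress range"))
            dp = cond.get("devicePolicy", {})
            for key in dp:
                if key not in DEVICE_FIELDS:
                    hint = " (did you mean requireScreenlock?)" if key.lower() == "requirescreenlock" else ""
                    findings.append(("ERROR", f"{where}: unknown devicePolicy field {key!r}{hint}"))
            for c in dp.get("osConstraints", []):
                ver = c.get("minimumVersion")
                if ver is not None and not VERSION_RE.match(ver):
                    findings.append(("ERROR", f"{where}: minimumVersion {ver!r} must be major.minor.patch"))
    for pname, per in policy.get("servicePerimeters", {}).items():
        where = f"servicePerimeters/{pname}"
        if not per.get("accessLevels"):
            findings.append(("WARN", f"{where}: no access level linked; every request from outside the "
                                     "perimeter to its restricted services will be denied"))
        for ref in per.get("accessLevels", []):
            if ref.rsplit("/", 1)[-1] not in levels:
                findings.append(("ERROR", f"{where}: references undefined access level {ref!r}"))
        for res in per.get("resources", []):
            if not re.fullmatch(r"projects/\d+", res):
                findings.append(("ERROR", f"{where}: resource {res!r} must use the project number"))
    return findings


if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("bad policy", BAD_POLICY)):
        print(f"== {name}")
        for sev, msg in lint_policy(pol):
            print(f"{sev}: {msg}")
```

Run as a pre-commit step on the YAML you feed to replace-all (after loading it with a YAML parser), the lint turns the silent failures of a mis-typed policy into an error before the API, or worse a production user, reports them.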
Summary
Use gcloud commands to create and manage Access Context Manager policies, access levels, and service perimeters.
Access levels define conditions like allowed IP ranges and device security for access.
Service perimeters deny requests from outside the perimeter to their restricted services unless a linked access level is satisfied.