Approve or deny grants with Privileged Access Manager
When an entitlement has an approval workflow, principals that are specifiedas approvers can approve or deny grant requests for that entitlement.
If the Security Command Center Premium or Enterprise tier is activated at the organizationlevel, then the approval workflow can have two levels of approvals. An approvercan be in one or both approval levels, but can only approve once. After therequired number of first-level approvals are received, email notifications are sentto second-level approvers. After the required number of second-level approvalsare received, the grant moves to theactivestate. If any approver denies the grant, then the grant moves to thedeniedstate and is not sent to any additional approvers. This feature is availableinpreview.
Keep the following in mind when approving or denying a grant request against anentitlement:
You can't approve your own request.
If a request isn't approved or denied in 24 hours, the grant status is changedto
expired. After this, a principal must make a new grant request ifprivilege elevation is still required.
Approve or deny grants using the Google Cloud console
To approve or deny a grant request that has been made against an entitlement,complete the following instructions:
Go to thePrivileged Access Manager page.
Click theApprove grants tab, followed by thePending approvaltab.
Note: Grants created on entitlements that are inherited from a parentresource appear in thePending Approval tab of the parent resource.In the row related to the request you want to approve or deny, clickApprove/deny.
If a justification is required, enter it in theComment field.You can view the history of the grant in theHistory tab.
Click eitherApprove orDeny.
You can view your approval history in theMy approval history tab. Approvalhistory is available for 30 days after an approval action has been taken.Grants created on entitlements that are inherited from a parentresource appear in the approval history of the parent resource.
Approve or deny grants programmatically
To approve or deny grants, you need to complete the following actions:
Search for entitlements you're an approver on.
With the relevant entitlement ID, search for grant requests you can approveor deny.
Approve or deny the grant requests.
Search for entitlements you're an approver on
gcloud
Thegcloud pam entitlements search command with thegrant-approver caller access type searches for entitlements on which you are an approver.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the valueorganization,folder, orproject.RESOURCE_ID: Used withRESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloudpamentitlementssearch\--caller-access-type=grant-approver\--location=global\--RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloudpamentitlementssearch`--caller-access-type=grant-approver`--location=global`--RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloudpamentitlementssearch^--caller-access-type=grant-approver^--location=global^--RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
additionalNotificationTargets: {}approvalWorkflow: manualApprovals: requireApproverJustification: true steps: - approvalsNeeded: 1 approvers: - principals: - user:alex@example.comcreateTime: '22024-03-26T11:07:37.009498890Z'etag: 00000000000000000000000000000000000000000000000000000000000=maxRequestDuration: 3600sname: projects/my-project/locations/global/entitlements/ENTITLEMENT_IDprivilegedAccess: gcpIamAccess: resource: //cloudresourcemanager.googleapis.com/projects/my-project resourceType: cloudresourcemanager.googleapis.com/Project roleBindings: - role: roles/storage.adminrequesterJustificationConfig: notMandatory: {}state: AVAILABLEupdateTime: '2024-03-26T11:07:40.056780645Z'REST
The Privileged Access Manager API'ssearchEntitlements method with theGRANT_APPROVER caller access type searches for entitlements on which you are an approver.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format oforganizations/ORGANIZATION_ID,folders/FOLDER_ID, orprojects/PROJECT_ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.FILTER: Optional. Returns entitlements whose field values match an AIP-160 expression.PAGE_SIZE: Optional. The number of items to return in a response.PAGE_TOKEN: Optional. Which page to start the response from, using a page token returned in a previous response.
HTTP method and URL:
GET https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements:search?callerAccessType=GRANT_APPROVER&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements:search?callerAccessType=GRANT_APPROVER&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements:search?callerAccessType=GRANT_APPROVER&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
[ { "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID", "createTime": "2023-11-21T17:28:39.962144708Z", "updateTime": "2023-11-21T17:28:43.160309410Z", "eligibleUsers": [ { "principals": [ "user:alex@example.com" ] } ], "approvalWorkflow": { "manualApprovals": { "steps": [ { "approvers": [ { "principals": [ "user:bola@example.com" ] } ], "approvalsNeeded": 1 } ] } }, "privilegedAccess": { "gcpIamAccess": { "resourceType": "cloudresourcemanager.googleapis.com/Project", "resource": "//cloudresourcemanager.googleapis.com/projects/my-project", "roleBindings": [ { "role": "roles/storage.admin" } ] } }, "maxRequestDuration": "14400s", "state": "AVAILABLE", "requesterJustificationConfig": { "unstructured": {} }, "additionalNotificationTargets": { "adminEmailRecipients": [ "alex@example.com" ] }, "etag": "00000000000000000000000000000000000000000000000000000000000=" }]Search for grant requests you can approve or deny
gcloud
Thegcloud alpha pam grants search command searches for a grant you can approve or deny, or have already approved or denied. This method doesn't require specific Privileged Access Manager permissions to use.
Before using any of the command data below, make the following replacements:
ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to. You can retrieve the ID by searching for entitlements you're an approver on.CALLER_RELATIONSHIP_TYPE: Use one of the following values:had-approved: Returns grants the caller has approved or denied.can-approve: Returns grants the caller can approve or deny.
RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the valueorganization,folder, orproject.RESOURCE_ID: Used withRESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloudalphapamgrantssearch\--entitlement=ENTITLEMENT_ID\--caller-relationship=CALLER_RELATIONSHIP_TYPE\--location=global\--RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloudalphapamgrantssearch`--entitlement=ENTITLEMENT_ID`--caller-relationship=CALLER_RELATIONSHIP_TYPE`--location=global`--RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloudalphapamgrantssearch^--entitlement=ENTITLEMENT_ID^--caller-relationship=CALLER_RELATIONSHIP_TYPE^--location=global^--RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
additionalEmailRecipients:- bola@example.comcreateTime: '2024-03-07T00:34:32.557017289Z'justification: unstructuredJustification: Renaming a file to mitigate issue #312name: projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_IDprivilegedAccess: gcpIamAccess: resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID resourceType: cloudresourcemanager.googleapis.com/Project roleBindings: - role: roles/storage.admin id: hwqrt_1requestedDuration: 3600srequestedPrivilegedAccess: gcpIamAccess: resource: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID resourceType: cloudresourcemanager.googleapis.com/Project roleBindings: - role: roles/storage.admin entitlementRoleBindingId: hwqrt_1requester: cruz@example.comstate: DENIEDtimeline: events: - eventTime: '2024-03-07T00:34:32.793769042Z' requested: expireTime: '2024-03-08T00:34:32.793769042Z' - denied: actor: alex@example.com reason: Issue has already been resolved eventTime: '2024-03-07T00:36:08.309116203Z'updateTime: '2024-03-07T00:34:32.926967128Z'
REST
The Privileged Access Manager API'ssearchGrants method searches for a grant you can approve or deny, or have already approved or denied. This method doesn't require specific Privileged Access Manager permissions to use.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format oforganizations/ORGANIZATION_ID,folders/FOLDER_ID, orprojects/PROJECT_ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to. You can retrieve the ID by searching for entitlements you're an approver on.RELATIONSHIP_TYPE: Valid values are:HAD_APPROVED: Returns grants the caller has previously approved or denied.CAN_APPROVE: Returns grants the caller can approve or deny.
FILTER: Optional. Returns grants whose field values match an AIP-160 expression.PAGE_SIZE: Optional. The number of items to return in a response.PAGE_TOKEN: Optional. Which page to start the response from, using a page token returned in a previous response.
HTTP method and URL:
GET https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://privilegedaccessmanager.googleapis.com/v1beta/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants:search?callerRelationship=RELATIONSHIP_TYPE&filter=FILTER&pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "grants": [ { "name": "projects/PROJECT_ID/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID", "createTime": "2024-03-06T03:08:49.330577625Z", "updateTime": "2024-03-06T03:08:49.625874598Z", "requester": "alex@example.com", "requestedDuration": "3600s", "justification": { "unstructuredJustification": "Emergency service for outage" }, "state": "APPROVAL_AWAITED", "timeline": { "events": [ { "eventTime": "2024-03-06T03:08:49.462765846Z", "requested": { "expireTime": "2024-03-07T03:08:49.462765846Z" } } ] }, "privilegedAccess": { "gcpIamAccess": { "resourceType": "cloudresourcemanager.googleapis.com/Project", "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "roleBindings": [ { "role": "roles/storage.admin" "id": "hwqrt_1" } ] } }, "requestedPrivilegedAccess": { "gcpIamAccess": { "resourceType": "cloudresourcemanager.googleapis.com/Project", "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "roleBindings": [ { "role": "roles/storage.admin", "entitlementRoleBindingId": "hwqrt_1" } ] } }, "additionalEmailRecipients": [ "bola@google.com" ] } ]}Approve grants programmatically
gcloud
Thegcloud pam grants describe command approves a specific grant request.
Before using any of the command data below, make the following replacements:
GRANT_ID: The ID of the grant you're approving. You can retrieve the ID by searching for grant requests you can approve or deny.ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.APPROVAL_REASON: Why the grant has been approved.RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the valueorganization,folder, orproject.RESOURCE_ID: Used withRESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloudpamgrantsapprove\GRANT_ID\--entitlement=ENTITLEMENT_ID\--reason="APPROVAL_REASON"\--location=global\--RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloudpamgrantsapprove`GRANT_ID`--entitlement=ENTITLEMENT_ID`--reason="APPROVAL_REASON"`--location=global`--RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloudpamgrantsapprove^GRANT_ID^--entitlement=ENTITLEMENT_ID^--reason="APPROVAL_REASON"^--location=global^--RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
createTime: '2024-04-05T01:17:04.596455403Z'justification: unstructuredJustification: Renaming a file to mitigate issue #312name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_IDprivilegedAccess: gcpIamAccess: resource: //cloudresourcemanager.googleapis.com/projects/my-project resourceType: cloudresourcemanager.googleapis.com/Project roleBindings: - role: roles/storage.adminrequestedDuration: 2700srequester: cruz@example.comstate: SCHEDULEDtimeline: events: - eventTime: '2024-04-05T01:17:04.732226659Z' requested: expireTime: '2024-04-06T01:17:04.732226659Z' - approved: actor: alex@example.com reason: Access allowed under existing policy eventTime: '2024-04-05T01:21:49.139539732Z' - eventTime: '2024-04-05T01:21:49.139463954Z' scheduled: scheduledActivationTime: '2024-04-05T01:21:49.139463954Z'updateTime: '2024-04-05T01:21:49.139463954Z'
REST
The Privileged Access Manager API'sapproveGrant method approves a specific grant request.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format oforganizations/ORGANIZATION_ID,folders/FOLDER_ID, orprojects/PROJECT_ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.GRANT_ID: The ID of the grant you are approving. You can retrieve the ID by searching for grant requests you can approve or deny.REASON: The reason the grant request was approved.
HTTP method and URL:
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:approve
Request JSON body:
{ "reason": "REASON"}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:approve"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:approve" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID", "createTime": "2024-03-06T03:08:49.330577625Z", "updateTime": "2024-03-06T23:01:13.964619844Z", "requester": "alex@example.com", "requestedDuration": "3600s", "justification": { "unstructuredJustification": "Emergency service for outage" }, "state": "SCHEDULED", "timeline": { "events": [ { "eventTime": "2024-03-06T03:08:49.462765846Z", "requested": { "expireTime": "2024-03-07T03:08:49.462765846Z" } }, { "eventTime": "2024-03-06T23:01:13.964685709Z", "approved": { "reason": "Approved escalation", "actor": "cruz@example.com" } }, { "eventTime": "2024-03-06T23:01:13.964619844Z", "scheduled": { "scheduledActivationTime": "2024-03-06T23:01:13.964619844Z" } } ] }, "privilegedAccess": { "gcpIamAccess": { "resourceType": "cloudresourcemanager.googleapis.com/Project", "resource": "//cloudresourcemanager.googleapis.com/projects/my-project", "roleBindings": [ { "role": "roles/storage.admin" } ] } }, "additionalEmailRecipients": [ "bola@example.com.com" ]}Deny grants programmatically
gcloud
Thegcloud pam grants describe command denies a specific grant request.
Before using any of the command data below, make the following replacements:
GRANT_ID: The ID of the grant you're denying. You can retrieve the ID by searching for grants you can approve or deny.ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.DENIAL_REASON: Why the grant has been denied.RESOURCE_TYPE: Optional. The resource type that the entitlement belongs to. Use the valueorganization,folder, orproject.RESOURCE_ID: Used withRESOURCE_TYPE. The ID of the Google Cloud project, folder, or organization that you want to manage entitlements for. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloudpamgrantsdeny\GRANT_ID\--entitlement=ENTITLEMENT_ID\--reason="DENIAL_REASON"\--location=global\--RESOURCE_TYPE=RESOURCE_ID
Windows (PowerShell)
gcloudpamgrantsdeny`GRANT_ID`--entitlement=ENTITLEMENT_ID`--reason="DENIAL_REASON"`--location=global`--RESOURCE_TYPE=RESOURCE_ID
Windows (cmd.exe)
gcloudpamgrantsdeny^GRANT_ID^--entitlement=ENTITLEMENT_ID^--reason="DENIAL_REASON"^--location=global^--RESOURCE_TYPE=RESOURCE_ID
You should receive a response similar to the following:
createTime: '2024-04-05T01:29:13.129192816Z'justification: unstructuredJustification: Renaming a file to mitigate issue #312name: projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_IDprivilegedAccess: gcpIamAccess: resource: //cloudresourcemanager.googleapis.com/projects/my-project resourceType: cloudresourcemanager.googleapis.com/Project roleBindings: - role: roles/storage.adminrequestedDuration: 2700srequester: cruz@example.comstate: DENIEDtimeline: events: - eventTime: '2024-04-05T01:29:13.267878626Z' requested: expireTime: '2024-04-06T01:29:13.267878626Z' - denied: actor: alex@example.com reason: Access denied under existing policy eventTime: '2024-04-05T01:29:49.492161363Z'updateTime: '2024-04-05T01:29:49.492097724Z'
REST
The Privileged Access Manager API'sdenyGrant method denies a specific grant request.
Before using any of the request data, make the following replacements:
SCOPE: The organization, folder, or project that the entitlement is in, in the format oforganizations/ORGANIZATION_ID,folders/FOLDER_ID, orprojects/PROJECT_ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.ENTITLEMENT_ID: The ID of the entitlement that the grant belongs to.GRANT_ID: The ID of the grant you are denying. You can retrieve the ID by searching for grants you can approve or deny.REASON: The reason the grant request was denied.
HTTP method and URL:
POST https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:deny
Request JSON body:
{ "reason": "REASON"}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:deny"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://privilegedaccessmanager.googleapis.com/v1/SCOPE/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID:deny" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "name": "projects/my-project/locations/global/entitlements/ENTITLEMENT_ID/grants/GRANT_ID", "createTime": "2024-03-07T00:34:32.557017289Z", "updateTime": "2024-03-07T00:36:08.309046580Z", "requester": "alex@example.com", "requestedDuration": "3600s", "justification": { "unstructuredJustification": "Emergency service for outage" }, "state": "DENIED", "timeline": { "events": [ { "eventTime": "2024-03-07T00:34:32.793769042Z", "requested": { "expireTime": "2024-03-08T00:34:32.793769042Z" } }, { "eventTime": "2024-03-07T00:36:08.309116203Z", "denied": { "reason": "Outage already resolved", "actor": "cruz@example.com" } } ] }, "privilegedAccess": { "gcpIamAccess": { "resourceType": "cloudresourcemanager.googleapis.com/Project", "resource": "//cloudresourcemanager.googleapis.com/projects/my-project", "roleBindings": [ { "role": "roles/storage.admin" } ] } }, "additionalEmailRecipients": [ "bola@example.com" ]}Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-09 UTC.