This page explains how to enforce certificate-based access (CBA) using context-aware access policies that are based on a user group.
You can restrict access to all Google Cloud services for a user group by binding a CBA access level to that group. The restriction applies to every client application that calls the Google Cloud APIs on behalf of the group's members: first-party applications built by Google, such as the Google Cloud console and the Google Cloud CLI, as well as third-party applications. Optionally, you can limit the restriction to specific client applications, or exempt specific applications from it.
Before you begin
Ensure that you have created a CBA access level that requires certificates when determining access to resources.
Create a user group
Create a user group containing the members that should be granted access based on the CBA access level.
Assign the Cloud Access Binding Admin role
Assign the Cloud Access Binding Admin role to the user group.
Ensure that you are authorized with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin and the Cloud Access Binding Admin roles.
Console
In the console, go to the IAM page.
On the Permissions tab, click Grant access, and then configure the following:
- New principals: Specify the group to which you want to grant the role.
- In the Select a role option, select Access Context Manager > Cloud Access Binding Admin.
- Click Save.
gcloud
Sign in:
gcloud auth login
Assign the GcpAccessAdmin role (displayed in the console as Cloud Access Binding Admin) by running the following command:
gcloud organizations add-iam-policy-binding ORG_ID \
  --member=group:EMAIL \
  --role=roles/accesscontextmanager.gcpAccessAdmin
Replace the following:
- ORG_ID: the ID for your organization. If you don't already have your organization ID, you can find it with:
gcloud organizations list
- EMAIL: the email address of the group you want to grant the role to. The member type must match the principal: use group:EMAIL for a group and user:EMAIL for an individual user.
Bind a CBA access level to a user group
In this binding option, the CBA access level applies to all of the client applications for the user group that you specify.
In the console, go to the Chrome Enterprise Premium page.
Choose an organization, and then click Select.
Click Manage access to choose the user groups that should have access.
Click Add and then configure the following:
- Member groups: Specify the group to which you want to grant access. You can only select groups that are not already bound to an access level.
- Select access levels: Select the CBA access level to apply to the group.
- Click Save.
Bind a CBA access level to a user group and specific applications
Binding a CBA access level to a user group can be too broad when only some of the group's client applications support client certificates: a binding that covers every application also blocks the ones that cannot present a certificate. Use this option to apply the CBA access level only to the applications that support client certificates.
The following example binds a CBA access level to the Google Cloud console, the gcloud CLI, and a user's OAuth application.
Log in to the gcloud CLI:
$ gcloud auth application-default login
Create a policy_file.json file. You can specify applications using their OAuth client ID. To specify Google applications, use the application name, such as Cloud Console for the Google Cloud console. Only the Google Cloud console and Google Cloud SDK Google applications are supported.
{
  "groupKey": "{GROUP_KEY}",
  "restricted_client_applications": [
    {"name": "Cloud Console"},
    {"name": "Google Cloud SDK"},
    {"client_id": "{CLIENT_ID}"}
  ],
  "accessLevels": [
    "{LEVEL}"
  ]
}
Replace GROUP_KEY with the ID of the user group, CLIENT_ID with the OAuth client ID of the third-party application, and LEVEL with the full name of the CBA access level, in the form accessPolicies/POLICY_ID/accessLevels/LEVEL_NAME. The file must be valid JSON: a trailing comma after the last array or field makes the request fail.
Create the CBA access level binding.
$ curl -X POST \
  -H "Authorization: Bearer `gcloud auth application-default print-access-token`" \
  -H "Content-Type: application/json" \
  -H "X-Goog-User-Project: PROJECT_ID" \
  -d @policy_file.json \
  https://accesscontextmanager.googleapis.com/v1/organizations/ORG-ID/gcpUserAccessBindings
Where PROJECT_ID is the Google Cloud project ID and ORG-ID is your organization ID.
(Optional) Update an existing access level binding. The response to the create call includes the binding's name; use that name in the PATCH URL:
$ curl -X PATCH \
  -H "Authorization: Bearer `gcloud auth application-default print-access-token`" \
  -H "Content-Type: application/json" \
  -H "X-Goog-User-Project: PROJECT_ID" \
  -d @policy_file.json \
  https://accesscontextmanager.googleapis.com/v1/POLICY_NAME?update_mask=restricted_client_applications
Where PROJECT_ID is the Google Cloud project ID and POLICY_NAME is the resource name of the binding, in the form organizations/ORG-ID/gcpUserAccessBindings/BINDING_ID. The update_mask limits the change to the restricted_client_applications field; the group and access levels in policy_file.json are left unchanged.
Exempt an application from a binding
Another way to apply a CBA access level without blocking client applications that don't support client certificates is to exempt those applications from the policy.
The following steps assume that you have previously created a CBA access level that requires certificates when determining access to resources.
Create an exemption access level using one of the following methods. The exemption level must match every request, so that the bound applications are never blocked for lack of a certificate:
- Custom access level: Provide true as the value in the CEL expression condition.
- Basic access level: Create an IP range-based access level and provide 0.0.0.0/0 as the value for IP subnetworks (this matches every IPv4 address).
Create an exemption_file.json file. You must select a group that is different from the group used in the Bind a CBA access level to a user group option, because you can apply only one binding to a group.
{
  "groupKey": "{GROUP_KEY}",
  "restricted_client_applications": [
    {"client_id": "{CLIENT_ID}"}
  ],
  "accessLevels": [
    "{LEVEL}"
  ]
}
Replace GROUP_KEY with the ID of the exemption group, CLIENT_ID with the OAuth client ID of the application that does not support client certificates, and LEVEL with the full name of the exemption access level, in the form accessPolicies/POLICY_ID/accessLevels/LEVEL_NAME.
Create the exemption binding policy.
$ curl -X POST \
  -H "Authorization: Bearer `gcloud auth application-default print-access-token`" \
  -H "Content-Type: application/json" \
  -H "X-Goog-User-Project: PROJECT_ID" \
  -d @exemption_file.json \
  https://accesscontextmanager.googleapis.com/v1/organizations/ORG-ID/gcpUserAccessBindings
Where PROJECT_ID is the Google Cloud project ID and ORG-ID is your organization ID.
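The two procedures above (binding a CBA access level to a group and specific applications, and exempting an application through a second group) hand-edit JSON files and post them with curl, which makes the two mistakes the page warns about easy to make: naming a Google application the API does not support, and reusing a group that already has a binding. The following script is an added example written for this page; it is not Google's tooling. It builds both request bodies, checks them against those two rules, and by default only prints the request it would send; with apply=True it sends the request with the same application-default credential the curl commands use. The organization, project, group and client IDs in main() are constructed placeholders, and the accessPolicies/.../accessLevels/... form of the level name is the one the gcpUserAccessBindings API expects.

```python
"""Build, validate and optionally submit CBA group bindings.

Added example for this page, not Google's own tooling. All IDs in main()
are constructed placeholders.
"""
import json
import subprocess
import urllib.request

API = "https://accesscontextmanager.googleapis.com/v1"

# The page states that only these two Google applications can be named.
SUPPORTED_GOOGLE_APPS = {"Cloud Console", "Google Cloud SDK"}


def build_binding(group_key, access_level, app_names=(), client_ids=()):
    """Return the request body for one GcpUserAccessBinding.

    group_key    -- the Google group's ID (not its email address)
    access_level -- accessPolicies/POLICY_ID/accessLevels/LEVEL_NAME
    app_names    -- Google applications restricted by name
    client_ids   -- third-party applications restricted by OAuth client ID
    With no applications listed, the binding covers every client application.
    """
    if not access_level.startswith("accessPolicies/") or "/accessLevels/" not in access_level:
        raise ValueError(f"access level must be a full resource name: {access_level!r}")
    unsupported = set(app_names) - SUPPORTED_GOOGLE_APPS
    if unsupported:
        raise ValueError(f"unsupported Google application name(s): {sorted(unsupported)}")
    apps = [{"name": n} for n in app_names] + [{"client_id": c} for c in client_ids]
    body = {"groupKey": group_key, "accessLevels": [access_level]}
    if apps:
        body["restricted_client_applications"] = apps
    return body


def check_one_binding_per_group(bindings):
    """Reject a set of bindings that reuses a group; return a group -> binding map."""
    by_group = {}
    for binding in bindings:
        group = binding["groupKey"]
        if group in by_group:
            raise ValueError(
                f"group {group} already has a binding; an exemption needs its own group")
        by_group[group] = binding
    return by_group


def _token():
    # Same credential the page's curl commands use.
    return subprocess.check_output(
        ["gcloud", "auth", "application-default", "print-access-token"], text=True).strip()


def _request(method, url, project_id, body, apply):
    """Dry run by default: return the request that would be sent. With apply=True, send it."""
    if not apply:
        return {"method": method, "url": url, "body": body}
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {_token()}",
                 "Content-Type": "application/json",
                 "X-Goog-User-Project": project_id})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_binding(org_id, project_id, body, apply=False):
    """POST a new binding under the organization."""
    return _request("POST", f"{API}/organizations/{org_id}/gcpUserAccessBindings",
                    project_id, body, apply)


def update_binding(binding_name, project_id, body, apply=False):
    """PATCH the applications of an existing binding. binding_name is the 'name'
    returned by create_binding: organizations/ORG_ID/gcpUserAccessBindings/BINDING_ID."""
    url = f"{API}/{binding_name}?update_mask=restricted_client_applications"
    return _request("PATCH", url, project_id, body, apply)


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    CBA_LEVEL = "accessPolicies/123456789/accessLevels/require_client_cert"
    EXEMPT_LEVEL = "accessPolicies/123456789/accessLevels/always_allow"
    restricted = build_binding("0example1", CBA_LEVEL,
                               app_names=["Cloud Console", "Google Cloud SDK"],
                               client_ids=["1234-abcd.apps.googleusercontent.com"])
    exemption = build_binding("0example2", EXEMPT_LEVEL,
                              client_ids=["5678-efgh.apps.googleusercontent.com"])
    check_one_binding_per_group([restricted, exemption])  # raises if a group is reused
    for body in (restricted, exemption):
        print(json.dumps(create_binding("ORG_ID", "PROJECT_ID", body), indent=2))
```

Run it once without apply to review the two request bodies, then pass apply=True to create_binding for each. The exemption binding points a different group at the always-true level, so members of that group keep using the listed application without a certificate while the first binding still enforces certificates for everything else.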