Skip to content

Access Management using PAM

This section walks you through the process of requesting and granting access via the Privileged Access Manager (PAM) console in GCP.

Request Access Grants with PAM

You can request a grant using the Google Cloud Console

  • Navigate to PAM:

    • Go to the Google Cloud Console.
    • Navigate to your desired project for requesting elevated access.
    • Go to IAM & Admin > PAM in the navigation menu.

    PAM Navigation

  • Locate the entitlement:

    • Go to the MY ENTITLEMENTS tab.
    • Locate the entitlement for which you want to request a grant. To learn more about choosing the right entitlements, click here ⧉ PAM Navigation

  • Request a grant:

    • In the same row as the entitlement, click Request grant. PAM Navigation

  • Provide details:

    • Duration: Specify the required duration for the grant, up to the maximum duration set on the entitlement.
    • Justification (required): If the entitlement mandates it, provide a clear justification for why you need the elevated access.
    • Optional notifications: You can add additional email addresses to be notified about the grant request. Approvers (Google identities associated with the entitlement) are automatically notified. PAM Navigation

  • Submit request: Click REQUEST GRANT.

  • Check status: To view your grant history and approval statuses, go to the Grants tab, then the GRANTS tab. PAM Navigation

Important notes:

  • Successful grant requests might take a few minutes to take effect.
  • You can only have one active grant against an entitlement at a time.
  • If a grant request requires approval and is not approved or denied within 24 hours, its status changes to Expired. You will need to make a new request.
  • PAM automatically revokes the elevated permissions once the grant duration expires.

Approve access grants

If an entitlement has an approval workflow configured, designated approvers must review and approve grant requests before the privileged access is granted.

Key considerations for approvers:

  • You must be listed as an approver within the entitlement's configuration.
  • You cannot approve your own request.
  • Grant requests that are not approved or denied within 24 hours will expire.

Steps to approve or deny a grant request:

Approvers can manage grant requests through the Google Cloud Console.

  • Navigate to PAM:

    • Go to the Google Cloud Console.
    • Navigate to the desired project for approving grants.
    • Go to IAM & Admin > PAM in the navigation menu.

  • View pending approvals:

    • Click the Approve grants tab, then the PENDING APPROVAL tab. PAM Navigation

    • Review and act:

    • In the row corresponding to the request you wish to approve or deny, click Approve/deny.

    • Comment (if required): If the entitlement requires a justification from the approver, enter your reasoning in the Comment field.
    • Click either approve or deny.

Important Notes for Approvers:

Once a grant is approved, PAM temporarily applies the specified IAM roles to the requester for the approved duration. All approval and denial actions are logged in Cloud Audit logs for compliance and tracking.

PAM Navigation