How does Access Context Manager relate to VPC Service Controls?

Access Context Manager defines the conditions (access levels) and VPC Service Controls enforces them. You create access levels that describe trusted contexts — such as requests from specific IP ranges or managed devices — then reference those access levels in a VPC Service Controls perimeter's ingress or egress policies. Together, they create a data exfiltration prevention boundary that restricts API access even for users with valid IAM permissions.

Can I use Access Context Manager without VPC Service Controls?

Yes. Access levels can also be used in IAM Conditions directly. For example, you can attach a condition to an IAM binding that grants roles/bigquery.dataViewer only when the request comes from a specific access level. However, VPC Service Controls provide stronger protection because they enforce boundaries at the API level, blocking data movement rather than just permission checks.

GCP Access Context Manager Builder

IAM & SecurityGCP

Build Access Context Manager access levels with IP ranges, device policies, and identity conditions.

Access Context Manager Configuration

Build Access Context Manager access levels with IP ranges, device policies, and identity conditions.

Required Fields

accessPolicyaccessLevel.nameaccessLevel.titleaccessLevel.basic.conditions

{
  "accessPolicy": "accessPolicies/123456789",
  "accessLevel": {
    "name": "accessPolicies/123456789/accessLevels/corp_network",
    "title": "Corporate Network Access",
    "description": "Allows access only from corporate IP ranges and managed devices",
    "basic": {
      "combiningFunction": "AND",
      "conditions": [
        {
          "ipSubnetworks": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        },
        {
          "devicePolicy": {
            "requireScreenlock": true,
            "osConstraints": [
              {
                "osType": "DESKTOP_CHROME_OS",
                "minimumVersion": "100.0.0"
              },
              {
                "osType": "DESKTOP_MAC",
                "minimumVersion": "12.0.0"
              }
            ],
            "allowedEncryptionStatuses": ["ENCRYPTED"],
            "requireAdminApproval": true
          }
        },
        {
          "members": [
            "user:admin@example.com",
            "group:sre-team@example.com"
          ]
        }
      ]
    }
  }
}

Generated Output

Output will appear here...

About This Tool

Access Context Manager is the foundation of GCP's BeyondCorp security model, letting you define fine-grained access levels based on device attributes, IP ranges, user identity, and geographic location. These access levels feed into VPC Service Controls perimeters and IAM Conditions to restrict who can reach sensitive APIs and data. This builder walks you through creating access level definitions with conditions for IP subnetworks, device policy requirements, and member identities, then outputs the gcloud commands or Terraform configuration for deployment.

When to Use This Tool

•Defining access levels that restrict GCP console and API access to corporate network IP ranges and managed devices only
•Building device-trust conditions that require screen lock, disk encryption, and a minimum OS version before granting access to production resources
•Creating composite access levels that combine multiple basic access levels with AND/OR logic for layered security policies
•Generating access level configurations for use with VPC Service Controls perimeters to protect BigQuery datasets and Cloud Storage buckets

Frequently Asked Questions

How does Access Context Manager relate to VPC Service Controls?: Access Context Manager defines the conditions (access levels) and VPC Service Controls enforces them. You create access levels that describe trusted contexts — such as requests from specific IP ranges or managed devices — then reference those access levels in a VPC Service Controls perimeter's ingress or egress policies. Together, they create a data exfiltration prevention boundary that restricts API access even for users with valid IAM permissions.
Can I use Access Context Manager without VPC Service Controls?: Yes. Access levels can also be used in IAM Conditions directly. For example, you can attach a condition to an IAM binding that grants roles/bigquery.dataViewer only when the request comes from a specific access level. However, VPC Service Controls provide stronger protection because they enforce boundaries at the API level, blocking data movement rather than just permission checks.

Related Learning Guides

GCP Network Security Guide24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.

GCP Access Context Manager Builder

IAM & SecurityGCP

Build Access Context Manager access levels with IP ranges, device policies, and identity conditions.

Access Context Manager Configuration

Build Access Context Manager access levels with IP ranges, device policies, and identity conditions.

Required Fields

accessPolicyaccessLevel.nameaccessLevel.titleaccessLevel.basic.conditions

Generated Output

Output will appear here...

About This Tool

When to Use This Tool

•Defining access levels that restrict GCP console and API access to corporate network IP ranges and managed devices only
•Building device-trust conditions that require screen lock, disk encryption, and a minimum OS version before granting access to production resources
•Creating composite access levels that combine multiple basic access levels with AND/OR logic for layered security policies
•Generating access level configurations for use with VPC Service Controls perimeters to protect BigQuery datasets and Cloud Storage buckets

Frequently Asked Questions

How does Access Context Manager relate to VPC Service Controls?: Access Context Manager defines the conditions (access levels) and VPC Service Controls enforces them. You create access levels that describe trusted contexts — such as requests from specific IP ranges or managed devices — then reference those access levels in a VPC Service Controls perimeter's ingress or egress policies. Together, they create a data exfiltration prevention boundary that restricts API access even for users with valid IAM permissions.
Can I use Access Context Manager without VPC Service Controls?: Yes. Access levels can also be used in IAM Conditions directly. For example, you can attach a condition to an IAM binding that grants roles/bigquery.dataViewer only when the request comes from a specific access level. However, VPC Service Controls provide stronger protection because they enforce boundaries at the API level, blocking data movement rather than just permission checks.

Related Learning Guides

GCP Network Security Guide24 min read