Build Access Context Manager access levels with IP ranges, device policies, and identity conditions.
Last verified: May 2026
Required Fields
accessPolicy, accessLevel.name, accessLevel.title, accessLevel.basic.conditions

Access Context Manager is the foundation of GCP's BeyondCorp security model, letting you define fine-grained access levels based on device attributes, IP ranges, user identity, and geographic location. These access levels feed into VPC Service Controls perimeters and IAM Conditions to restrict who can reach sensitive APIs and data. This builder walks you through creating access level definitions with conditions for IP subnetworks, device policy requirements, and member identities, then outputs the gcloud commands or Terraform configuration for deployment.
Access Context Manager defines the conditions (access levels) and VPC Service Controls enforces them. You create access levels that describe trusted contexts, such as requests from specific IP ranges or managed devices, then reference those access levels in a VPC Service Controls perimeter: either in the perimeter's access level list or as the source of an ingress rule. (Egress rules are scoped by identity and destination resource, not by access level.) Together, they create a data exfiltration prevention boundary that restricts API access even for users with valid IAM permissions.
Access levels can also be consumed directly by IAM Conditions. The binding's CEL expression tests request.auth.access_levels, so you can grant roles/bigquery.dataViewer only when the request satisfies a named access level. VPC Service Controls still provide stronger protection: a perimeter blocks the API call itself regardless of which binding granted access, whereas an IAM condition narrows only the one binding it is attached to and does nothing about other bindings or other paths to the same data.
Your security team needs to ensure BigQuery analytics data can only be accessed from corporate-managed devices on the VPN. The builder generates an access level requiring the corporate IP range AND a device policy (disk encryption, screen lock, fully MDM-managed) AND a member condition listing the analysts' user accounts and the reporting service account. Access Context Manager member conditions accept user: and serviceAccount: principals only, so membership in something like a data-analysts group is enforced through the IAM binding, not the access level. This level is referenced in a VPC Service Controls perimeter protecting the BigQuery datasets. Two weeks of dry-run deployment surfaced 3 legitimate workflows the security team didn't know about (a VPN-less SOC analyst, a contractor's BYOD device, an automated reporting service account); exceptions were added, then the perimeter was enforced. BigQuery access from outside the approved contexts is now blocked; the exceptions are the residual risk and should be reviewed periodically.
The builder constructs Access Context Manager access level definitions: basic levels (a list of conditions, each combining any of ipSubnetworks, members, devicePolicy, regions, requiredAccessLevels and negate, joined by a combining function of AND or OR; the fields inside a single condition are always ANDed), or custom levels (a CEL expression for cases basic levels cannot express). Output is generated as gcloud access-context-manager levels commands and Terraform google_access_context_manager_access_level resources.
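The following is an added example, not the builder's own code, covering the use case and the builder description above. It constructs the basic access level for the BigQuery scenario as the API represents it, applies the checks the API would apply (CIDRs with host bits set, group members, unknown device policy fields), and renders the spec file and gcloud command that create it, plus the VPC SC ingress rule and IAM Conditions expression that consume it. The policy number, CIDRs, user and service account names are constructed values.

```python
"""Build and validate an Access Context Manager basic access level (added
example, not the builder's code). Policy number, CIDRs and principals below
are constructed; field names follow the Access Context Manager v1 API."""
import ipaddress
import json

ENCRYPTION_STATUSES = {"ENCRYPTION_UNSUPPORTED", "UNENCRYPTED", "ENCRYPTED"}
MANAGEMENT_LEVELS = {"NONE", "BASIC", "COMPLETE"}
OS_TYPES = {"DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX",
            "DESKTOP_CHROME_OS", "ANDROID", "IOS"}
CONDITION_FIELDS = {"ipSubnetworks", "devicePolicy", "requiredAccessLevels",
                    "negate", "members", "regions"}
DEVICE_FIELDS = {"requireScreenlock", "allowedEncryptionStatuses", "osConstraints",
                 "allowedDeviceManagementLevels", "requireAdminApproval", "requireCorpOwned"}


def _check_device_policy(dp):
    unknown = set(dp) - DEVICE_FIELDS
    if unknown:
        raise ValueError(f"unknown devicePolicy fields: {sorted(unknown)}")
    if set(dp.get("allowedEncryptionStatuses", [])) - ENCRYPTION_STATUSES:
        raise ValueError("bad allowedEncryptionStatuses")
    if set(dp.get("allowedDeviceManagementLevels", [])) - MANAGEMENT_LEVELS:
        raise ValueError("bad allowedDeviceManagementLevels")
    for oc in dp.get("osConstraints", []):
        if oc.get("osType") not in OS_TYPES:
            raise ValueError(f"bad osType in {oc}")


def validate_condition(cond):
    """Reject conditions the API would refuse. All fields inside one
    Condition are ANDed; the combining function only joins Conditions."""
    unknown = set(cond) - CONDITION_FIELDS
    if unknown:
        raise ValueError(f"unknown condition fields: {sorted(unknown)}")
    if not set(cond) - {"negate"}:
        raise ValueError("condition constrains nothing")
    for cidr in cond.get("ipSubnetworks", []):
        # The API requires host bits to be zero ("192.0.2.1/24" is malformed);
        # strict=True makes ipaddress raise ValueError in the same cases.
        ipaddress.ip_network(cidr, strict=True)
    for member in cond.get("members", []):
        # Member conditions take user: and serviceAccount: only; group
        # membership belongs in the IAM binding, not in the access level.
        if not member.startswith(("user:", "serviceAccount:")):
            raise ValueError(f"unsupported member {member!r}")
    for ref in cond.get("requiredAccessLevels", []):
        if not (ref.startswith("accessPolicies/") and "/accessLevels/" in ref):
            raise ValueError(f"bad access level reference {ref!r}")
    if "devicePolicy" in cond:
        _check_device_policy(cond["devicePolicy"])
    return cond


def build_access_level(policy_number, short_name, title, conditions, combine="AND"):
    if combine not in {"AND", "OR"}:
        raise ValueError("combiningFunction must be AND or OR")
    return {"name": f"accessPolicies/{policy_number}/accessLevels/{short_name}",
            "title": title,
            "basic": {"combiningFunction": combine,
                      "conditions": [validate_condition(c) for c in conditions]}}


def gcloud_create(level, policy_number, spec_path="level.json"):
    """Spec file body (JSON is valid YAML for --basic-level-spec) and the command."""
    short_name = level["name"].rsplit("/", 1)[1]
    spec = json.dumps(level["basic"]["conditions"], indent=2)
    cmd = (f"gcloud access-context-manager levels create {short_name} "
           f"--policy={policy_number} --title='{level['title']}' "
           f"--basic-level-spec={spec_path} "
           f"--combine-function={level['basic']['combiningFunction'].lower()}")
    return spec, cmd


def perimeter_ingress_rule(level, service):
    """VPC SC ingress rule: requests satisfying the level may reach one service."""
    return {"ingressFrom": {"sources": [{"accessLevel": level["name"]}],
                            "identityType": "ANY_IDENTITY"},
            "ingressTo": {"resources": ["*"],
                          "operations": [{"serviceName": service,
                                          "methodSelectors": [{"method": "*"}]}]}}


def iam_condition_expression(level):
    """CEL for an IAM Condition so a binding applies only inside the level."""
    return f'"{level["name"]}" in request.auth.access_levels'


POLICY = "123456789012"  # constructed placeholder policy number
CORP_LEVEL = build_access_level(POLICY, "corp_managed", "Corporate VPN and managed device", [
    {"ipSubnetworks": ["203.0.113.0/24", "2001:db8:1::/48"],
     "devicePolicy": {"requireScreenlock": True,
                      "allowedEncryptionStatuses": ["ENCRYPTED"],
                      "allowedDeviceManagementLevels": ["COMPLETE"]}},
    {"members": ["user:alice@example.com",
                 "serviceAccount:reporting@analytics-prod.iam.gserviceaccount.com"]},
])

if __name__ == "__main__":
    spec, cmd = gcloud_create(CORP_LEVEL, POLICY)
    print(spec, cmd, iam_condition_expression(CORP_LEVEL), sep="\n")
```

Write the first printed value to level.json, run the printed command, then reference CORP_LEVEL's name in the perimeter and the IAM binding. Note that the two conditions are ANDed by the combining function, and the IP and device checks inside the first condition are ANDed regardless; an OR combining function would let a listed member bypass the device check entirely.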
Access Context Manager + VPC Service Controls is the gold standard for GCP data exfiltration prevention. The combination enforces 'this user can only access BigQuery from a corporate-managed device on a corporate IP' — even valid IAM permissions are insufficient if the access context doesn't match.
Always roll a new access level out behind a VPC Service Controls perimeter in dry-run mode (the perimeter's dry-run spec, managed with gcloud access-context-manager perimeters dry-run update and promoted with dry-run enforce): dry-run logs every request that would have been denied without blocking it. Real-world workflows rarely match the security team's mental model exactly, and mining the dry-run denials is the only safe way to find the legitimate exceptions you need to allow before enforcement.
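As an added example (not part of this page's tool), here is the triage step the dry-run advice implies: group exported VPC SC audit log entries by principal, caller IP and violation reason so each distinct workflow is reviewed once, and give a first-pass classification by checking whether the caller IP falls inside the corporate ranges. The log entries and corporate CIDRs are constructed; the field paths (protoPayload.metadata.dryRun, violationReason, requestMetadata.callerIp, authenticationInfo.principalEmail) follow the VpcServiceControlAuditMetadata layout as I understand it, so confirm them against your own logs before relying on the filter.

```python
"""Triage VPC Service Controls dry-run denials (added example, not the
page's tool). Entries and corporate ranges are constructed; audit log field
paths are assumed to match VpcServiceControlAuditMetadata."""
import ipaddress
from collections import defaultdict

# Logs Explorer query that selects only dry-run denials (assumed field path).
LOGS_FILTER = 'protoPayload.metadata.dryRun="true"'
PERIMETER = "accessPolicies/123456789012/servicePerimeters/analytics"
CORP_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]


def _entry(principal, ip, service, method, reason, dry_run=True):
    """Constructed audit log entry carrying only the fields triage reads."""
    return {"protoPayload": {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "metadata": {"dryRun": dry_run, "violationReason": reason,
                     "securityPolicyInfo": {"servicePerimeterName": PERIMETER}}}}


SAMPLE_ENTRIES = [
    _entry("soc-analyst@example.com", "198.51.100.7", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("soc-analyst@example.com", "198.51.100.7", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.TableService.GetTable", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("contractor@partner.example", "203.0.113.44", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("reporting@analytics-prod.iam.gserviceaccount.com", "10.128.0.5",
           "bigquery.googleapis.com", "google.cloud.bigquery.v2.JobService.InsertJob",
           "NO_MATCHING_ACCESS_LEVEL"),
    # An enforced denial from another perimeter: not part of dry-run discovery.
    _entry("someone@example.net", "192.0.2.99", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "NO_MATCHING_ACCESS_LEVEL",
           dry_run=False),
]


def triage_dry_run(entries):
    """Return {(principal, callerIp, reason): {"count": n, "methods": [...]}}
    for dry-run denials only; enforced denials are a separate workflow."""
    groups = defaultdict(lambda: {"count": 0, "methods": set()})
    for entry in entries:
        payload = entry.get("protoPayload", {})
        meta = payload.get("metadata", {})
        if meta.get("dryRun") is not True:
            continue
        key = (payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
               payload.get("requestMetadata", {}).get("callerIp", "unknown"),
               meta.get("violationReason", "unknown"))
        groups[key]["count"] += 1
        groups[key]["methods"].add(f'{payload.get("serviceName")}/{payload.get("methodName")}')
    return {k: {"count": v["count"], "methods": sorted(v["methods"])}
            for k, v in groups.items()}


def classify(principal, caller_ip):
    """First-pass label to speed review; a human still decides the exception."""
    on_corp = any(ipaddress.ip_address(caller_ip) in net for net in CORP_RANGES)
    if principal.endswith(".gserviceaccount.com"):
        return "service account: add a serviceAccount: member or ingress identity"
    if not on_corp:
        return "human off corporate range: VPN gap or a needed exception"
    return "human on corporate range: device policy failed (unmanaged/BYOD?)"


if __name__ == "__main__":
    for (principal, ip, reason), info in sorted(triage_dry_run(SAMPLE_ENTRIES).items()):
        print(f"{info['count']:>4}  {principal:<50} {ip:<16} {reason}")
        print(f"      {classify(principal, ip)}; methods: {', '.join(info['methods'])}")
```

Run it against entries exported with the LOGS_FILTER query (gcloud logging read, or a sink to BigQuery). The three groups it produces for the sample map to the three workflows in the use case above; the enforced denial is deliberately excluded so the dry-run review is not polluted by blocks that are already intended.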
Device policy access levels integrate with Endpoint Verification to require corporate-managed devices. Setup is non-trivial (Endpoint Verification is a Chrome extension, plus a native helper on macOS and Windows, pushed out through Chrome policy or your MDM), and a device that has not reported inventory simply fails every devicePolicy condition, which is the right fail-closed behaviour but also the usual source of surprises in dry-run logs. Once running, this is genuinely robust BeyondCorp-style security.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.