Just-In-Time Access is an AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects.

Overview

Just-In-Time Access

Synopsis

Just-In-Time Access adds the notion of eligible role bindings to Cloud IAM. Unlike a regular IAM role binding, an eligible role binding doesn't grant the user access to a project yet: Instead, a user first has to activate the binding on demand by using the Just-In-Time Access application. Activation is temporary and requires the user to provide a justification (like a bug or case number).

You can use eligible role bindings to grant users privileged (or break-glass) access to resources without having to grant them permanent access. This type of just-in-time privileged access helps you to:

  • Reduce the risk of users accidentally modifying or deleting resources ("fat-fingering").
  • Create an audit trail that captures justifications for why privileged access was used.
  • Conduct audits and reviews for analyzing past activity.

Using Just-In-Time Access

Just-In-Time Access uses IAM conditions to manage eligible access:

  • As an administrator you can grant a role (to a user or group) and make it eligible by adding a special IAM condition:

    has({}.jitAccessConstraint)
    

    You can create the binding for a specific project, or for an entire folder. Instead of granting eligible access to individual users, you can also use groups.

  • As a user, you can list the roles and resources you're eligible to access by using the Just-In-Time Access application.

    You can then activate one or more role bindings and provide a justification for doing so. Just-In-Time Access then grants you temporary access to the resource.

  • As an administrator, you can use Cloud Logging to review when and why eligible roles have been activated by users.
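
An audit over an exported IAM policy that separates eligible bindings (those carrying the marker condition above) from privileged roles that are still granted permanently. This is an added example, not code from the Just-In-Time Access project; the sample policy, member names, the set of privileged roles and the whitespace-tolerant match are assumptions.

```python
import re

# Marker condition quoted on this page. Ignoring whitespace when comparing
# is an assumption of this example.
JIT_MARKER = "has({}.jitAccessConstraint)"

# Constructed sample in the shape of an exported IAM policy (not real data).
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/compute.admin",
         "members": ["group:ops@example.com"],
         "condition": {"title": "Eligible",
                       "expression": "has({}.jitAccessConstraint)"}},
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["user:bob@example.com"],
         "condition": {"title": "Eligible",
                       "expression": " has( {}.jitAccessConstraint ) "}},
        {"role": "roles/viewer",
         "members": ["user:carol@example.com"],
         "condition": {"title": "Until 2030",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ],
}


def is_eligible(binding):
    """True if the binding's condition is exactly the eligibility marker."""
    expr = binding.get("condition", {}).get("expression", "")
    return re.sub(r"\s+", "", expr) == JIT_MARKER


def audit(policy, privileged_roles):
    """Return (eligible, standing): eligible role/member pairs, and
    privileged roles granted outright with no condition at all."""
    eligible, standing = [], []
    for b in policy.get("bindings", []):
        pairs = [(b["role"], m) for m in b.get("members", [])]
        if is_eligible(b):
            eligible.extend(pairs)
        elif b["role"] in privileged_roles and "condition" not in b:
            standing.extend(pairs)
    return eligible, standing


if __name__ == "__main__":
    elig, stand = audit(SAMPLE_POLICY, {"roles/owner", "roles/storage.admin"})
    print("eligible:", elig)
    print("standing privileged:", stand)
```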

Deploying Just-In-Time Access

Just-In-Time Access runs on App Engine (standard) and uses Identity-Aware Proxy for authentication and authorization.

For detailed instructions on deploying Just-In-Time Access, see Deploying Just-In-Time Access.


Just-In-Time Access is an open-source project and not an officially supported Google product.

All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.

Comments
  • b/260921498 Disable browser caching

    Disable caching for all content to avoid presenting stale data, and to prevent issues after applying a version update.

    Note that most long-lived content (jquery, etc) is served from a CDN anyway.

    opened by jpassing 0
  • b/260523497 Project-based discovery, activation

    • Change logic so that users first select a project, and then select a role to activate. This makes the Policy Analyzer API calls more efficient and allows us to consider inherited IAM role bindings as well.
    • Introduce new GUI that uses a material stepper to find and activate roles
    opened by jpassing 0
Releases(1.1.0)
  • 1.1.0(Dec 3, 2022)

    This is release 1.1 of Just-in-Time Access.

    This release introduces the following new features:

    • Inherited role bindings: You can now grant a user (or group) eligible access to a folder or an entire organization. Users can then activate access for each project in the folder (or organization) individually.
    • New user interface: The application now uses a new, Material design-based user interface.
    • Quicker deployment: The application now uses fewer dependencies and, as a result, is quicker to deploy.

    In addition, the release includes several stability improvements and fixes, including:

    • In some cases, either due to stale browser caches or an expired sign-in session, the frontend showed Loading... instead of redirecting to the sign-in screen.

    For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Owner
Google Cloud Platform