Just-In-Time Access
Just-In-Time Access is an AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects.
Synopsis
Just-In-Time Access adds the notion of eligible role bindings to Cloud IAM. Unlike a regular IAM role binding, an eligible role binding doesn't grant the user access to a project yet: Instead, a user first has to activate the binding on demand by using the Just-In-Time Access application. Activation is temporary and requires the user to provide a justification (like a bug or case number).
You can use eligible role bindings to grant users privileged (pr break-glass) access to resources without having to grant them permanent access. This type of just-in-time privileged access helps you to:
- Reduce the risk of users accidentally modifying or deleting resources ("fat-fingering").
- Create an audit trails that captures justifications for why privileged access was used.
- Conduct audits and reviews for analyzing past activity.
Using Just-In-Time Access
Just-In-Time Access uses IAM conditions to manage eligible access:
-
As an administrator you can grant a role (to a user or group) and make it eligible by adding a special IAM condition:
has({}.jitAccessConstraint)
You can create the binding for a specific project, or for an entire folder. Instead of granting eligible access to individual users, you can also use groups.
-
As a user, you can list the roles and resources you're eligible to access by using the Just-In-Time Access application.
You can then activate one or more role bindings and provide a justification for doing so. Just-In-Time Access then grants you temporary access to the resource.
-
As an administrator, you can use Cloud Logging to review when and why eligible roles have been activated by users.
Deploying Just-In-Time Access
Just-In-Time Access runs on App Engine (standard) and uses Identity-Aware-Proxy for authentication and authorization.
For detailed instructions on deploying Just-In-Time Access, see Deploying Just-In-Time Access.
Just-In-Time Access is an open-source project and not an officially supported Google product.
All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.