Just-In-Time Access is an open source application that lets you implement just-in-time privileged access to Google Cloud resources.
Just-In-Time Access works by introducing the notion of eligible role bindings to Cloud IAM. Unlike a regular IAM role binding, an eligible role binding doesn't grant the user access to a project yet. Instead, a user first has to activate the binding on demand by using the Just-In-Time Access application. As an administrator, you can decide whether activating a role requires approval, or whether users only need to provide a justification (like a bug or case number).
You can use eligible role bindings to grant users privileged (or break-glass) access to resources without having to grant them permanent access. This type of just-in-time privileged access helps you to:
As a user, you can activate a role in three steps:
After validating your request, the application then grants you temporary access to the project.
For roles that require multi-party approval, you can request access in four steps:
Your selected peers are notified via email and can approve your request. Once approved, the application grants you temporary access to the project and notifies you via email.
As an administrator, you can grant a role (to a user or group) and make it eligible by adding a special IAM condition:
has({}.jitAccessConstraint) (no approval required)
has({}.multiPartyApprovalConstraint) (multi-party approval required)
You can create the binding for a specific project, or for an entire folder. Instead of granting eligible access to individual users, you can also use groups.
To limit access to a subset of resources, you can also include a resource condition in the IAM binding.
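The following is an added example, not code from the jit-access project, showing how the eligible bindings described above look as IAM policy data: it builds a binding carrying one of the two marker conditions (optionally combined with a resource condition), appends it to a policy dict in the shape the IAM API returns, and audits a policy to separate standing access from eligible access. The sample policy, the member names and the bucket name are constructed placeholders; the use of `resource.name.startsWith(...)` to express the resource condition is an assumption about the condition syntax, not something the README specifies.

```python
import copy

# The two marker conditions from the README. `{}` is an empty map with no
# fields, so `has({}.<anything>)` is always false: on its own the binding
# grants nothing until the Just-In-Time Access application activates it.
JIT_CONSTRAINT = "has({}.jitAccessConstraint)"
MPA_CONSTRAINT = "has({}.multiPartyApprovalConstraint)"


def eligible_binding(role, members, approval="self", resource_prefix=None,
                     title="Eligible role (JIT)"):
    """Return one IAM binding dict that makes `role` eligible for `members`.

    approval: "self" (justification only) or "mpa" (multi-party approval).
    resource_prefix: optional resource-name prefix; assumed here to be
    expressed with the standard `resource.name.startsWith(...)` attribute.
    """
    if approval == "self":
        expr = JIT_CONSTRAINT
    elif approval == "mpa":
        expr = MPA_CONSTRAINT
    else:
        raise ValueError("approval must be 'self' or 'mpa'")
    if resource_prefix:
        expr = f'{expr} && resource.name.startsWith("{resource_prefix}")'
    return {
        "role": role,
        "members": sorted(set(members)),
        "condition": {"title": title, "expression": expr},
    }


def add_binding(policy, binding):
    """Return a copy of `policy` with `binding` appended. Conditional bindings
    require IAM policy version 3, so the version is raised if needed."""
    new_policy = copy.deepcopy(policy)
    new_policy["version"] = max(new_policy.get("version", 1), 3)
    new_policy.setdefault("bindings", []).append(binding)
    return new_policy


def classify_binding(binding):
    """Label a binding: 'permanent', 'eligible-self', 'eligible-mpa', or
    'conditional' (some other condition, e.g. a time-bound activation)."""
    expr = (binding.get("condition") or {}).get("expression", "")
    if not expr:
        return "permanent"
    if JIT_CONSTRAINT in expr:
        return "eligible-self"
    if MPA_CONSTRAINT in expr:
        return "eligible-mpa"
    return "conditional"


def audit(policy):
    """Return sorted (member, role, kind) triples for the whole policy, so an
    administrator can spot standing privileged access that should be eligible."""
    rows = []
    for b in policy.get("bindings", []):
        kind = classify_binding(b)
        for m in b.get("members", []):
            rows.append((m, b["role"], kind))
    return sorted(rows)


# Constructed sample policy (not a real project); all names are placeholders.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
}


def example():
    """Add an MPA-gated project-wide role and a self-approved, bucket-scoped
    role to the sample policy and return the resulting policy."""
    policy = add_binding(
        SAMPLE_POLICY,
        eligible_binding("roles/compute.admin", ["group:oncall@example.com"],
                         approval="mpa"),
    )
    policy = add_binding(
        policy,
        eligible_binding("roles/storage.objectAdmin",
                         ["user:alice@example.com"],
                         resource_prefix="projects/_/buckets/prod-logs/"),
    )
    return policy


if __name__ == "__main__":
    for member, role, kind in audit(example()):
        print(f"{kind:14} {role:28} {member}")
```

The audit output makes the distinction the README draws explicit: `roles/owner` for alice is standing access, while the two appended bindings are inert until activated through the application. Whatever produces the final policy (gcloud, Terraform, or the IAM API), the binding shape is the same, and the `version: 3` requirement applies whenever a condition is present.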
As an administrator, you can use Cloud Logging to review when and why eligible roles have been activated by users. For each activation, the Just-In-Time application writes an audit log entry that contains information about:
Just-In-Time Access runs on App Engine (standard) and Cloud Run. The application is stateless and uses Identity-Aware Proxy for authentication and authorization, and the Cloud Asset API and IAM API to manage access.
For detailed instructions on deploying Just-In-Time Access, see Manage just-in-time privileged access to projects on the Google Cloud website.
Just-In-Time Access is an open-source project and not an officially supported Google product.
All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.