Closed sapirmesika closed 7 months ago
Is it possible to add multiple values under "RESOURCE_SCOPE" environment variable?
Unfortunately not because the underlying Policy Analyzer API doesn't allow queries for disjoint scopes.
To use JIT Access across all your 10 projects, you'll have to set RESOURCE_SCOPE to the common ancestor, which I suppose in your case is the organization. You'll also have to grant the JIT Access service account the roles/cloudasset.viewer role on the organization.
If you set RESOURCE_SCOPE to the organization, you'd normally also grant roles/iam.securityAdmin on the organization. But if you're worried that somebody might start using JIT Access for a project that's outside your list of 10 "sanctioned" projects, then you could instead only grant JIT Access the roles/iam.securityAdmin role on the 10 projects. If somebody tried to activate a role for a "non-sanctioned" project, it would simply fail because JIT Access lacks write-access to that project.
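The setup described in the answer above, written out as an added shell example. This is not code from the jit-access project or from the answer's author; the organization ID, service account address, project IDs and the `APPLY` switch are assumptions, and the `validate_resource_scope` helper only encodes the point made above (RESOURCE_SCOPE takes a single resource, so a comma-separated list is rejected before deployment). By default the script prints the `gcloud` commands it would run; set `APPLY=1` to execute them.

```shell
#!/usr/bin/env bash
# Added example, not part of the jit-access project: grant the JIT Access service
# account org-wide read access (Policy Analyzer / Cloud Asset) but write access
# (roles/iam.securityAdmin) only on the sanctioned projects.
set -eu

# Assumed values; replace with your own.
ORG_ID="123456789012"                                         # hypothetical org ID
JIT_SA="jitaccess@my-jit-project.iam.gserviceaccount.com"     # hypothetical service account
SANCTIONED_PROJECTS="project1 project2 project3"              # your 10 sanctioned project IDs

# RESOURCE_SCOPE names exactly one resource: organizations/N, folders/N or projects/ID.
# A list such as "projects/project1, projects/project2" is rejected here, mirroring
# the fact that the Policy Analyzer API cannot query disjoint scopes.
validate_resource_scope() {
  [[ "$1" =~ ^(organizations|folders)/[0-9]+$ \
     || "$1" =~ ^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]$ ]]
}

# The value to put in the deployment's environment (e.g. env_variables in app.yaml).
resource_scope_for_org() { echo "organizations/$1"; }

# Dry-run by default: print the command; with APPLY=1 actually run it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%q ' "$@"; echo; fi
}

# Read access on the common ancestor so the Policy Analyzer queries cover all projects.
grant_read_on_org() {
  run gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$JIT_SA" --role=roles/cloudasset.viewer
}

# Write access only where activations are allowed; activation for any other
# project under the org fails because JIT Access cannot modify its IAM policy.
grant_write_on_sanctioned_projects() {
  for p in $SANCTIONED_PROJECTS; do
    run gcloud projects add-iam-policy-binding "$p" \
      --member="serviceAccount:$JIT_SA" --role=roles/iam.securityAdmin
  done
}

scope="$(resource_scope_for_org "$ORG_ID")"
validate_resource_scope "$scope" || { echo "invalid RESOURCE_SCOPE: $scope" >&2; exit 1; }
echo "RESOURCE_SCOPE: $scope"
grant_read_on_org
grant_write_on_sanctioned_projects
```

The split between the org-level viewer role and project-level securityAdmin is what keeps JIT Access from being usable on projects outside the sanctioned list; the validation step just catches the comma-separated form from the original question before it reaches a deployment.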
Thanks for your answer. We have one more question, I went through Google's documentation but couldn't find an answer. Do we use beyondcorp license while using IAP? when I had to enable the IAP in the console I noticed that this is a premium feature. I'm pretty sure that AppEngine and Cloud Run are using the IAP free features but we want to make sure we don't get additional charges.
You don't need a BeyondCorp license unless you're planning to use any of the more advanced context-aware access features such as device posture checks or certificate-based access.
I believe this is resolved? Otherwise, please reopen this issue.
Hi, I have a situation where we have many projects in our organization but only 10 projects that we want to add to JIT. The problem is that not all the projects are in the same folder. Some of the projects are directly under the organization, and some are under different folders (which contain other projects that we don't want to add to JIT). Is it possible to add multiple values under "RESOURCE_SCOPE" environment variable? I tried something like RESOURCE_SCOPE: projects/project1, project2 or RESOURCE_SCOPE: projects/project1, projects/project2 and it didn't work.
Is there any way to do it?