GoogleCloudPlatform / jit-groups

JIT Groups is an open source application that lets you implement secure, self-service access management for Google Cloud using groups.
Apache License 2.0

Multiple RESOURCE_SCOPE #121

Closed sapirmesika closed 7 months ago

sapirmesika commented 1 year ago

Hi, I have a situation where we have many projects in our organization but only 10 projects that we want to add to JIT. The problem is that not all the projects are in the same folder. Some of the projects are directly under the organization, and some are under different folders (which contain other projects that we don't want to add to JIT). Is it possible to add multiple values under the "RESOURCE_SCOPE" environment variable? I tried something like RESOURCE_SCOPE: projects/project1, project2 or RESOURCE_SCOPE: projects/project1, projects/project2 and it didn't work.

Is there any way to do it?

jpassing commented 1 year ago

Is it possible to add multiple values under "RESOURCE_SCOPE" environment variable?

Unfortunately not because the underlying Policy Analyzer API doesn't allow queries for disjoint scopes.

To use JIT Access across all your 10 projects, you'll have to set RESOURCE_SCOPE to the common ancestor, which I suppose in your case is the organization. You'll also have to grant the JIT Access service account the roles/cloudasset.viewer role on the organization.

If you set RESOURCE_SCOPE to the organization, you'd normally also grant roles/iam.securityAdmin on the organization. But if you're worried that somebody might start using JIT Access for a project that's outside your list of 10 "sanctioned" projects, then you could instead only grant JIT Access the roles/iam.securityAdmin role on the 10 projects. If somebody tried to activate a role for a "non-sanctioned" project, it would simply fail because JIT Access lacks write-access to that project.
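The least-privilege split described in the answer above, as an added example that is not part of the jit-groups project: the service account gets the read-only roles/cloudasset.viewer binding at the organization (the common ancestor that RESOURCE_SCOPE points at), while roles/iam.securityAdmin is bound only on the sanctioned projects, so activation for any other project fails for lack of write access. The organization ID, service account e-mail and project IDs are placeholders; the script emits the gcloud commands by default (DRY_RUN=1) so the plan can be reviewed offline, and a guard refuses a plan that accidentally binds the write role at the organization.

```shell
#!/bin/sh
# Added example, not code from the jit-groups project.
# All identifiers below are assumed placeholders; override them via the environment.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                                # assumed organization numeric ID
JIT_SA="${JIT_SA:-jitaccess@jit-host.iam.gserviceaccount.com}"  # assumed JIT Access service account
SANCTIONED_PROJECTS="${SANCTIONED_PROJECTS:-project1 project2 project3}"  # assumed sanctioned project IDs

# Read-only role needed at the common ancestor so the Policy Analyzer query
# covers every sanctioned project (RESOURCE_SCOPE=organizations/$ORG_ID).
VIEWER_ROLE="roles/cloudasset.viewer"
# Write role, deliberately granted only on the sanctioned projects.
WRITE_ROLE="roles/iam.securityAdmin"

# Print the command instead of running it when DRY_RUN=1 (the default),
# so the binding plan can be reviewed before anything is changed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One org-level viewer binding, then one securityAdmin binding per sanctioned project.
plan_bindings() {
  run gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$JIT_SA" --role="$VIEWER_ROLE"
  for p in $SANCTIONED_PROJECTS; do
    run gcloud projects add-iam-policy-binding "$p" \
      --member="serviceAccount:$JIT_SA" --role="$WRITE_ROLE"
  done
}

# Guard: fail (exit 1) if the plan binds the write role at the organization,
# which would let JIT Access activate roles on non-sanctioned projects too.
check_plan() {
  plan_bindings | awk -v role="$WRITE_ROLE" '
    BEGIN { bad = 0 }
    /organizations add-iam-policy-binding/ && index($0, role) { bad = 1 }
    END { exit bad }'
}

# Number of project-level write bindings in the plan (one per sanctioned project).
count_project_bindings() {
  plan_bindings | grep -c "projects add-iam-policy-binding"
}

# Review first, then apply with DRY_RUN=0 once the plan looks right.
check_plan
plan_bindings
```

Run it once with the default DRY_RUN=1 to review the emitted commands, then rerun with DRY_RUN=0 to apply them. Keep the sanctioned list in version control: it is the only thing that bounds where JIT Access can write.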

sapirmesika commented 1 year ago

Thanks for your answer. We have one more question; I went through Google's documentation but couldn't find an answer. Do we use a BeyondCorp license while using IAP? When I had to enable IAP in the console I noticed that this is a premium feature. I'm pretty sure that App Engine and Cloud Run are using the IAP free features, but we want to make sure we don't get additional charges.

jpassing commented 1 year ago

You don't need a BeyondCorp license unless you're planning to use any of the more advanced context-aware access features such as device posture checks or certificate-based access.

jpassing commented 7 months ago

I believe this is resolved? Otherwise, please reopen this issue.