Privileged Just-in-time access on Google Cloud with JIT

942 views

PracticalGCP

1 day ago

Just-In-Time privileged access is a method for managing access to Google Cloud projects in a more secure and efficient manner. It's an approach that aligns with the principle of least privilege, granting users only the access they need to perform specific tasks and only when they need it. This method helps reduce risks, such as accidental modifications or deletions of resources, and creates an audit trail for tracking why and when privileged access is activated.
The Just-In-Time Access tool (JIT) is an open-source application created by Google that supports this model by allowing administrators to grant eligible access to users or groups. This access is not immediately usable: users must actively activate it and provide a justification, and the activated access then automatically expires after a short period.
I've crafted a dedicated blog post and an accompanying video that delve deeply into the subject, comprehensively addressing everything from the most typical JIT use cases to instructions on constructing and deploying via Terraform, as well as all the necessary configurations required to implement it successfully in organisations of any scale.
An accompanying blog serves as the foundation for the video content, and you can find it at practical-gcp..... You're welcome to choose whether you'd like to read the blog before watching the video or use the video as your primary guide, depending on your preference.
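As an added illustration of the eligible-access model described above (not code from the video or from the JIT project itself), the Terraform below places a standing project binding next to a JIT-eligible one. The JIT Access application recognises eligibility through the IAM condition `has({}.jitAccessConstraint)`; the project id, member and role are placeholder assumptions.

```hcl
# Standing ("always on") binding: the member holds the role permanently.
# This is the pattern JIT is meant to replace for privileged roles.
resource "google_project_iam_member" "standing_compute_admin" {
  project = "my-project-id"                      # placeholder (assumption)
  role    = "roles/compute.admin"
  member  = "group:platform-admins@example.com"  # placeholder (assumption)
}

# Eligible binding: same role and member, but gated by the condition the JIT
# Access app looks for. IAM evaluates has({}.jitAccessConstraint) as false,
# so this binding grants nothing until JIT activates it for a user.
# In practice you keep one of the two bindings, not both.
resource "google_project_iam_member" "jit_eligible_compute_admin" {
  project = "my-project-id"
  role    = "roles/compute.admin"
  member  = "group:platform-admins@example.com"

  condition {
    title       = "JIT eligible"
    description = "Eligible for self-approved just-in-time activation"
    expression  = "has({}.jitAccessConstraint)"
  }
}

# Roles that should require a peer's approval use a different marker:
#   expression = "has({}.multiPartyApprovalConstraint)"
#
# On activation the JIT app (not Terraform) adds a short-lived binding for the
# requesting user whose condition is a deadline such as
#   request.time < timestamp("2024-01-01T10:00:00Z")   # constructed value
# which is why the access expires without any cleanup step.
```

Because the eligible binding is a normal IAM binding, it shows up in the project's IAM policy and in Cloud Audit Logs like any other, which is what gives the audit trail mentioned above.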
05:48 - About Identity Aware Proxy (IAP)
10:31 - Prerequisites
15:53 - Explaining the code (Terraform)
29:43 - Running the code
34:43 - Demo of JIT
38:31 - Troubleshooting

Comments: 11
@neeldarji5167 7 months ago
I am trying to implement JIT for GCP in our organization. From what I understand from this video, GCP does not have a native solution to support JIT, but there is this open-source tool they have developed. And as this is open source, we cannot get any support from Google in case we encounter any issues in future after implementing this solution. Now there is a PAM feature in GCP they have introduced for JIT. Is there any licence cost associated with it? Is there any document anyone can share here? Share your thoughts on all the points I mentioned above.
@practicalgcp2780 7 months ago
I haven't tried it yet, but if you look at the PAM comment in the other thread, you can find it under IAM admin. I don't believe it needs any licence; it's just a service GCP provides like most other native services. JIT is open source, which probably gives you more control if you prefer to manage this yourself or make changes to it to suit your customisation needs, but as the other thread suggested, I agree you should try PAM first before looking at JIT.
@practicalgcp2780 7 months ago
And I cannot find any documentation about it either.
@nrohankar 7 months ago
Can we log in to the JIT console using a GCP service account? I want to give project access to a particular GCP service account.
@PMSarath 8 months ago
We can use PAM instead of JIT.
@richardshenghua 8 months ago
Do you mind giving more information on what you are referring to? I am aware Google has something coming out at some point as an alternative, but it is still in private review.
@PMSarath 8 months ago
@richardshenghua GCP has already rolled out PAM (Privileged Access Manager), which is located in the "IAM & Admin" service.
@richardshenghua 8 months ago
@PMSarath aha nice, yup this is the same thing I was referring to that I knew was in private review but didn't realise it's there. But it's still in public review; have you already tried it, and does it offer the same features such as requesting "without" approval? Would be good if you could share your experience if you have tried it, to understand how well it works compared to JIT.
@PMSarath 8 months ago
Certainly! Despite being in preview mode, we've successfully deployed it within our organization. The functionality is quite similar to JIT, and PAM also supports requesting without approval. Here's a concise overview of the console process:
1. Navigate to "IAM & Admin" -> Click "PAM".
2. Click on "Create" to initiate a new entitlement.
3. Provide details such as entitlement name, resource, role (up to 5 roles currently), and grant duration (ranging from a minimum of 1 hour to a maximum of 24 hours).
4. Add the Requesters principal, along with optional justification.
5. Include Approvers with or without approval principal/justification.
6. Optionally, add extra notification principals for receiving notifications.
@richardshenghua 8 months ago
@PMSarath amazing, will have a look as well.