Get started with just-in-time access in Google Cloud Platform
Before you begin
To complete this guide, you’ll need:
- ConductorOne Connector Administrator role or Super Administrator role
- A Google Cloud Platform account
- Ability to set up a service account in GCP
Estimated time: 30 minutes
Step 1: Integrate your GCP instance
Start by integrating your GCP instance with ConductorOne. There are two methods for this:
- Google Cloud Platform connector: Use this connector if you want to control access to GCP only.
- Google Workspace & Google Cloud Platform combined connector: Use this connector if you intend to control access to both GCP and Google Workspace (GWS).
Once connected, ConductorOne ingests all of the projects, resources, and entitlements for Google Cloud. This includes projects and roles. You can see all the resources and entitlements by navigating to Applications > Google Cloud Platform and clicking the Entitlements tab.
Step 2: Configure GCP projects for JIT access
Now that GCP is hooked up to ConductorOne, set GCP projects and roles as available for just-in-time access. To do this, we’ll configure access controls for each of the GCP projects.
Navigate to the Applications page, then click the Google Cloud application created in Step 1.
On the Setup tab, in the Entitlement configuration rules section of the page, click Edit.
In the configuration rules pane, click the toggle to Enable configuration rules.
Select the Project resource type.
Use the Catalogs dropdown to select Everyone.
Finally, check the box at the bottom of the screen and click Apply.
The new settings are applied, and a summary of the configuration is shown in the Entitlement configuration rules section of the page.
Don’t worry, you can later change who can request access, how long access lasts, and the policy for approving access.
Step 3: Request JIT access
Let’s go request GCP JIT access!
In the navigation panel, open App directory and click Browse access.
Click Google Cloud Platform. A panel opens with the projects available for you to request.
Click on the project you want to request, then click Request.
Enter the justification and click Request.
Success!
The request policy routes the request through the approval process. The new access will be automatically provisioned by the GCP connector, and then automatically removed upon expiration.