googlecloudplatform / jit-access

Just-In-Time Access is a self-service web application that lets you manage just-in-time privileged access to Google Cloud projects. JIT Access runs on App Engine and Cloud Run.

License: Apache License 2.0

Java 88.89% HTML 5.78% CSS 0.40% JavaScript 3.27% Dockerfile 0.14% HCL 1.51%
privileged-access-management google-cloud iam gcp security

jit-access's Introduction

Just-In-Time Access

Just-In-Time Access is an open source application that lets you implement just-in-time privileged access to Google Cloud resources.

Just-In-Time Access works by introducing the notion of eligible role bindings to Cloud IAM. Unlike a regular IAM role binding, an eligible role binding doesn't grant the user access to a project yet. Instead, a user first has to activate the binding on demand by using the Just-In-Time Access application. As an administrator, you can decide whether activating a role requires approval, or whether users only need to provide a justification (like a bug or case number).

You can use eligible role bindings to grant users privileged (or break-glass) access to resources without having to grant them permanent access. This type of just-in-time privileged access helps you to:

  • Reduce the risk of someone accidentally modifying or deleting resources. For example, when users hold privileged access only while they need it, scripts they run at other times cannot unintentionally affect resources that they shouldn't be able to change.
  • Create an audit trail that indicates why privileges were activated.
  • Conduct audits and reviews for analyzing past activity.

Note

To manage privileged access to Google Cloud resources, you can also use Privileged Access Manager, which is now in preview. To learn more about how JIT Access and Privileged Access Manager compare, see JIT Access vs Privileged Access Manager, and what's next for JIT Access.

Activate roles on demand

As a user, you can activate a role in three steps:

  1. Select the project you need to access
  2. Select one or more roles to activate (from your list of eligible roles)
  3. Enter a justification (like a bug or case number)

After validating your request, the application grants you temporary access to the project.

Request approval to activate a role

For roles that require multi-party approval, you can request access in four steps:

  1. Select the project you need to access
  2. Select the role to activate (from your list of eligible roles)
  3. Select one or more peers to approve your request (peers are users that share the same level of access as you)
  4. Enter a justification (like a bug or case number)

Your selected peers are notified via email and can approve your request. Once approved, the application grants you temporary access to the project and notifies you via email.

Grant access

As an administrator, you can grant a role (to a user or group) and make it eligible by adding a special IAM condition:

  • has({}.jitAccessConstraint) (no approval required)
  • has({}.multiPartyApprovalConstraint) (multi-party approval required)

You can create the binding for a specific project, or for an entire folder. Instead of granting eligible access to individual users, you can also use groups.

To limit access to a subset of resources, you can also include a resource condition in the IAM binding.
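As an added example (not code from the jit-access project), the script below reads an IAM policy in the JSON shape returned by getIamPolicy and sorts each binding into the categories this README describes: eligible bindings carrying the jitAccessConstraint or multiPartyApprovalConstraint marker (with or without an added resource condition), time-bounded activation bindings, and permanent bindings. It also flags activations whose time bound has passed. The policy is a constructed sample, and the title and expression of the activation bindings are assumptions, since the page does not show what the application writes.

```python
"""Inventory JIT Access eligible bindings in a Cloud IAM policy.
Added example, not code from the jit-access project; the policy below is constructed."""
import json
import re
from datetime import datetime, timezone

# The two condition markers the README describes. has({}.x) is always false in
# CEL, so such a binding grants nothing until JIT Access adds a time-bounded one.
JIT_MARKER = "has({}.jitAccessConstraint)"
MPA_MARKER = "has({}.multiPartyApprovalConstraint)"

# Upper time bound of an activation binding. The exact expression JIT Access
# writes is not on the page; matching any request.time < timestamp(...) is an assumption.
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/compute.admin",
         "members": ["group:sre@example.com"],
         "condition": {"title": "JIT eligible", "expression": JIT_MARKER}},
        {"role": "roles/iam.securityAdmin",
         "members": ["user:alice@example.com", "user:bob@example.com"],
         "condition": {"title": "MPA eligible", "expression": MPA_MARKER}},
        # Eligible binding narrowed by a resource condition, as the README allows.
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"],
         "condition": {"title": "JIT eligible (reports buckets)",
                       "expression": JIT_MARKER
                       + ' && resource.name.startsWith("projects/_/buckets/reports-")'}},
        # Two temporary activations (assumed title/expression); one has expired.
        {"role": "roles/compute.admin",
         "members": ["user:alice@example.com"],
         "condition": {"title": "JIT activation",
                       "expression": '(request.time >= timestamp("2023-09-06T15:00:00Z") && '
                                     'request.time < timestamp("2023-09-06T16:00:00Z"))'}},
        {"role": "roles/compute.admin",
         "members": ["user:bob@example.com"],
         "condition": {"title": "JIT activation",
                       "expression": '(request.time >= timestamp("2023-09-06T19:30:00Z") && '
                                     'request.time < timestamp("2023-09-06T21:00:00Z"))'}},
        # Permanent, unconditional binding.
        {"role": "roles/viewer", "members": ["group:everyone@example.com"]},
    ]
})
# Evaluation time for the sample; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2023, 9, 6, 20, 0, tzinfo=timezone.utc)


def parse_timestamp(text):
    """Parse an RFC 3339 timestamp such as 2023-09-06T16:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def classify_binding(binding):
    """Return (kind, expiry). kind is permanent, eligible-jit, eligible-mpa,
    temporary or conditional; expiry is set for temporary bindings only."""
    condition = binding.get("condition")
    if condition is None:
        return "permanent", None
    expression = condition.get("expression", "")
    if MPA_MARKER in expression:
        return "eligible-mpa", None
    if JIT_MARKER in expression:
        return "eligible-jit", None
    match = EXPIRY_RE.search(expression)
    if match:
        return "temporary", parse_timestamp(match.group(1))
    return "conditional", None  # some other IAM condition, e.g. resource-only


def inventory(policy_json, now):
    """Flatten a policy into one row per (member, role) with its classification."""
    rows = []
    for binding in json.loads(policy_json).get("bindings", []):
        kind, expiry = classify_binding(binding)
        for member in binding.get("members", []):
            rows.append({"member": member, "role": binding["role"], "kind": kind,
                         "expires": expiry,
                         "expired": kind == "temporary" and expiry <= now})
    return rows


def summarize(rows):
    """Count rows per kind, e.g. {'eligible-jit': 2, 'temporary': 2, ...}."""
    counts = {}
    for row in rows:
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts


def expired_bindings(rows):
    """Expired activations still present in the policy: cleanup candidates."""
    return [row for row in rows if row["expired"]]


if __name__ == "__main__":
    rows = inventory(SAMPLE_POLICY, SAMPLE_NOW)
    print("summary:", summarize(rows))
    for row in expired_bindings(rows):
        print("expired:", row["member"], row["role"], row["expires"].isoformat())
```

Feed it the output of `gcloud projects get-iam-policy PROJECT --format=json` to see which eligible bindings exist and which expired activations still clutter the policy.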

Audit access

As an administrator, you can use Cloud Logging to review when and why eligible roles have been activated by users. For each activation, the Just-In-Time Access application writes an audit log entry that contains information about:

  • the user that requested access
  • the user's device, including satisfied access levels
  • the project and role for which access was requested
  • the justification provided by the user

Deploy the application

Just-In-Time Access runs on App Engine (standard) and Cloud Run. The application is stateless and uses Identity-Aware Proxy for authentication and authorization, and the Cloud Asset API and IAM API to manage access.

For detailed instructions on deploying Just-In-Time Access, see Manage just-in-time privileged access to projects on the Google Cloud website.


Just-In-Time Access is an open-source project and not an officially supported Google product.

All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.

jit-access's People

Contributors

abdolence, adriantr, bschaatsbergen, dependabot[bot], es, felipeolifre, hahomdal, jpassing, patriknordlen, sckelemen


jit-access's Issues

"You don't have permission to get the role at organizations/ORG_ID/roles"

Hi,

For access purposes I've created a custom role at organization level and assigned this role to a principal at folder level with a CEL condition. Unfortunately I'm getting the error "You don't have permission to get the role at organizations/ORG_ID/roles" even if Organization Policy Viewer is assigned at folder or organization level. I've configured predefined roles ( screenshot ) and this role can be activated.
So my question is whether JIT is able to use custom roles at folder level, or I must grant predefined roles. It's important, as per our needs I must use more than 10 RO predefined roles.


Optionally remove the restriction on maximum recipients for peer review activation requests email

Hi,

Today if a JIT controlled role has multi party approval enabled and there are more than 10+ in a team who can approve/review the requests, and the requester uses the "Select all" checkbox - the UI shows an error that there can be maximum 10 recipients. This makes using the checkbox difficult because with our organization most of the groups/app teams are more than 10 people.

We're using an internal SMTP relay to deliver the emails and certainly have no intentions to spam the world with JIT requests, could this restriction be turned off if let's say the SMTP relay is not gmail.com/outlook.com etc?

Thank you!

Specific list of approvers

Hello, we are exploring using this where I work and we have some concerns about allowing peers to approve each others requests.

Is there any appetite for allowing a configurable list of approvers instead? I appreciate this isn't an issue more of a feature request.

I'm happy to try and contribute this in my spare time if you think this is something that would be accepted as a PR.

Step #2 - "build": ERROR: failed to export: failed to write image to the following tags: us.gcr.io

I think this is more a 'me issue' than a 'JIT issue'.

I have an org policy limiting where resources can be created. Is there a way in cloud build to define the regions being used ?

ERROR: build step 2 "us.gcr.io/gae-runtimes/buildpacks/google-gae-18/java/builder:java_20230227_RC00" failed: step exited with non-zero status: 246
ERROR
Finished Step #2 - "build"
Step #2 - "build": ERROR: failed to export: failed to write image to the following tags: [us.gcr.io/pdcp-cloud-004-bainer/app-engine-tmp/app/default/ttl-18h:74dc1142-8e7a-4c0a-8efa-ae9bd3caf811: GET https://us.gcr.io/v2/token?scope=repository%3Apdcp-cloud-004-bainer%2Fapp-engine-tmp%2Fapp%2Fdefault%2Fttl-18h%3Apush%2Cpull&scope=repository%3Agae-runtimes%2Fbuildpacks%2Fjava11%2Frun%3Apull&service=us.gcr.io: DENIED: Token exchange failed for project 'pdcp-cloud-004-bainer'. Org Policy Violated: 'us' violates constraint 'constraints/gcp.resourceLocations']
Step #2 - "build":       us.gcr.io/pdcp-cloud-004-bainer/app-engine-tmp/app/default/ttl-18h:74dc1142-8e7a-4c0a-8efa-ae9bd3caf811 - GET https://us.gcr.io/v2/token?scope=repository%3Apdcp-cloud-004-bainer%2Fapp-engine-tmp%2Fapp%2Fdefault%2Fttl-18h%3Apush%2Cpull&scope=repository%3Agae-runtimes%2Fbuildpacks%2Fjava11%2Frun%3Apull&service=us.gcr.io: DENIED: Token exchange failed for project 'pdcp-cloud-004-bainer'. Org Policy Violated: 'us' violates constraint 'constraints/gcp.resourceLocations'
Step #2 - "build": *** Images (sha256:5e31c214d357c3c8bbbc978f8ced0ace8daec29866ff0b2c9c1028e2dd1957ed):
Step #2 - "build": Saving us.gcr.io/pdcp-cloud-004-bainer/app-engine-tmp/app/default/ttl-18h:74dc1142-8e7a-4c0a-8efa-ae9bd3caf811...

Org Policy Violated: 'us' violates constraint 'constraints/gcp.resourceLocations'

smtp app credentials in plain text or gmail ip whitelisting

It seems like the smtp credentials would be stored plain text, which is not ideal. Is there an easy way to:

  • have Java use an encrypted version of the password, or
  • have app.yaml accept a Secret Manager path, or
  • if using IP whitelisting only, not SMTP authentication, can the JIT access page display the current CIDR block of the App Engine app, to use in the Gmail SMTP relay settings? Otherwise we would have to input potentially 60-70 CIDR ranges for a region

Development environment not exposing port 8080

Hi,

I'm following the set up a development environment instructions. I've installed JDK 17 and maven. I'm running the following commands but unable to reach the app entrypoint on http://localhost:8080/?debug=1.

I'm running the command as described in the wiki:

mvn -X quarkus:dev -s settings.xml -Ddebug=true -Djitaccess.debug=true -Dsuspend=y -Djitaccess.impersonateServiceAccount=jit-access-test@myproject.iam.gserviceaccount.com

I'm using custom settings to point to a proxy maven mirror.

I can only see port 5005 exposed and nothing listening on 8080.

➜  ~ ss -tlpn
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port      Process
LISTEN      0           1                    127.0.0.1:5005                0.0.0.0:*          users:(("java",pid=80790,fd=113))
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*
LISTEN      0           128                       [::]:22                     [::]:*

Nothing is being logged when hitting the endpoint. I've got stacktrace mode on for the mvn command.

[DEBUG] Launching JVM with command line: /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Dquarkus-internal.serialized-app-model.path=/home/aaa/dev/jit-access/sources/target/quarkus/bootstrap/dev-app-model.dat -javaagent:/home/aaa/.m2/repository/io/quarkus/quarkus-class-change-agent/3.2.3.Final/quarkus-class-change-agent-3.2.3.Final.jar -XX:TieredStopAtLevel=1 -agentlib:jdwp=transport=dt_socket,address=localhost:5005,server=y,suspend=y -Djava.util.logging.manager=org.jboss.logmanager.LogManager -jar /home/aaa/dev/jit-access/sources/target/jitaccess-dev.jar
Listening for transport dt_socket at address: 5005

I haven't tried this in a debugger like intellij as I'm not a java developer. I'm trying to spin this up locally to test against.

Activate role on organizational level

Hi,

It would be great if it was possible to activate JIT controlled roles on the organization (and possibly folder) level too. The use case is the following: our organization uses JIT to control roles and provide just in time privileges to everyone in the company. That said there are "central" teams who have roles on the organizational or sometimes folder level - currently it's not possible for them to activate their role on anything else but a project.

A real life scenario is that if the role Security Admin was JIT controlled on the organizational level, there is no option to activate it so role owners could use their privileges on the org level instead of just a single project.

Hopefully this makes sense and it can be added as an enhancement.

Many thanks!

At least one peer is required: (HTTP 400: error)

In testing the MPA email workflow I found that if I selected about 10 out of the 12 members of our group to request approval from, it would error out

At least one peer is required: (HTTP 400: error)


Selecting only a few members allowed the approval request to proceed

Add support for URL query parameters

Add support for URL query parameters in the application to facilitate easier linking and enhance user experience. This would allow users to share specific views within the app by simply appending query parameters to the URL.

This would be very helpful for documentation and playbooks where you can link to a specific project.

Example:

https://jit.example.com/home?project=<PROJECT_ID>


Automated testing

Hi - I'm looking to deploy JIT but want to build an automated end-to-end test where I can validate my deployment in CICD.

I don't see any exposed APIs for interacting with JIT as it appears to be a UI-only application, which makes me think something like Selenium is the only option.

Has anyone else built any automated tests for a real-world deployed version of JIT.

Thinking at the moment the test would add the relevant CEL condition to a binding, then click through the various steps in the UI, and maybe assert that a log is produced saying access has been given.

Permissions Issue After Deployment

Issue
When following the instructions at https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project

Deployment succeeds, but when selecting a project, including the project the JIT App Engine app is in, clicking "continue" returns the message "The project doesn't exist, or you don't have permission to activate any roles in this project".

The service account has the Cloud Asset Viewer and Security Admin roles.

Steps to reproduce
Follow the steps on https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project
and place the App Engine JIT deployment in its own project.

Add the add-iam-policy-binding scope to folder and use the folder ID to set the roles.

Assign your user the IAP-secured Web App User role and login and proceed to select a project in the folder within scope and continue.

What would be expected?
Clicking continue should accept the project selected and move to role activation.

Show peer approvers only from the group to which the requester belongs

Based on the Multi Party Approval documentation, "If two users are granted an MPA-eligible role binding for, say roles/compute.admin on project-1, then they can approve each other's requests."

In short, the qualified approvers will be those with whom the requester shares the MPA-eligible role binding.

However, it has been observed that when the same condition is set for more than one group on a given scope, but with a different description, only the first found group's members are listed as approvers.

Steps to reproduce

  1. Apply a multi-party approval IAM condition for a role on two different groups on the same level, using different descriptions.
  2. Elevate the user's permission using the configured JIT role.

Peer approvals will be visible from the first found group only.

What would be expected?

Peers should be listed only from the group that grants the eligibility to the user.

How we think this could be achieved

The description of the set condition should be taken into consideration when listing the potential approvers.

Our use case is that we give JIT roles based on group membership, and we define in the condition's description which group membership gives access to a certain role. However, if a different group's members can elevate their privileges to the same role (using JIT), when listing approvers only one of the groups' members will be shown, unless the two conditions are identical (including description).

Currently this configuration forces us not to use unique descriptions in the condition, which lists approvers from all the groups that have access to the same type of JIT role.

Scenario to imagine

A Logging Admin role is granted both to group A and group B through the same JIT condition on the organization scope. A member of group A wants to elevate their privileges, which requires peer approval. When listing the approvers, peers will be visible both from group A and group B, whereas approvers should be listed only from the group that made the requester eligible for a certain role.

Possibility to customize application title

Hello,

Is there any chance to add the possibility to change the JIT title from "Just-in-Time Access" to a custom one, provided in the app.yaml file? I know that this is hardcoded and can be changed (I did it), but my deployment always refers to the newest release, so I don't want to use sed and change the title each time I update the application. This is a cosmetic change imo, but I'm using different titles for different environments and customers, so it would be easier for our engineers to recognize for which env they are granting access.

cheers,
Damian

Automate dependency maintenance

Automate periodic monitoring and upgrading of dependencies. This would help reduce the risk of running vulnerable versions of dependencies, while also minimizing the effort required to do so.

Multiple RESOURCE_SCOPE

Hi,
I have a situation where we have many projects in our organization but only 10 projects that we want to add to JIT.
The problem is that not all the projects are in the same folder.
Some of the projects are directly under the organization, and some are under different folders (which contains other projects that we don't want to add to JIT).
Is it possible to add multiple values under "RESOURCE_SCOPE" environment variable?
I tried something like
RESOURCE_SCOPE: projects/project1, project2
or
RESOURCE_SCOPE: projects/project1, projects/project2
and it didn't work.

Is there any way to do it?

Add a time interval option in the JIT access request UI

As an enhancement, we would like the option to request the amount of time a user is given access to a certain role in JIT as part of the request.
We would like that to be an option in the JIT UI instead of an environment variable in the app.yaml.

Does Jit Access support service accounts?

Does JIT Access only support IAM users or groups?
I tried using has({}.jitAccessConstraint) for the service account role, but it does not show up in the JIT Access web UI.
I would like to use JIT to control roles/iam.serviceAccountUser for a specific IAM group for a specific service account.

Request Access fails

After selecting a bunch of roles, when I go to request the access I get the following:


When I then go look into the logs I see:

{
  "insertId": "648274a7000f094387c4016b",
  "httpRequest": {
    "requestMethod": "POST",
    "requestUrl": "https://XXXX/api/projects/github-actions-cicd-06eb/roles/self-activate",
    "requestSize": "3934",
    "status": 400,
    "responseSize": "713",
    "protocol": "HTTP/1.1"
  },
  "resource": {
    "type": "cloud_run_revision",
    "labels": {
      "service_name": "jitaccess",
      "revision_name": "jitaccess-00008-jb2",
      "location": "australia-southeast1",
      "configuration_name": "jitaccess",
      "project_id": "XXXX"
    }
  },
  "timestamp": "2023-06-09T00:39:03.622399Z",
  "severity": "WARNING",
  "labels": {
    "instanceId": "004d9db0be8960e38fd6f75a63e68b680f9091a069f736ef1a5f8b38c25e410d703863391f896ba75c0eb837ae6345548ebb5b2b54036d9ed4142dd7e725bec9af17"
  },
  "logName": "projects/XXXX/logs/run.googleapis.com%2Frequests",
  "trace": "projects/XXXX/traces/84b07b4ac0f650770f4b429d57e38ba0",
  "receiveTimestamp": "2023-06-09T00:39:03.988956308Z",
  "spanId": "4884238612352887394",
  "traceSampled": true
}

So I think the self-activate endpoint is not succeeding, so it thinks I have no role selected? Not really sure, hoping @jpassing can point me in the right direction.

The only other warning I can see in the logs is:

{
  "insertId": "6482745d00009c10d12199c2",
  "jsonPayload": {
    "logging.googleapis.com/trace": null,
    "message": "The SMTP configuration is incomplete"
  },
  "resource": {
    "type": "cloud_run_revision",
    "labels": {
      "service_name": "jitaccess",
      "revision_name": "jitaccess-00008-jb2",
      "location": "australia-southeast1",
      "project_id": "XXXX",
      "configuration_name": "jitaccess"
    }
  },
  "timestamp": "2023-06-09T00:37:49.039952Z",
  "severity": "WARNING",
  "labels": {
    "instanceId": "004d9db0be8960e38fd6f75a63e68b680f9091a069f736ef1a5f8b38c25e410d703863391f896ba75c0eb837ae6345548ebb5b2b54036d9ed4142dd7e725bec9af17",
    "event": "runtime.startup"
  },
  "logName": "projects/XXXX/logs/run.googleapis.com%2Fstdout",
  "receiveTimestamp": "2023-06-09T00:37:49.179583536Z"
}

But since I'm not using the multi-party approval just yet, I think this is to be expected since I haven't set it up.

Automate static application security testing (SAST)

Automate source code analysis to periodically uncover security vulnerabilities and coding errors. This would help:

  • reducing the number of security vulnerabilities in the application code, and
  • preventing developers from introducing new vulnerabilities.

Allow selecting multiple roles with multi-party-approval

If MPA is configured, we are allowed to select only one role at a time.

We have a situation for infrastructure engineers (i.e. terraform) that will require a lot of roles at a time, so clicking daily on multiple roles is cumbersome.

Even when creating custom IAM roles, we still have a limit on the number of permissions, etc., so we end up having multiple custom roles.

Avoid usage of CloudAsset ?

Hello,

I'm trying to use JitAccess at the moment and I'm having a problem with the way it works.
Unless I'm mistaken, JitAccess uses Cloud Asset to read permissions and IAM (via security.admin) to write them.

The problem I'm having is that I have a huge latency between the action of adding permissions on IAM (by configuring rights with the constraint "has({}.jitAccessConstraint)") and its read availability on CloudAsset (>48h).

I've opened a ticket with GCP about this latency and they tell me that it's the 'normal' operation of CloudAsset, which updates on a 'best effort' basis, and that it can sometimes take a while to synchronise (= every time for me since I've been doing the tests).
This makes using this tool very complicated (not responsive enough to add/remove temporary permissions).

Is this a problem you're having too? And, if so, do you have any advice to offer?
Is it possible not to use CloudAsset for reading? Maybe directly via IAM to avoid this latency?
Or maybe am I using the tool incorrectly?

Thank you

PS: I'm using 1.3 on Cloud Run; I will try to update it to see if it improves this issue.

"At least one role is required (HTTP 400: error)"

Hello,

I'm using JIT to enable a self-approval process for projects placed in a dedicated folder, so the JIT configuration is set to the folder. Due to errors with custom roles, I'm granting a few Viewer roles like Compute Viewer, Logging Viewer and so on. Unfortunately, when I want to choose all roles and request access, I'm getting the error "At least one role is required (HTTP 400: error)". I've tried to use the latest version of JIT as well as the version from the master branch, both giving the mentioned error. What is interesting, I'm able to activate all roles one by one, but not in bulk.

cheers,
Damian

What are the RBAC/IAM requirements for this service

I know the documentation makes mention of

'Super-admin access to the Cloud Identity or Google Workspace account that corresponds to the Google Cloud organization that you're using.'

But I am curious if it can operate with less. If we don't have org-level permissions, can this work further down at the folder level to delegate down to sub-folder/project levels?

Can it ?

JIT HTTP 403 only for a certain group

Hey, we are facing a very weird issue where JIT is resulting in a 403 only for the members of a certain group. The service account and its roles have been double checked and the deployment was repeated by following the JIT documentation twice.

The group in question is a group that provides read access on every project in the organization next to some other roles.

What could be causing this issue? It's very confusing that having more permissions results in a 403.

Here is the error: Loading projects failed: Listing available projects failed, see logs for details (HTTP 403: error)

ability to "select all" before role activation

Could we have a simple "Select all" checkbox on the web UI when there are multiple roles to be activated? Imagine a scenario with 5-8 roles available for activation, could we have a "select all" instead of manually checking all checkboxes one-by-one?

ability to require multiple approvals

One feature that would be useful for the MPA workflows is to be able to set MIN_APPROVERS=2, where if there are 5 ACTIVATION_REQUEST_MAX_REVIEWERS in the list, 2 would be required, otherwise default to 1 approval only.

Allow Kubernetes Runtime

The current application is limited to running on AppEngine or Cloud Run due to runtime constraints. This feature request seeks to expand the deployment options to include Kubernetes as well.

Identified unknown Google Workspace group logic functionality with multi-party approval

Hello World! 👋🏼

Background:

  • Demo environment (users are already associated to numerous groups within Google Workspace)
  • Those same Google Groups (some of them) are currently set (inherited) as GCP IAM principals with permissions across org/projects
    • These IAM principals have different GCP permissions across different projects
    • A flavor of org-inherited and per-project
  • Successfully implemented JIT using Cloud Function as well as multi-party approval
  • We have successfully tested the process of MPA from start to finish with some users and works successfully
    • I have even gone to the extent of testing the access and verifying the constraint condition present in GCP IAM UI

Furthermore:
  • We have tried to narrow down this issue by (via code) allowing one Google Workspace group, a set of defined roles for all GCP projects which works for some users and not others

Problem:

  • Depending on the specific scenario, I.E user and associated Google Workspace group, only select roles are available per-project

Hypothesis:

  • To prove this, I performed a strategic approach to applying per single-group membership to a user account and continuously testing the same request in JIT app UI. From testing, it follows suit of process of elimination of the Google Workspace groups.
  • TL;DR.. It seems that based on some logic, different groups the user is associated to on Workspace, is reflected within the JIT App UI (dependent on the project and roles available) are being chosen almost at random
  • It does not seem to be the order of what is displayed within the Google Workspace UI (tested ✅)
  • It does not seem to be A-Z/top-down (tested ✅)

Potentially Related:

Request:

  • Is anyone able to elaborate on what this logic is? IIAMC here
  • The preferable would be a logic change that can be defined from the JIT application configuration

PLMK if you need anything else (it's a difficult one to explain on paper) and TYIA! 🙏🏼

ability to reject an approval request

The current MPA workflow allows anyone in the list to approve, however there was a question to be able to add a button in the email, to deny the request too. Without knowing the level of effort on this feature add, I could imagine a subset of the recipients being named in a list maybe [email protected] (terrible var name perhaps, apologies), and as long as that is a nested group within the group of [email protected] eligible for JIT roles, their email would include a red deny button?

Add support for resource-level JIT access

This is half question, half suggestion, but it doesn't look like this supports IAM bindings below project in the hierarchy (right?). In our case, we'd like to add JIT access to individual GCS buckets, but after entering the appropriate project in step 1 of the request workflow, the roles that are returned don't include the bucket-level bindings. Would it be possible to add support for individual resources (if it doesn't already exist)?

Clean up expired bindings

While it might seem like a long shot, this issue primarily stems from the API and not this tool. Nevertheless, it's valuable to engage in a discussion regarding this matter and explore potential solutions.

When a temporary IAM binding is established, it appears in GCP's IAM view, complete with the condition name in the 'Conditions' column. The underlying 'problem' arises when these temporary bindings expire; they persist in the IAM view, potentially causing the list to grow significantly. Here's an example of an expired binding that remains visible in the IAM list:

Screenshot 2023-09-06 4 39 14 PM

I recall from a different issue thread that the intentional absence of a database was a deliberate design choice, driven by security considerations. A database would simplify the cleanup process. However, even though this issue is primarily related to the API and not the JIT tool, is there a way to address it within the application itself?

  • Could the application, for instance, store a local file to keep track of projects requiring cleanup?
  • Or could it publish project IDs to a Pub/Sub, allowing a background job to check for expired bindings?
  • Another possibility is for the application to retain this information in memory.

Listing projects suggestions works slow or times out on larger number of projects set for JIT access

On the first step of choosing project it takes a long time or times out when listing projects matching the pattern.

We have RESOURCE_SCOPE set to point to our organization. We have 2 jit instances:

  • on production one we have jit available for 14 projects out of 60 in total and it times out when listing projects. (When we had less projects available for jit on production it was working)
  • on staging jit instance we have 6 projects set with jit out of all organization 60 and it works there (quite slow, but works).

Maybe there is a way to speed it up or provide some env variable at least to increase timeout for listing projects suggestions. Other possible solution could be possibility to add custom list of project under RESOURCE_SCOPE variable so that there would be option to provide list of projects that are configured for jit access only.

Extend validity of existing activation

There is an issue we are facing right now: say our pipeline needs the access for at least 60 minutes, but the JIT access expires in about 20 minutes. We jumped on the JIT tool but we are not able to re-generate the new access because it's already active. It would be really nice if we could extend already active access. Thanks.

Expose JIT Rest API for CICD integration

Hi all,

I recently had some thinking about JIT and GCP. The way it works now, it's great for human developers.

On the other hand, my Cloud Build service account requires plenty of privileges to deploy the application. It's a good idea to activate the permissions only when needed.

Potential objectives would be an exposition of JIT API next to the GUI web application. It would give the users the ability to integrate JIT with their applications.

I will be happy to elaborate more about this subject.

Error during deploy

Hello,

I've tried to use the latest version of JIT; however, during deploy, I'm getting these errors:

```text
File upload done.
Updating service [default]...
.........................................................................................................................................failed.
ERROR: (gcloud.app.deploy) Error Response: [9] Cloud build baf7b53d-2bed-4b16-9e91-e4d8dd4a1c38 status: FAILURE
...from central: https://repo.maven.apache.org/maven2/org/apache/xbean/xbean-reflect/3.4/xbean-reflect-3.4.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-compiler-manager/2.2/plexus-compiler-manager-2.2.jar (4.6 kB at 8.5 kB/s)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-compiler-javac/2.2/plexus-compiler-javac-2.2.jar (19 kB at 35 kB/s)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-classworlds/2.2.2/plexus-classworlds-2.2.2.jar (46 kB at 81 kB/s)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/com/google/collections/google-collections/1.0/google-collections-1.0.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-container-default/1.5.5/plexus-container-default-1.5.5.jar (217 kB at 371 kB/s)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/junit/junit/3.8.2/junit-3.8.2.jar
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar (45 kB at 68 kB/s)
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/xbean/xbean-reflect/3.4/xbean-reflect-3.4.jar (134 kB at 205 kB/s)
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 524 kB/s)
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/3.8.2/junit-3.8.2.jar (121 kB at 168 kB/s)
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/com/google/collections/google-collections/1.0/google-collections-1.0.jar (640 kB at 874 kB/s)
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 37 source files to /workspace/target/classes
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:08 min
[INFO] Finished at: 2023-09-25T06:54:42Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project jitaccess: Fatal error compiling: error: invalid target release: 17 -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Full build logs: https://console.cloud.google.com/cloud-build/builds;region=europe-central2/baf7b53d-2bed-4b16-9e91-e4d8dd4a1c38?project=357490486308
```

JIT version 1.4.1, downloaded from : https://github.com/GoogleCloudPlatform/jit-access/releases

cheers,
Damian

Unable to Integrate Billing Permissions in JIT

Hello

I have experienced an issue when attempting to incorporate either default (not primitive), or custom billing-based permissions into JIT.

An example custom role (deployed with Terraform) is infra.analyst.billing.write. Example of the errors from my workflows when attempting this:

```text
│ Error: Error applying IAM policy for organization "X": Error setting IAM policy for organization "X": googleapi: Error 400: Role roles/infra.analyst.billing.write is not supported for this resource., badRequest
│
│   with module.organization-iam-bindings.google_organization_iam_member.organization_iam_additive["default--roles/infra.analyst.billing.write--group:[email protected]"],
│   on .terraform/modules/organization-iam-bindings/modules/organizations_iam/main.tf line 49, in resource "google_organization_iam_member" "organization_iam_additive":
│   49: resource "google_organization_iam_member" "organization_iam_additive" {
```

I confirmed that the role has been procured and is valid at org-level within GCP (and therefore inherited to all projects).

My hypothesis: As per here, although we have GCP JIT configured and working to request roles from ALL projects within GCP, due to the nature of the IAM Resource Hierarchy and the fact that billing as an entity sits outside of org-level and project-level, then JIT is failing the ability to assign this role since it does not "technically" exist at either level of IAM. (?)

Hoping to confirm:

  1. If my hypothesis is correct
  2. Is anyone else seeing the same problems?
  3. If so, how did they identify a workaround within JIT if possible?

TYIA!

time-bound access

Hi,

It would be great if it were possible to have time-bound access, with the user requesting access being able to select the start and end dates.

Many thanks!

Invalid IAP assertion (HTTP 403: Forbidden) RELOAD

Howdy guys, I just got through getting all the Terraform to set this up. Then, after authentication, I get a mostly blank page. It doesn't even tell me who I am signed in as.


When I look at the Chrome console I see:

```text
Failed to load resource: the server responded with a status of 403 (Forbidden) /api/policy:1
```

Navigating to that page also shows:

```text
{"message":"Missing header: X-JITACCESS"}
```

But this might be because I am not supposed to navigate there directly, so it might not be relevant.

At first I thought it might be an issue because the Cloud Identity API is not protected by VPC SC, so I have updated the DNS entry to allow it to use private.googleapis.com; so I know it's not a VPC SC thing.

Any ideas on how to resolve this is most appreciated.
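The 403 with `{"message":"Missing header: X-JITACCESS"}` shown above is the expected answer when the API is called without the custom header that the web front end always sends, which is why navigating to `/api/policy` directly in a browser cannot succeed. Requiring a custom request header is a common CSRF defence: a browser will not attach one to a cross-origin request without a CORS preflight. The same requirement applies to the CI/CD integration requested further up this page: a non-browser client has to send that header plus an identity token that IAP accepts as a bearer token. The Go program below is an added example and not code from the jit-access project: it builds such a request for the `/api/projects/PROJECT_ID/roles` endpoint quoted on this page and runs it against a constructed in-process stand-in that reproduces the two responses seen in these issues (403 without the header, `{"warnings":[],"roles":[]}` with it). The header value `1`, the project ID, the placeholder token and the stub server's behaviour are assumptions; obtaining a real identity token is outside the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// RolesResponse mirrors the body observed from GET /api/projects/{id}/roles,
// {"warnings":[],"roles":[]}. The shape of a role entry is not shown on the
// page, so entries are kept as raw JSON here (assumption).
type RolesResponse struct {
	Warnings []string          `json:"warnings"`
	Roles    []json.RawMessage `json:"roles"`
}

// NewJitRequest builds the request a CI job would send: an OIDC identity token
// for IAP as a bearer token, and the X-JITACCESS header that the application
// requires on every API call (the value "1" is an assumption).
func NewJitRequest(baseURL, idToken, path string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+idToken)
	req.Header.Set("X-JITACCESS", "1")
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// ListRoles performs the request and decodes the roles listing. Non-2xx
// responses, including the 403 for a missing X-JITACCESS header, become
// errors carrying the server's "message" field.
func ListRoles(client *http.Client, req *http.Request) (*RolesResponse, error) {
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		var e struct {
			Message string `json:"message"`
		}
		_ = json.Unmarshal(body, &e)
		return nil, fmt.Errorf("HTTP %d: %s", resp.StatusCode, e.Message)
	}
	var out RolesResponse
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, err
	}
	return &out, nil
}

// NewFakeJitServer is a constructed stand-in for the application behind IAP.
// It reproduces the two responses quoted in the issues above; in a real
// deployment IAP, not the application, rejects requests without a valid token.
func NewFakeJitServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("X-JITACCESS") == "" {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"message":"Missing header: X-JITACCESS"}`)
			return
		}
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"message":"Unauthorized"}`)
			return
		}
		fmt.Fprint(w, `{"warnings":[],"roles":[]}`)
	}))
}

func main() {
	srv := NewFakeJitServer()
	defer srv.Close()
	req, _ := NewJitRequest(srv.URL, "ID_TOKEN_FROM_CI", "/api/projects/example-project/roles")
	res, err := ListRoles(srv.Client(), req)
	fmt.Println(res, err)
	req.Header.Del("X-JITACCESS") // what a direct browser navigation looks like
	_, err = ListRoles(srv.Client(), req)
	fmt.Println(err)
}
```

Against a real deployment the base URL is the IAP-protected address of the application and the token must be an identity token whose audience IAP accepts; the stub does not check either, so a green run here only proves the client sends the right headers and handles the error body.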

The project doesn't exist, or you don't have permission to activate any roles in this project

Hello,

We are looking into using this tool for our org because it definitely ticks all the boxes. Our setup is on Cloud Run with ingress set to internal-and-cloud-load-balancing. Members of our org can log in properly, so I guess the brand and client are set correctly. However, when selecting a project it's not possible to continue to the next step; the error message is "The project doesn't exist, or you don't have permission to activate any roles in this project". I doubt that the project is the issue, because projects are listed properly with auto-complete.

The jitaccess service account has the Security Admin, Cloud Asset Viewer and Cloud Debugger Agent roles. I wasn't able to find anything in the Cloud Run logs. A request to api/projects/PROJECT_ID/roles returns the empty response {"warnings":[],"roles":[]}.

Things I've tried so far:

  • deploy from master and latest branch
  • cloud run with projects/XXXXXX and organizations/XXXXXXX
  • same project as cloud run deployment and different project
  • conditional roles for both user and group

Any guidance would be greatly appreciated!

Offer pre-built images

I'm curious if it's feasible to offer pre-built images for download from a publicly accessible repository. This would help expedite the deployment of the tool, eliminating the need for manual setup.

`Invalid IAP assertion` for Cloud Run configured JIT Access application

Configuration

  • version: 1.4.0
  • scope: Project

Description

After deploying the application following the steps for Cloud Run in this guide, the error message Invalid IAP assertion (HTTP 403: error), caused by this exception, appeared.

I tried disabling HTTPS forwarding and granting roles/run.invoker to the SA service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com, as explained in the documentation about IAP and Cloud Run.
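Both "Invalid IAP assertion" reports on this page (this one and the earlier Terraform-deployed instance) come down to the check a relying application performs on the `x-goog-iap-jwt-assertion` header that IAP adds to every proxied request. The Go program below is an added example and not code from the jit-access project, which is written in Java and uses Google's own library for this check. It mints a sample assertion with a locally generated P-256 key, then verifies it in the order a relying party must: known key id and ES256 signature first, and only then issuer `https://cloud.google.com/iap`, exact audience and validity window. The project number, backend service ID, key id and email addresses are made up. The audience is the usual culprit: IAP signs `/projects/PROJECT_NUMBER/apps/PROJECT_ID` for App Engine but `/projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID` for Cloud Run behind a load balancer, so an application configured for the wrong form rejects every otherwise valid token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap" // fixed issuer of IAP assertions

// IapClaims is the subset of the IAP JWT payload that the check relies on.
type IapClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignAssertion mints an ES256 JWT shaped like an IAP assertion with a locally
// generated key. It exists only to construct sample input for the verifier.
func SignAssertion(priv *ecdsa.PrivateKey, kid string, c IapClaims) (string, error) {
	hdr, _ := json.Marshal(jwsHeader{Alg: "ES256", Kid: kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are R||S, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyIapAssertion validates an x-goog-iap-jwt-assertion value: known key id
// and algorithm, ES256 signature, then issuer, exact audience and validity
// window, so no claim is trusted before the signature is. Returns the email.
func VerifyIapAssertion(token string, keys map[string]*ecdsa.PublicKey, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var hdr jwsHeader
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return "", err
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok {
		return "", fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	var c IapClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return "", err
	}
	if c.Iss != iapIssuer || c.Aud != expectedAud {
		// Audience mismatch is the usual root cause behind "Invalid IAP assertion".
		return "", fmt.Errorf("issuer/audience mismatch: iss=%q aud=%q, expected aud %q", c.Iss, c.Aud, expectedAud)
	}
	if t := now.Unix(); t < c.Iat-30 || t >= c.Exp || c.Email == "" {
		return "", fmt.Errorf("assertion expired, not yet valid, or without an email claim")
	}
	return c.Email, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*ecdsa.PublicKey{"key-1": &priv.PublicKey}
	now := time.Now()
	// Constructed audiences: load balancer backend service vs. App Engine app.
	lbAud, gaeAud := "/projects/123456789012/global/backendServices/9876543210", "/projects/123456789012/apps/example-project"
	tok, _ := SignAssertion(priv, "key-1", IapClaims{Iss: iapIssuer, Aud: lbAud, Email: "alice@example.com", Iat: now.Unix(), Exp: now.Unix() + 600})
	fmt.Println(VerifyIapAssertion(tok, keys, lbAud, now))
	fmt.Println(VerifyIapAssertion(tok, keys, gaeAud, now))
}
```

When debugging a real deployment, base64-decode the middle segment of the header value (without trusting it) and compare its `aud` with what the application was configured to expect before looking anywhere else; the real IAP signing keys are published as a JWK set at https://www.gstatic.com/iap/verify/public_key-jwk and are selected by the `kid` in the token header, exactly as the `keys` map does here.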

Feature Request: HTTP Webhook for access requests

Feature Request:

I would like jit-access to send an HTTP request to a webhook when access is requested.

Example:
When a user requests access to a role in a project, jit-access will send a POST request to a Slack webhook with a given body.

Running the app in debug mode

I have a case where, when I do a manual deploy, the app works fine, but when I deploy using Terraform code, the app does not function as expected. I just get a blank page with "Just-In-Time Access"; it does not say signed in as myself, does not list any options for projects, etc. The GCP logs show no errors or warnings. I'm trying to see if I can run this in debug mode, and how would I do that?
The same terraform code works fine in a different GCP project.

GCP has been of zero help. I'm trying to see if anyone has run into this issue before, or if you can show me how to enable debug on this application to get more logs.

Thank you

build of dockerfile as part of build pipeline

We're currently lacking a registry, and the build of the Dockerfile itself, as part of the CI pipeline.

I can implement that functionality so we can have official JIT image repo, but I'm not sure where's the right place to store the container images? Do you know @jpassing?

Issue with Cloudbuild deployment using Jenkins

Hi Team, I have this weird issue where the deployment works perfectly fine when running gcloud commands locally from the IDE.
When I created a Jenkins pipeline and triggered the same, it fails to deploy. In both cases I am impersonating the JIT service account.
After investigation, it was found that the Maven buildpack is not being resolved when running through Jenkins.

Local Deployment

4 of 5 buildpacks participating
google.java.runtime      0.9.1
google.java.maven        0.9.0
google.java.appengine    0.9.0
google.utils.label-image 0.0.2

Jenkins Deployment

3 of 5 buildpacks participating
google.java.runtime      0.9.1
google.java.appengine    0.9.0
google.utils.label-image 0.0.2

This is where the build step is failing, since Maven is missing. Apart from this, I couldn't find any other clue to fix this. Could you please suggest what I am doing wrong?
