ConductorOne docs

Get started with just-in-time access in Google Cloud Platform

Follow this guide to get started with just-in-time (JIT) access to your Google Cloud Platform (GCP) resources.

Before you begin

To complete this guide, you’ll need:

  • ConductorOne Connector Administrator role or Super Administrator role
  • A Google Cloud Platform account
  • Ability to set up a service account in GCP

Estimated time: 30 minutes

Step 1: Integrate your GCP instance

Start by integrating your GCP instance with ConductorOne. There are two methods for this:

Once connected, ConductorOne ingests all of the projects, resources, and entitlements for Google Cloud. This includes projects and roles. You can see all the resources and entitlements by navigating to Applications > Google Cloud Platform and clicking the Entitlements tab.

Step 2: Configure GCP projects for JIT access

Now that GCP is hooked up to ConductorOne, set GCP projects and roles as available for just-in-time access. To do this, we’ll configure access controls for each of the GCP projects.

  1. Navigate to the Applications page, then click the Google Cloud application created in Step 1.

  2. On the Setup tab, in the Entitlement configuration rules section of the page, click Edit.

  3. In the configuration rules pane, click the toggle to Enable configuration rules.

  4. Select the Project resource type.

  5. Use the Catalogs dropdown to select Everyone.

  6. Finally, check the box at the bottom of the screen and click Apply.

The new settings are applied, and a summary of the configuration is shown in the Entitlement configuration rules section of the page.

Don’t worry, you can change who can request access, for how long, and the policy for approving access later.

Step 3: Request JIT access

Let’s go request GCP JIT access!

  1. In the navigation panel, open App directory and click Browse access.

  2. Click Google Cloud Platform. A panel opens with the projects available for you to request.

  3. Click on the project you want to request, then click Request.

  4. Enter the justification and click Request.

Success!

The request policy routes the request through the approval process. The new access will be automatically provisioned by the GCP connector, and then automatically removed upon expiration.
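
To confirm that an expired grant really was removed on the GCP side, you can compare IAM policy snapshots of the project taken before the request, while access is active, and after expiration. The script below is an added example, not ConductorOne code: it assumes the grant appears as a direct project-level role binding for the requesting user, and the member, roles, and snapshots are constructed sample data.

```python
"""Audit that a JIT grant left no residual project-level role binding."""

# Constructed IAM policy snapshots for one project, in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Assumption: the JIT grant shows up as a direct role binding for the user.
BASELINE = {"bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com", "group:eng@example.com"]},
]}
DURING_GRANT = {"bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com", "group:eng@example.com"]},
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
]}
AFTER_EXPIRY_OK = BASELINE          # binding removed: back to baseline
AFTER_EXPIRY_STALE = DURING_GRANT   # binding still present after expiry


def roles_for(policy, member):
    """Roles bound directly to `member` (group membership is not expanded)."""
    member = member.lower()
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in (m.lower() for m in b.get("members", []))
    }


def audit_jit(baseline, during, after, member):
    """Compare snapshots taken before the request, while granted, after expiry."""
    before = roles_for(baseline, member)
    granted = roles_for(during, member) - before
    leftover = roles_for(after, member) - before
    return {
        "granted": sorted(granted),         # roles the JIT grant added
        "leftover": sorted(leftover),       # roles still held after expiry
        "back_to_baseline": not leftover,   # True only if nothing extra remains
    }


if __name__ == "__main__":
    who = "user:alice@example.com"
    for label, after in (("clean", AFTER_EXPIRY_OK), ("stale", AFTER_EXPIRY_STALE)):
        print(label, audit_jit(BASELINE, DURING_GRANT, after, who))
```

A non-empty `leftover` list means the user still holds a role that was not in the baseline and should be investigated.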