Just-in-time (JIT) access is a security best practice that grants users access to resources only when they require them and for a limited amount of time. JIT access helps minimize data breaches and unauthorized cloud resource use, effectively providing users with the permissions they need when needed—as opposed to conventional static access models, which offer access without any time limitation.
JIT access can help significantly decrease Google Cloud Platform’s attack surface by issuing permissions as needed, thus limiting entry points and the potential for unauthorized access. Users operate with only as much privilege as is necessary for their roles. This reduces the risks of accidental data exposure or system misuse and keeps accounts secure by restricting an attacker’s scope and duration of access. GCP also supports port-level access control via JIT access, allowing for fine-grained control over network ports or services on virtual machines.
JIT access introduces an automated or routed approval system where users must request access when needed and approvals can be automated or routed through the appropriate channels. Not only can JIT access increase security, but it can also help organizations maintain more visibility and control over access requests. JIT access solutions usually feature comprehensive auditing features that monitor all access activities and create an audit trail of when resources were accessed and by whom. In the unfortunate event of a security incident, JIT access simplifies the incident response process. Access revocation can be triggered immediately, limiting potential damage by cutting off unauthorized access. This rapid response capability is critical to containing and mitigating security breaches.
In this article, you’ll learn how to implement JIT access in Google Cloud Platform.
How to Implement Just-in-Time Access in Google Cloud Platform
Follow the step-by-step instructions below to implement JIT access in GCP.
Enabling Required APIs in Your GCP Project for the JIT Access App
Before using the JIT Access app for GCP, you’ll need to enable the following APIs for it:
• Identity-Aware Proxy (IAP)
These APIs are required to manage resources, authenticate users, store container images, and build and deploy applications in GCP.
Go to the APIs & Services > Enabled APIs & services page in the GCP console:
Click ENABLE APIS AND SERVICES:
In the search bar, enter the name of the API you want to enable (for example, “Cloud Asset Inventory”):
Select the name of the API, then click the ENABLE button on the details page to enable the API:
Once you’ve enabled all the required APIs, you can deploy the JIT Access app.
Creating a Service Account for the JIT Access App
Before creating a service account, you’ll need to create a new project if you don’t already have one.
Click the drop-down menu in the top left and select NEW PROJECT:
Enter a project name and click CREATE:
Open Google Cloud Shell and set the environment variable for your project. Run the following command, replacing “newdemo-382919” below with your project name if you used a different name:
gcloud config set
project newdemo-382919
Click AUTHORIZE on the resulting pop-up window:
You’ll need a service account for your application. Run the following command to create one named “Just-In-Time Access”:
SERVICE\_ACCOUNT=$(gcloud iam service-accounts create jitaccess
\--display-name “Just-In-Time Access” --format “value(email)”)
Allowing the JIT Access App to Manage IAM Bindings
Run the following command in Cloud Shell to provide the relevant permissions for the JIT Access app to manage IAM bindings:
SCOPE\_TYPE=projects
gcloud projects add-iam-policy-binding $SCOPE\_ID \\
\--member “serviceAccount:$SERVICE\_ACCOUNT” \\
\--role “roles/iam.securityAdmin” \\
\--condition None
gcloud projects add-iam-policy-binding $SCOPE\_ID \\
\--member “serviceAccount:$SERVICE\_ACCOUNT” \\
\--role “roles/cloudasset.viewer” \\
\--condition None
This provides the necessary access and assigns both Security Admin (roles/iam.securityAdmin) and Cloud Asset Viewer (roles/cloudasset.viewer) roles to the relevant section of your resource hierarchy:
Once you’ve completed the above step, you will have successfully granted the JIT Access application permission to manage IAM bindings in Cloud Shell.
To verify this, navigate to the IAM & Admin page in the GCP console and click Service Accounts. You can see that the “Just-In-Time Access” service account has been created and enabled:
Allowing the JIT Access App to Resolve Group Memberships
You next need to give the app access to group memberships for the service account.
Start by signing in with a super admin user account in the Google Admin console.
In the Admin console, expand the Account drop-down menu and click Admin roles.
Then, under the Groups Reader role, click Assign admin:
Select Assign service accounts:
Enter “jitaccess@newdemo-382919.iam.gserviceaccount.com”, replacing “newdemo-382919” with your project name, then click ADD, followed by ASSIGN ROLE:
Once you have completed these steps, the application will have access to resolve the group memberships of the users in the group.
Deploying the JIT Access App to App Engine
You’ll now deploy the JIT Access application on App Engine.
First, open Cloud Shell and create an App Engine application. Choose the region closest to your physical location, then use the “gcloud app create” command:
gcloud app create --region asia-south1
Clone the JIT access GitHub repository in Cloud Shell and “checkout” to the most recent branch:
git clone https://github.com/GoogleCloudPlatform/jit-access.git
cd jit-access/sources
git checkout latest
You’ll also need a configuration file for the JIT Access app:
cat << EOF > app.yaml
runtime: java17
instance\_class: F2
service\_account: $SERVICE\_ACCOUNT
env\_variables:
RESOURCE\_SCOPE: $SCOPE\_TYPE/$SCOPE\_ID
ELEVATION\_DURATION: 60
JUSTIFICATION\_HINT: “Bug or case number”
JUSTIFICATION\_PATTERN: “.\*”
EOF
gcloud app
Finally, use the following command to deploy the application:
gcloud app deploy --appyaml app.yaml
In the above screenshot, you can see the public URL that the service is deployed to. In this case, it’s “https://newdemo-382919.el.r.appspot.com,” but your URL will reflect your specific project name. This tutorial uses the default settings for the automatically configured load balancer, but you can adjust them to your liking.
Configuring Identity-Aware Proxy (IAP)
You next have to configure IAP for the JIT Access app to improve security, access management, and compliance. First, use the following code to set up an OAuth consent screen:
gcloud iap oauth-brands create \\
\--application\_title “Just-In-Time Access” \\
\--support\_email=$(gcloud config get core/account)
Then, in the GCP console, first navigate to Security and then Identity-Aware Proxy.
Enable the IAP toggle under the APPLICATIONS tab:
You now have to specify which users can access your JIT Access app. You can give access permission to individuals, groups, or entire domains.
Back in the console, navigate to IAM & Admin section, and, under IAM, click GRANT ACCESS. Then, select users, groups, or domains in the list of principals by clicking the checkbox to the left of each item:
Expand IAP-secured Web App User in the list of roles and select the appropriate user by clicking the checkbox to its left:
Click SAVE:
Testing JIT Access
You’ll now test the process by granting eligible access and activating it using the JIT Access app.
As before, click GRANT ACCESS on the IAM page in the GCP console. You’ll be prompted to enter an email address. Use your Google Workspace user or a second cloud identity, and expand the drop-down menu labeled Select a role to select Project > Browser:
Then, click ADD IAM CONDITION, enter an email ID in the New principal input field, and under Role, choose Browser.
Add a descriptive title for the condition, such as “Eligible for JIT access.” Next, click CONDITION EDITOR and enter the CEL expression below:
has(\{\}.jitAccessConstraint)
Click SAVE. Based on this condition you just added, eligible access will be granted for the JIT Access application.
Requesting JIT Access Using the JIT Access App
You can now try changing to a different user and requesting temporary access to a resource.
Go to your JIT Access app’s URL in an incognito browser window. If you didn’t take note of it before, simply replace “newdemo-382919” with your project name in “https://newdemo-382919.el.r.appspot.com.”
Sign in with the user that you just granted the access to:
Select a role for which you want to activate access in the JIT Access application:
Provide a justification and click Request access:
Return to your browser window where the administrative user is logged in and review the log.
Go to Logs Explorer in the Logging section of your GCP console and enable the Show query option. Then, enter the query below:
labels.event=”api.activateRole”
Clicking Run query should produce an output similar to the following:
{
```json
\{
“textPayload”: “User test123@gmail.
com activated role ‘ROLE’ on ‘//
cloudresourcemanager.googleapis.com/projects/
newdemo-382919’ for themselves”,
“severity”: “INFO”,
“labels”: \{
“resource”: “//cloudresourcemanager.
googleapis.com/projects/newdemo-382919”,
“event”: “api.activateRole”,
“role”: “ROLE”,
“clone\_id”: “00d8...”,
“user”: “test123@gmail.com”,
“justification”: “testing”,
\},
\}
\}
You can see that there’s now a log record for the activated role.
You’ve now successfully set up and tested JIT access in Google Cloud Platform.
Tips to Optimize Access Security in GCP
Configuring JIT access is just one part of ensuring access security in GCP. Below are some general tips for enhancing access security in GCP.
Implement Multifactor Authentication
Enabling multifactor authentication (MFA) adds another level of protection for user accounts in GCP by requiring users to supply two or more authentication factors, such as a password and a time-based, one-time password generated on the user’s mobile phone. MFA significantly lowers the risk of unauthorized access, even when login credentials become compromised.
Use an Identity and Access Management Solution
Identity and access management solutions provide robust features to simplify user access, roles, and permissions in GCP. ConductorOne, for instance, guarantees enhanced security for GCP with minimal effort on your end. Its centralized control, audit trails, and automation features effectively uphold access security.
Enable Audit Logging and Monitoring to Track and Detect Suspicious Activities
GCP offers comprehensive audit logging and monitoring capabilities. By activating these features, you can quickly observe user activities, API usage, system events, and any suspicious activity, allowing you to quickly respond to threats.
Utilize Service Accounts and the Principle of Least Privilege
By allocating permissions using service accounts and adhering to the principle of least privilege, users and applications will only have the permissions necessary for performing their tasks, which reduces accidental data exposure or misuse of resources.
Implement VPC Service Controls to Secure Data within GCP Services
VPC Service Controls provide an additional layer of security by allowing you to define security perimeters for specific Google Cloud services. This helps prevent data exfiltration and unauthorized access to resources.
Use Cloud Identity-Aware Proxy (IAP) for Fine-Grained Access Control to Applications
IAP provides context-aware access control for web applications running on GCP. You learned how to configure IAP earlier in this article. Users are granted access based on their identity and context, providing increased security without needing VPNs or complex firewall rules.
Implement Strong and Regularly Rotated Encryption Keys for Data Protection
Data encryption is vital for access security. Implement strong encryption keys and regularly rotate them to protect data during transit and at rest. You can rotate your keys manually or set up a schedule using GCP’s Cloud Key Management service.
Follow Security Best Practices for Virtual Machine Instances, Containers, and Serverless Functions
GCP compute resources require their own set of security considerations to prevent vulnerabilities from emerging and secure access. GCP has some recommended best practices for protecting virtual machines, containers, and serverless functions to minimize vulnerabilities while safeguarding access.
Regularly Review and Update Access Permissions
Security should be an ongoing process, and access permissions should be regularly evaluated and updated. Remove unnecessary permissions, make sure roles reflect job responsibilities, and ensure your security policies align with evolving organizational needs and best practices.
Conclusion
You now know how to implement JIT access in GCP. JIT access within the Google Cloud Platform represents an exciting paradigm shift in cloud security. By only granting access when needed and following the principle of least privilege, this approach significantly enhances organizations operating within the platform’s security posture—not simply protecting access but securing it intelligently.
ConductorOne plays an essential part in access control by helping to implement security best practices. For instance, ConductorOne allows you to implement JIT access for GCP resources, enforce the least privilege principle for users with GCP accounts, and implement risk-based authentication for these accounts. These practices can help reduce the risks of data breaches or unauthorized access to GCP resources.
