-
Notifications
You must be signed in to change notification settings - Fork 46
Granting access to VPC service perimeters
|
📝 This Wiki page has moved. For the latest content, see Access VPC service perimeters on the IAP JIT Access documentation page. |
|---|
The Just-in-Time Access application uses the Google Cloud Resource Manager 🡥 API to grant access to projects. If a project is part of a VPC service perimeter 🡥 that restricts access to the Google Cloud Resource Manager API, then the application might be unable to grant users access to that project.
To allow Just-in-Time Access to grant users access to projects in a service perimeter, create an ingress policy:
-
In the Cloud Console, go to VPC Service Controls 🡥 and open the service perimeter.
-
Click Edit perimeter.
-
Select Ingress Policy.
-
Click Add rule and configure the following settings:
- Source: All sources
- Identity: the email address of the service account used by the JIT Access application
- Project: the project to manage access for, or All projects
- Services: Google Cloud Resource Manager API
-
Click Save
This ingress policy permits the service account used by the JIT Access application to access the Google Cloud Resource Manager API, and lets the Just-in-Time Access application grant users access to projects in that service perimeter.
Just-In-Time Access is an open-source project and not an officially supported Google product.
Overview
How-to guides
- Deploy JIT Access 🡥
- Upgrade JIT Access 🡥
- Configure multi party approval
- Configure Pub/Sub notifications
- Switch to a different catalog
- Grant access to VPC service perimeters
Reference
Development