Add GCP IAM Conditions evidence gates #1728

Open

yanziwei wants to merge 1 commit into UnitOneAI:main from yanziwei:improve/gcp-iam-conditions-evidence-gates
Conversation

yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Skill

  • gcp-review
  • Files changed:
    • skills/cloud/gcp-review/SKILL.md
    • skills/cloud/gcp-review/benchmark-checklist.md

What Was Wrong

The GCP review skill covered IAM service account keys, admin privileges, service account role assignments, KMS access, API keys, and public grants, but it did not require evidence that temporary, scoped, emergency, contractor, or partner access is actually enforced with IAM Conditions or a JIT mechanism. Reviewers could accept comments, ticket due dates, or manual reminders as proof of temporary access even when the IAM binding itself was permanent.

It also did not warn that IAM Conditions do not apply to legacy basic roles or public principals, which can lead to false risk reduction claims for roles/owner, roles/editor, roles/viewer, allUsers, or allAuthenticatedUsers grants.

What This PR Fixes

  • Bumps gcp-review to version 1.0.1.
  • Adds IAM Conditions and Time-Bound Access Evidence to the main workflow.
  • Requires conditional bindings to include an explicit CEL expression, title, and description.
  • Requires temporary access to have an enforceable request.time < timestamp(...) expiry.
  • Requires scoped access to use resource attributes, tags, Access Context attributes, or service-specific scope where supported.
  • Adds unsupported binding detection for legacy basic roles and public principals.
  • Adds break-glass governance and drift/expiry monitoring evidence requirements.
  • Adds an IAM Conditions output matrix.
  • Adds Terraform and live gcloud ... get-iam-policy examples to the benchmark checklist.
  • Adds Google Cloud IAM Conditions and temporary access references.

Test Cases / Validation

  • git diff --check passed.
  • Markdown code fence balance passed:
    • SKILL.md fences: 4, balanced.
    • benchmark-checklist.md fences: 106, balanced.
  • Required marker checks passed for:
    • version: "1.0.1"
    • IAM Conditions and Time-Bound Access Evidence
    • request.time < timestamp
    • Unsupported Basic/Public Grant
    • roles/owner
    • allAuthenticatedUsers
    • configuring-temporary-access
    • Conditional and Time-Bound Role Bindings

Bounty Tier

Moderate improver bounty requested: $100.

Closes #1727
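The gates listed above, applied to a policy document: this is an added example written for this page, not code from the gcp-review skill or from this PR. The sample policy is constructed to stand in for `gcloud ... get-iam-policy --format=json` output, and the finding labels are this example's own, not the skill's wording.

```python
import json
import re
from datetime import datetime

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# The CEL expiry form the PR requires: request.time < timestamp("...")
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

# Constructed sample standing in for `gcloud ... get-iam-policy --format=json`: a
# compliant temporary binding, an expired break-glass binding with no description,
# an unconditioned "temporary" partner grant, and a conditioned basic-role public grant.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["user:contractor@example.com"],
     "condition": {"title": "contractor-q3", "description": "Ticket SEC-1 window",
                   "expression": 'request.time < timestamp("2026-09-30T00:00:00Z")'}},
    {"role": "roles/compute.admin", "members": ["user:oncall@example.com"],
     "condition": {"title": "break-glass", "description": "",
                   "expression": 'request.time < timestamp("2026-01-01T00:00:00Z")'}},
    {"role": "roles/bigquery.dataViewer", "members": ["group:partner@example.com"]},
    {"role": "roles/editor", "members": ["allAuthenticatedUsers"],
     "condition": {"title": "x", "description": "y",
                   "expression": 'request.time < timestamp("2027-01-01T00:00:00Z")'}},
]})

def _ts(iso):  # RFC 3339 UTC timestamp, as written inside timestamp("...")
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def check_policy(policy_json, now_iso, temporary_members):
    """Return (role, member, finding) triples for bindings that fail a gate.
    temporary_members: principals said to hold temporary/scoped access; for them
    only a condition on the binding counts as evidence. Labels are this example's."""
    now, findings = _ts(now_iso), []
    for b in json.loads(policy_json)["bindings"]:
        cond = b.get("condition")
        for m in b["members"]:
            if cond and (b["role"] in BASIC_ROLES or m in PUBLIC_PRINCIPALS):
                findings.append((b["role"], m, "unsupported-basic-or-public-condition"))
            elif cond is None:
                if m in temporary_members:
                    findings.append((b["role"], m, "temporary-access-without-condition"))
            else:
                if not (cond.get("title") and cond.get("description")):
                    findings.append((b["role"], m, "condition-missing-title-or-description"))
                match = EXPIRY_RE.search(cond.get("expression", ""))
                if match is None:
                    findings.append((b["role"], m, "no-enforceable-expiry"))
                elif _ts(match.group(1)) <= now:
                    findings.append((b["role"], m, "expired-binding-still-present"))
    return findings
```

Run against a real export, the compliant contractor binding produces no finding, while the conditioned roles/editor grant to allAuthenticatedUsers is reported as unsupported rather than counted as risk reduction.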

Development

Successfully merging this pull request may close these issues.

[REVIEW] gcp-review: add IAM Conditions and time-bound access evidence gates