lirlia/prel

prel


This repository is in the experimental stage.

Non-backward compatible changes may be made frequently.

prel(iminary) is an application that temporarily assigns Google Cloud IAM Roles and includes an approval process.

It is inspired by Qray from merpay.



Request Sequence

sequenceDiagram
actor Requester
actor Judger
participant PreliminarySystem as prel
participant NotificationSystem as Slack
participant CloudService as Google Cloud
    Requester ->> PreliminarySystem: Submit Request
    PreliminarySystem ->> NotificationSystem: Send Notification
    Judger ->> PreliminarySystem: Approve Request
    PreliminarySystem ->> CloudService: Assign IAM Roles to Requester
    PreliminarySystem ->> NotificationSystem: Send Notification
    Requester ->> CloudService: Access with New Permissions

Getting Started

How to use

Caution

The screenshots are not the latest.

1. Sign in by Google Account as Requester

Log in with your Google Account.

This user will be referred to as the requester. If login fails, review the OAuth consent settings.


After logging in, a request form will appear.



2. Send Request as Requester

Select the Project ID, and a list of available Roles for that project will appear.

Please select the necessary Roles (multiple selections possible).



Set the Period to 1h for the subsequent work (if the time is too short, the request will expire).

Once finished, press the Request button. You will then be redirected to the Pending page.



At this time, a notification is sent to Slack.


3. Judge the Request as Judger

Sign in to http://localhost:8181 with a different browser (one that does not share the session).

This user will be referred to as the judger.


A Not Invited error will appear.

In this app, an invitation is mandatory for all users after the first registered user.


4. Invite new user as Requester

Now, return to the requester's screen and access http://localhost:8181/admin/user.

An invitation input area will be at the top right, where you should enter the judger's email address.



At this point, set the permission to judger and then press the Invite button.


5. Approve Request as Judger

Then, log in again as the judger and access http://localhost:8181/request.

You will see options to Approve / Reject. Let's try approving.



6. Check Google Cloud IAM setting

If you have the correct Google Cloud permissions, the IAM policy will be updated with a time condition.



A notification will also be sent to Slack.


How to Deploy


prel Details

User Roles

| role \ action | request | judge (approve/reject) | delete own request (only pending status) | delete others' request (only pending status) | judge own request |
| --- | --- | --- | --- | --- | --- |
| requester | ⭕️ | - | ⭕️ | - | - |
| judger | ⭕️ | ⭕️ | ⭕️ | - | - |
| admin | ⭕️ | ⭕️ | ⭕️ | ⭕️ | - |

Only the admin role can invite users.


User Management

Invitation

The first user to sign in is given the admin role; thereafter, an invitation is required to participate.

The email address of the Google Account is needed for the invitation. Please note that no notification, such as an email, is sent; after inviting, the administrator should inform the invitee.

Regular expressions, Google Groups, service accounts, or other non-user principals are not supported.

The invitation is valid for 7 days. If this period is exceeded, the invitation becomes invalid and the user must be invited again.


User Available

This setting enables or disables users. Disabled users cannot sign in or perform any operations.

Re-enabling allows them to operate again.

Running the tests

make test

prel has the following tests.

  • unit test
  • integration test
  • e2e test

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

We use SemVer for versioning.

For the versions available, see the tags on this repository.

License

Released under MIT by @lirlia.

FAQ

Why don't basic roles appear in the role list?

In Google Cloud, Role Binding using IAM Conditions for basic roles is not permitted, so they are not displayed.


Why are some expected roles not listed?

This could be due to any of the following reasons:

  • The role is not appearing because the API in Google Cloud is not enabled (for example, if the Spanner API is disabled, Spanner Roles will not be displayed).
  • The role is not among the grantable roles in the target project.
  • The role name partially matches [sS]erviceAgent (these roles are only assignable to service accounts and are therefore not displayed).
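
As an added example that is not part of prel's own code, the Go snippet below shows how a temporary grant like the one created in step 6 can be represented and checked: the binding's IAM Condition compares request.time against the approval time plus the requested Period, and the role filtering follows the FAQ rules above (basic roles and *ServiceAgent roles are excluded). The binding and condition structs, the condition title and the use of the standard request.time comparison are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Minimal stand-ins for an IAM policy binding and its condition (assumed
// shapes for this example, not prel's own types).
type Condition struct{ Title, Expression string }
type Binding struct {
	Role      string
	Members   []string
	Condition Condition
}

// Basic roles cannot carry IAM Conditions and *ServiceAgent roles are only
// assignable to service accounts, so neither is offered (see the FAQ).
var basicRoles = map[string]bool{"roles/owner": true, "roles/editor": true, "roles/viewer": true}
var serviceAgent = regexp.MustCompile(`[sS]erviceAgent`)

// Grantable applies those two filtering rules to a role name.
func Grantable(role string) bool { return !basicRoles[role] && !serviceAgent.MatchString(role) }
// TemporaryBinding builds a binding whose condition stops matching once
// request.time passes approvedAt+period (the Period chosen on the request form).
func TemporaryBinding(role, email string, approvedAt time.Time, period time.Duration) (Binding, error) {
	if !Grantable(role) {
		return Binding{}, fmt.Errorf("role %q cannot be granted with a time condition", role)
	}
	exp := approvedAt.Add(period).UTC().Format(time.RFC3339)
	return Binding{Role: role, Members: []string{"user:" + email}, Condition: Condition{
		Title:      "prel temporary grant",
		Expression: fmt.Sprintf(`request.time < timestamp("%s")`, exp),
	}}, nil
}

var expiry = regexp.MustCompile(`^request\.time < timestamp\("([^"]+)"\)$`)

// Active reports whether the binding still grants access at now. A condition
// this code does not recognise is treated as not granting, which is the safe
// direction when auditing for leftover bindings.
func Active(b Binding, now time.Time) bool {
	m := expiry.FindStringSubmatch(b.Condition.Expression)
	if m == nil {
		return false
	}
	exp, err := time.Parse(time.RFC3339, m[1])
	return err == nil && now.Before(exp)
}
```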

What should be stored in the secret manager?

  • client secret
  • notification url

I can't sign in locally due to an Invalid Argument error

This is likely due to a discrepancy caused by deleting the database while the browser still retains cookies.

Please delete the cookies for this app.