Automating On-Demand Access Requests for Google Cloud Platform
Under the principle of least privilege, admins grant users just enough access to carry out their everyday work and nothing more. That limits the damage a compromised account or an honest mistake can do, but it creates friction whenever a user legitimately needs to perform a privileged action.
Granting the right permissions in these moments is hard in general, and it is especially challenging on Google Cloud Platform (GCP) for several reasons:
- Tasks and functions are not readily mapped to the individual permissions they require.
- There is no built-in notion of who owns or approves a given permission.
- There is no way to attach additional context (for instance, how long an engineer needs the elevated permissions) to a single request.
- GCP offers no consolidated, out-of-the-box view of who currently holds access to which environments or resources (Policy Analyzer in Cloud Asset Inventory can answer individual questions, but it is a query tool rather than a standing inventory).
Solution 1: DIY from Scratch
A handful of companies have already built internal solutions for requesting access. One such company, Mednition, even published an article about it.
Mednition had a few goals:
- Have fewer standing privileges.
- Reduce the time it takes to request access and get it approved.
- Fit within its current tech stack.
- Create an audit trail that’s easy to index and search.
- Support compliance requirements for auditing and logging.
Here’s the solution the company created:
“We decided to create a Slackbot that runs within GCP Cloud Run and logs the audit trail to GCP Cloud Logging. We will leverage Google Groups for provisioning access and Cloud Identity as the mechanism for managing temporary membership. Cloud Identity will add and remove the user from the group for us, so we don’t have to manage any state (which is amazing to avoid sync issues and edge cases). This is particularly interesting because now we can provide temporary access to third-party applications if they can map access to Google Groups (outside of our use case but maybe in the future).”
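The key design choice in that description is letting Cloud Identity expire the group membership instead of tracking state in the bot. The following is an added example, not Mednition's code, showing what the Slack-command-to-membership path looks like. It assumes a slash command of the form `/access <group-email> <duration> <justification>`, a hypothetical 8-hour ceiling on grants, and the Cloud Identity Groups API request shape (`POST /v1/{group}/memberships` with `roles[].expiryDetail.expireTime`); the clock and identities are constructed sample values.

```python
"""Expiring Google Group membership for a Slack-driven access request.

Added example, not Mednition's code. Assumptions: a slash command of the form
"/access <group-email> <duration> <justification>", a hypothetical 8-hour
ceiling on grants, and the Cloud Identity Groups API request shape
(POST /v1/{group}/memberships with roles[].expiryDetail.expireTime), which is
what lets Google remove the member for us instead of our keeping state.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=8)          # assumed policy ceiling, not from the article
_DURATION = re.compile(r"^(\d+)([mh])$")
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass(frozen=True)
class AccessRequest:
    requester: str          # Slack user's verified Google identity, e.g. alice@example.com
    group: str              # Google Group that carries the real IAM binding
    duration: timedelta
    justification: str


def parse_command(requester: str, text: str) -> AccessRequest:
    """Parse '<group-email> <duration> <justification>' and enforce the ceiling."""
    parts = text.strip().split(maxsplit=2)
    if len(parts) < 3:
        raise ValueError("usage: /access <group-email> <duration> <justification>")
    group, dur, why = parts
    if "@" not in group:
        raise ValueError("group must be a Google Group email address")
    m = _DURATION.match(dur)
    if not m:
        raise ValueError("duration must look like 30m or 2h")
    n, unit = int(m.group(1)), m.group(2)
    duration = timedelta(minutes=n) if unit == "m" else timedelta(hours=n)
    if not timedelta(0) < duration <= MAX_GRANT:
        raise ValueError(f"duration must be between 1m and {MAX_GRANT}")
    return AccessRequest(requester, group, duration, why)


def expire_time(req: AccessRequest, now: datetime) -> str:
    """RFC 3339 UTC timestamp, the format the API expects in expiryDetail.expireTime."""
    return (now + req.duration).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def membership_body(req: AccessRequest, now: datetime) -> dict:
    """Membership resource: a MEMBER role that Cloud Identity expires on its own."""
    return {
        "preferredMemberKey": {"id": req.requester},
        "roles": [{"name": "MEMBER",
                   "expiryDetail": {"expireTime": expire_time(req, now)}}],
    }


def audit_entry(req: AccessRequest, now: datetime, approver: str) -> dict:
    """Structured log payload for Cloud Logging; keyed fields are easy to filter on."""
    return {
        "event": "temporary_group_membership_granted",
        "requester": req.requester,
        "approver": approver,
        "group": req.group,
        "justification": req.justification,
        "expire_time": expire_time(req, now),
    }


def grant(req: AccessRequest, now: datetime, session) -> dict:
    """Look the group up by email, then create the expiring membership.

    `session` is assumed to be a google.auth.transport.requests.AuthorizedSession
    holding the cloud-identity.groups scope; this function is not exercised offline.
    """
    base = "https://cloudidentity.googleapis.com/v1"
    lookup = session.get(f"{base}/groups:lookup", params={"groupKey.id": req.group})
    lookup.raise_for_status()
    group_name = lookup.json()["name"]          # e.g. "groups/0123abc"
    resp = session.post(f"{base}/{group_name}/memberships", json=membership_body(req, now))
    resp.raise_for_status()
    return resp.json()
```

Two points worth noting. The bot never stores a "remove at" timer: `expireTime` goes to Google, and the membership disappears on its own even if the Cloud Run instance is redeployed or the bot is down at that moment. The audit payload is deliberately a flat dict so it can be handed to `Logger.log_struct()` from the Cloud Logging client and later filtered with queries such as `jsonPayload.group="prod-readers@example.com"`.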
Solution 2: Google’s Open Source Solution
Google’s Just-In-Time Access is an open source application that lets you implement just-in-time privileged access to Google Cloud resources. The application lets administrators, users and auditors do the following tasks:
- Administrators can grant a role to a user or group and make the role eligible by adding the following identity and access management (IAM) condition:
- Users can search for projects and roles that they’re eligible to access by using the Just-In-Time Access application. The following screenshots from the Just-In-Time Access application show a list of roles that a user is eligible for in a project:
They can then activate one or more roles and provide a justification for getting access:
After a user has activated a role, Just-In-Time Access grants the user temporary access to the project.
- Auditors can use Cloud Logging to review when and why eligible roles have been activated by users.
To protect the application against unauthorized access, Just-In-Time Access is exposed only behind Identity-Aware Proxy (IAP). With IAP, an administrator controls which users may reach the application and which additional conditions (such as device or network context) they must satisfy. IAP gates only who can reach the application, though: to grant an activation, the application's own service account must be able to modify the project's IAM policy, so that service account is a highly privileged identity in its own right and its actions should be reviewed in Cloud Audit Logs alongside the activations themselves.
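The eligibility-then-activation flow above is implemented entirely with IAM conditions. The following is an added example, not code from Google's jit-access project, that shows the mechanics: a binding tagged with the condition `has({}.jitAccessConstraint)` (the expression the project's documentation uses) never evaluates to true, so it grants nothing on its own and merely marks the role as eligible; an activation then adds a second, time-bounded binding with `request.time < timestamp("...")`. `SAMPLE_POLICY` is constructed data in the shape `getIamPolicy` returns, the 8-hour ceiling is an assumption, and no API is called.

```python
"""Eligible-role discovery and time-boxed activation using IAM conditions.

Added example, not code from Google's jit-access project. It reuses the two
condition expressions that project documents: has({}.jitAccessConstraint), which
never evaluates to true and so marks a binding as eligible without granting it,
and request.time < timestamp("..."), which bounds an activation. SAMPLE_POLICY is
constructed data in the shape getIamPolicy returns; nothing here calls the API.
"""
import copy
import re
from datetime import datetime, timedelta, timezone

ELIGIBLE_EXPR = "has({}.jitAccessConstraint)"
_ACTIVATION = re.compile(r'request\.time < timestamp\("([^"]+)"\)')
MAX_ACTIVATION = timedelta(hours=8)     # assumed ceiling, not from the article

SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)       # constructed clock
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=2)

# Constructed policy. Version 3 is required for conditional bindings to be
# returned by getIamPolicy (requestedPolicyVersion=3) and accepted by setIamPolicy.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXyZ123",
    "bindings": [
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
        {"role": "roles/compute.admin",
         "members": ["user:alice@example.com", "group:sre@example.com"],
         "condition": {"title": "Eligible for JIT access", "expression": ELIGIBLE_EXPR}},
        {"role": "roles/cloudsql.admin",
         "members": ["group:sre@example.com"],
         "condition": {"title": "Eligible for JIT access", "expression": ELIGIBLE_EXPR}},
    ],
}


def _ts(t: datetime) -> str:
    """RFC 3339 UTC form used inside the timestamp() condition."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def eligible_roles(policy: dict, user: str, groups=()) -> list:
    """Roles the user may activate: bindings that carry the eligibility condition."""
    principals = {f"user:{user}", *(f"group:{g}" for g in groups)}
    roles = {b["role"] for b in policy.get("bindings", [])
             if (b.get("condition") or {}).get("expression") == ELIGIBLE_EXPR
             and principals & set(b.get("members", []))}
    return sorted(roles)


def activate(policy, user, role, justification, now, minutes, groups=()) -> dict:
    """Return a copy of the policy with a temporary binding for one role."""
    if role not in eligible_roles(policy, user, groups):
        raise PermissionError(f"{user} is not eligible for {role}")
    if not justification.strip():
        raise ValueError("a justification is required")
    if not 0 < minutes <= MAX_ACTIVATION.total_seconds() / 60:
        raise ValueError("activation length out of range")
    new = copy.deepcopy(policy)      # setIamPolicy replaces the whole policy, etag included
    new["version"] = 3
    new["bindings"].append({
        "role": role,
        "members": [f"user:{user}"],
        "condition": {
            "title": "JIT access activation",
            "description": f"Justification: {justification}",
            "expression": f'request.time < timestamp("{_ts(now + timedelta(minutes=minutes))}")',
        },
    })
    return new


def prune_expired(policy: dict, now: datetime) -> dict:
    """Drop activation bindings whose window has passed.

    IAM stops honouring them on its own, but they still count toward the
    per-policy binding limit and clutter audit review, so clean them up.
    """
    keep = []
    for b in policy.get("bindings", []):
        m = _ACTIVATION.fullmatch((b.get("condition") or {}).get("expression", ""))
        if m and datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
            continue
        keep.append(b)
    new = copy.deepcopy(policy)
    new["bindings"] = keep
    return new
```

In a real deployment the dict returned by `activate()` is sent with `setIamPolicy`, carrying the `etag` read moments earlier so a concurrent edit is rejected rather than silently overwritten, and the justification is also written to Cloud Logging, which is where the auditor's view in the previous section comes from. Fetch the policy with `requestedPolicyVersion` set to 3, or conditional bindings (and therefore every eligibility) will be missing from the response.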
Solution 3: Out-of-the-Box Tools
Free solutions such as Apono provide plug-and-play authorization workflows so companies don't need to start from scratch. Apono acts as the intermediary between identities and entitlements, granting access just in time and for a bounded period. Its privilege authorization capability gives a reliable, streamlined approach to permission management and limits the blast radius of a permissions-related breach in GCP (or any other cloud service) without hurting user experience or productivity.
The image below features an access flow that allows developers to get temporary read-only access to production when needed:
Remember that managing access control effectively is a critical aspect of maintaining the security and integrity of your GCP resources. Regularly review and audit your roles and permissions to ensure they align with your evolving requirements.
The Bottom Line
Navigating on-demand access in GCP can be intricate, but with the right tools and strategies, organizations can strike a balance between security and efficiency. Whether you opt for a DIY approach, use Google’s open source solutions or try out-of-the-box tools, the goal remains consistent: to provide secure, streamlined and manageable access to resources.
Apono is a cloud native, centralized self-service access management platform that keeps organizations secure with simple and precise just-in-time permissions across the DevOps domain. Apono takes just minutes to deploy and integrates with your existing cloud services, Kubernetes, data repositories and other R&D applications. With Apono, view existing permissions and enable dynamic contextual access workflows directly from Slack, Teams or CLI.