Granting access to VPC service perimeters - GoogleCloudPlatform/jit-groups GitHub Wiki
| 📝 This Wiki page has moved. For the latest content, see Access VPC service perimeters on the IAP JIT Access documentation page. |
|---|
The Just-in-Time Access application uses the Google Cloud Resource Manager API to grant access to projects. If a project is part of a VPC service perimeter that restricts access to the Google Cloud Resource Manager API, then the application might be unable to grant users access to that project.
To allow Just-in-Time Access to grant users access to projects in a service perimeter, create an ingress policy:
1. In the Cloud Console, go to VPC Service Controls and open the service perimeter.
2. Click Edit perimeter.
3. Select Ingress Policy.
4. Click Add rule and configure the following settings:
   - Source: All sources
   - Identity: the email address of the service account used by the JIT Access application
   - Project: the project to manage access for, or All projects
   - Services: Google Cloud Resource Manager API
5. Click Save.
This ingress policy permits the service account used by the JIT Access application to access the Google Cloud Resource Manager API, and lets the Just-in-Time Access application grant users access to projects in that service perimeter.
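The same ingress rule expressed as an ingress policy spec for the `gcloud` CLI, as an added example that is not part of the original wiki page or of the jit-groups project. The service account email, the project number and the perimeter name are placeholders; the rule mirrors the Console settings above: all sources, the JIT Access service account as the only identity, and the Resource Manager API as the only service.

```yaml
# ingress.yaml (constructed example): one ingress rule for the JIT Access service account.
# Placeholders: SA_PROJECT_ID, PROJECT_NUMBER. Replace before applying.
- ingressFrom:
    identities:
      # Must carry the "serviceAccount:" prefix; a bare email address is rejected.
      - serviceAccount:jit-access@SA_PROJECT_ID.iam.gserviceaccount.com
    sources:
      # accessLevel "*" corresponds to "All sources" in the Console.
      - accessLevel: "*"
  ingressTo:
    operations:
      # Only the Resource Manager API, which JIT Access needs to grant project access.
      - serviceName: cloudresourcemanager.googleapis.com
        methodSelectors:
          - method: "*"
    resources:
      # "*" corresponds to "All projects". To scope the rule to one project
      # instead, use its project number, e.g. projects/PROJECT_NUMBER.
      - "*"
```

Apply it with `gcloud access-context-manager perimeters update PERIMETER_NAME --policy=ACCESS_POLICY_ID --set-ingress-policies=ingress.yaml`, replacing the placeholders. Note that `--set-ingress-policies` replaces the perimeter's existing ingress rules with the contents of the file, so include any rules you already have. Prefer a specific project over `"*"` in `resources` where JIT Access only manages one project, since the rule then opens the perimeter to a single identity for a single API on a single resource, which is the narrowest rule that still lets the application work.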