0

I am used to working with Azure, but have recently joined a project running from a set of docker instances in Google Cloud.

I would like to secure the setup in Google Cloud the way I have been used to do it in Azure.

In Azure it is possible to restrict access to the production environment using Azure AD. This can be achieved using Google Cloud Organization Service. So far so good.

Now I want to lock down production even further. I don't want anyone to just have access to production all the time. I would like to only allow this when needed and only for a limited time. This can be achieved in Azure by using Privileged Identity Management (PIM). That way I can allow certain people to self-elevate their privileges for a short period of time... say 4 hours. They also have to justify the self-elevation in text... and I can force two-factor authentication again, even though they are already logged in.

What is the PIM equivalent in Google Cloud? I haven't been able to find it. Can anyone point me to the documentation for a Google Cloud Service that does this?

Jay Pete
  • 4,123
  • 4
  • 35
  • 51
  • 1
    Google Cloud does not have an equivalent feature set or even a similar service. The closest comparable is Service Controls, but this falls short of your objectives. – John Hanley Dec 12 '19 at 02:48
  • Thanks John. I was hoping that wasn't the case. – Jay Pete Dec 12 '19 at 10:28

3 Answers3

2

I am not too familiar with Azure echo-system but from the description I think you are looking for Cloud IAP: https://cloud.google.com/iap/docs/concepts-overview. I am not sure if it offers temporary elevated feature though.

Alternatively, I think if you use Google Cloud Directory Sync you can manage users through Azure Active Directory and use it to authenticate against Google Cloud.

Also, here's a post which explains how you can provide a temporary access to someone by allowing them to impersonate a service account: https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d

gcloud --impersonate-service-account=admin-impersonated@my-project-id.iam.gserviceaccount.com compute networks create test-net
Parth Mehta
  • 1,869
  • 5
  • 15
2

Today, you can't achieve what you want. It's possible with IAM condition to allow a person to connect with certain condition (device, time, ip,...)

With the same feature, you can also set an expiration date.

Self privilege elevation is not present, yet. You can implement this in a function for example.

  • The user perform a query to the function with its own identity
  • The function allow the "owner" role (for example) to this user with an expiration date.
  • The function is deployed privately and only authenticated and authorized people can reach it.
guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
0

Thank you for your posts. I had hoped that it was possible to set up JIT (Just-In-Time) priviledged access in Google Cloud. But at the moment this is not possible.

Jay Pete
  • 4,123
  • 4
  • 35
  • 51