IAM Break the glass

How do I generate temporary high privilege for an admin action and automatically revoke it after the modification?

IAM conditions are part of that.

Is there something different to do?

Solved
2 ACCEPTED SOLUTIONS

glen_yu
Google Developer Expert

The short answer is:
-----------------------------

No -- not possible

Long answer #1 is:
-------------------------

If you're in an org, then you'd presumably already have an Owner as well as a Super Admin or Org Admin that can act as your breakglass account. Likely you'll have to contact one of those people that hold said accounts.

Long answer #2 is:
------------------------------

No, it's not possible via GCP alone. You would have to leverage a product such as HashiCorp Vault and their GCP Secrets Engine, with which you can set up something in advance (permissions/roles + TTL on the perms), and if you ever need that breakglass account, then certain people with Vault access can hit up the secrets engine endpoint and get a key to a short-lived account with the perms that you previously set, which Vault will terminate after some TTL (e.g. 3600 sec). Vault would keep an audit trail of who accessed the endpoint to request a key, so that should have you covered if you need anything from an auditing point of view.

EDIT: grammar & spelling


A very late response for people finding this through a search engine. There is new documentation in the GCP Architecture Center describing a solution for just-in-time privileged access to projects which might be helpful: https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project


4 REPLIES


With regard to using Vault: Vault currently supports only service account / SA token / key file creation (unlike the AWS secrets engine, which also supports temporary user creation). Since "When you use the Google Cloud console, you always authenticate with your user credentials; you can't impersonate a service account to access resources in the Google Cloud console." (https://cloud.google.com/iam/docs/service-account-impersonation#impersonation-overview), with creds generated by Vault you'll have to use the CLI/API and you won't be able to use the web console.

So if you need a break glass solution with GUI access:

- you can have a dedicated break glass user, to which some org owner gives you access (aka hands out creds to you)
- or rather, the org admin can temporarily grant your regular user roles (i.e. via the GUI), which will automatically be revoked after the expiration time
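The second bullet above (a role granted to your normal user that lapses by itself) is what an IAM condition on `request.time` gives you, and it is also the "IAM condition" the question refers to. The following is an added example for this thread, not code from the thread, from Google or from HashiCorp: it builds such a time-bound binding, prints the equivalent `gcloud` command, and audits a policy for standing versus lapsed privileged grants. The project ID, principals and timestamps are constructed.

```python
"""Time-bound ("break glass") IAM grants on Google Cloud.

Added example for this thread, not code from the thread or from Google.
Assumes the IAM policy JSON shape that `gcloud projects get-iam-policy
--format=json` returns (a `bindings` list whose entries may carry a
`condition`). Project ID, principals and timestamps below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

EXPIRY_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Matches the deadline in a condition of the form request.time < timestamp("...").
_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def make_breakglass_binding(member, role, ttl_seconds, now=None, title="breakglass"):
    """Build a conditional binding that stops applying ttl_seconds from now.

    IAM evaluates the condition on every request, so access ends at the
    deadline without anyone revoking it; the binding itself stays in the
    policy until pruned. Conditional bindings require policy version 3.
    """
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(seconds=ttl_seconds)).strftime(EXPIRY_FMT)
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": title,
            "description": f"JIT grant, expires {expiry}",
            "expression": f'request.time < timestamp("{expiry}")',
        },
    }


def gcloud_command(project, binding):
    """Equivalent gcloud invocation, for the change ticket or runbook."""
    cond = binding["condition"]
    return (
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member={binding['members'][0]} --role={binding['role']} "
        f"--condition='expression={cond['expression']},title={cond['title']}'"
    )


def binding_expiry(binding):
    """Deadline of a time-bound binding as an aware datetime; None if the
    binding is unconditional or its condition is not a plain expiry."""
    cond = binding.get("condition")
    if not cond:
        return None
    match = _EXPIRY_RE.search(cond.get("expression", ""))
    if not match:
        return None
    return datetime.strptime(match.group(1), EXPIRY_FMT).replace(tzinfo=timezone.utc)


def audit_policy(policy, privileged_roles, now=None):
    """Sort privileged-role bindings into standing (unconditional) access,
    expired JIT grants that can be pruned, JIT grants still in effect, and
    bindings with some other condition that needs a human look."""
    now = now or datetime.now(timezone.utc)
    report = {"standing": [], "expired": [], "active_jit": [], "other_condition": []}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in privileged_roles:
            continue
        expiry = binding_expiry(binding)
        if binding.get("condition") is None:
            bucket = "standing"
        elif expiry is None:
            bucket = "other_condition"
        elif expiry <= now:
            bucket = "expired"
        else:
            bucket = "active_jit"
        for member in binding["members"]:
            report[bucket].append((member, role))
    return report


def prune_expired(policy, now=None):
    """Copy of the policy without expired time-bound bindings. IAM already
    ignores them, but pruning keeps the policy readable and within limits."""
    now = now or datetime.now(timezone.utc)
    kept = [b for b in policy.get("bindings", [])
            if binding_expiry(b) is None or binding_expiry(b) > now]
    return {**policy, "bindings": kept}


# Constructed sample policy: a standing Owner, a read-only group, one JIT grant
# that has lapsed and one that is still running at CHECK_TIME.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
CHECK_TIME = T0 + timedelta(hours=12)
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/owner", "members": ["user:org-admin@example.com"]},
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
        make_breakglass_binding("user:oncall@example.com", "roles/compute.admin", 3600, now=T0),
        make_breakglass_binding("user:oncall@example.com", "roles/editor", 3600,
                                now=T0 + timedelta(days=1)),
    ],
}
PRIVILEGED = {"roles/owner", "roles/editor", "roles/compute.admin"}

if __name__ == "__main__":
    print(gcloud_command("my-project", SAMPLE_POLICY["bindings"][2]))
    for bucket, entries in audit_policy(SAMPLE_POLICY, PRIVILEGED, now=CHECK_TIME).items():
        print(bucket, entries)
    print(len(prune_expired(SAMPLE_POLICY, now=CHECK_TIME)["bindings"]), "bindings after pruning")
```

Because the grant goes to the user's own account, console access keeps working, which sidesteps the service-account-only limitation of the Vault route. The audit is the part worth scheduling: a standing `roles/owner` binding outside the agreed break glass account, or an "expired" bucket that never empties, is what you want to see in a ticket.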


Google just released Privileged Access Manager, which might be a better fit: https://cloud.google.com/iam/docs/pam-overview