This project is a CLI that allows employees to request Just-in-time access to GCP resources for a limited time using the Google Privileged Access Manager.
It's composed of two main components:
- A CLI that allows the user to request access to a GCP project
- A Slack integration that allows the designated approver to be notified and give permission to the user
go install github.com/felixgborrego/gpc-pam-jit/cmd/gcp-jit@latest
- List the available entitlements:
gcp-jit entitlements --project prj-xxx-33333Example output:
Your current GCP user has the following entitlements for the project prj-xxx-33333 and location global:
🛡️ Entitlement: database-access (1h0m0s)
Granted Roles: roles/alloydb.admin
No manual approval required
🛡️ Entitlement: gke-access (1h0m0s)
Granted Roles: roles/gkehub.connect, roles/container.developer
Approval required by: user:felix@test.com
🛡️ Entitlement: test-2 (1h0m0s)
Granted Roles: roles/appengine.appAdmin
Approval required by: user:felix@test.com
- Request Just-in-Time access:
gcp-jit request database-access \
--project prj-xxx-33333 \
--justification "I need to run a basic query on the prod database"- Configure Slack integration:
gcp-jit config slack --token xxxxxxx --channel test1# Run locally for development
go run .
# Build
go build -o bin/gcp-jit github.com/felixgborrego/gpc-pam-jit/cmd/gcp-jit