
Multi-party approval Configuration

Open Rajeshwaric7 opened this issue 2 years ago • 17 comments

I have configured multi-party approval by following the steps mentioned in the doc: https://googlecloudplatform.github.io/jit-access/configure-multi-party-approval/

Tried with both a Google Workspace account and Microsoft 365, however I am getting the error "There are currently no peers that could approve your request".

Any suggestions on this, please?

Rajeshwaric7 avatar Mar 06 '24 05:03 Rajeshwaric7

When you see the error "There are currently no peers that could approve your request", then the application hasn't reached the point yet where it would try to send an email. So the error can't be caused by an invalid email configuration. (The email configuration might still be invalid, but it would cause an error later).

If you request multi-party approval for a role, say roles/compute.admin, then peers are all other users that have been granted the same role on the same project with the same has({}.multiPartyApprovalConstraint) IAM condition. So the first thing to check would be if there actually is anybody (other than you, the requesting user) who has been granted this role with that condition.

jpassing avatar Mar 07 '24 02:03 jpassing
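The peer rule in the reply above can be checked offline against a project's IAM policy. The following is an added example (not code from the jit-access project): it takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns, computes who counts as a peer for a given role and requester, and explains why other holders of the role do not. The sample policy is constructed, the condition is compared as a whitespace-normalized string rather than parsed as CEL, and group members are not expanded; all of that is a simplification of what the application itself does.

```python
"""Find multi-party-approval peers in a project's IAM policy.

Added example, not code from the jit-access project. A peer for a request on
ROLE is any other user who holds ROLE on the same project under the
has({}.multiPartyApprovalConstraint) condition. Assumptions: the condition is
compared as a whitespace-normalized string, and group:/serviceAccount:
members are not expanded.
"""
import re

MPA_CONSTRAINT = "has({}.multiPartyApprovalConstraint)"

# Constructed sample policy for a single project (not real data).
SAMPLE_POLICY = {
    "bindings": [
        {   # two users hold the role under the MPA condition: they are peers
            "role": "roles/compute.admin",
            "members": ["user:alice@example.com", "user:bob@example.com",
                        "group:platform-admins@example.com"],
            "condition": {"title": "MPA", "expression": MPA_CONSTRAINT},
        },
        {   # carol holds the role permanently (no condition): not a peer
            "role": "roles/compute.admin",
            "members": ["user:carol@example.com"],
        },
        {   # dave holds it under the self-approval (JIT) condition: not a peer
            "role": "roles/compute.admin",
            "members": ["user:dave@example.com"],
            "condition": {"title": "JIT", "expression": "has({}.jitAccessConstraint)"},
        },
        {   # erin holds a different role with the MPA condition: irrelevant
            "role": "roles/storage.admin",
            "members": ["user:erin@example.com"],
            "condition": {"title": "MPA", "expression": MPA_CONSTRAINT},
        },
    ]
}


def _normalize(expression):
    """Strip whitespace so 'has( {}.multiPartyApprovalConstraint )' matches too."""
    return re.sub(r"\s+", "", expression or "")


def is_mpa_binding(binding):
    """True if the binding carries the multi-party-approval condition."""
    condition = binding.get("condition") or {}
    return _normalize(condition.get("expression")) == _normalize(MPA_CONSTRAINT)


def mpa_holders(policy, role):
    """User principals holding `role` under the MPA condition in this policy."""
    holders = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and is_mpa_binding(binding):
            holders.update(m for m in binding.get("members", []) if m.startswith("user:"))
    return holders


def peers_for(policy, role, requester):
    """Everyone who could approve `requester`'s request for `role`.

    The requester must hold the MPA binding themselves; an empty result is the
    situation behind "There are currently no peers that could approve your request".
    """
    holders = mpa_holders(policy, role)
    if requester not in holders:
        return set()
    return holders - {requester}


def diagnose(policy, role, requester):
    """Explain why other holders of `role` are not counted as peers."""
    reasons = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        expression = (binding.get("condition") or {}).get("expression")
        for member in binding.get("members", []):
            if member == requester:
                continue
            if not is_mpa_binding(binding):
                reasons.append(f"{member}: condition {expression!r} is not the MPA condition")
            elif not member.startswith("user:"):
                reasons.append(f"{member}: MPA binding, but not a user principal (not expanded here)")
    return reasons


if __name__ == "__main__":
    print(sorted(peers_for(SAMPLE_POLICY, "roles/compute.admin", "user:alice@example.com")))
    for line in diagnose(SAMPLE_POLICY, "roles/compute.admin", "user:alice@example.com"):
        print(" -", line)
```

Run it against a real policy by loading the `gcloud ... get-iam-policy` JSON instead of `SAMPLE_POLICY`; if `diagnose` reports that every other holder has a different (or no) condition, that is exactly the case where the approver list comes up empty.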

@jpassing, nobody has the same role with that IAM condition other than me. So I thought the peers would be those who have the JIT role (approvers) and that they would be notified through the email account which we configure. Please correct me if my understanding is wrong.

Rajeshwaric7 avatar Mar 11 '24 08:03 Rajeshwaric7

@jpassing, after adding the same IAM condition for another user, the approver option showed up; I was able to select the approver and request the intended role activation.

However, my questions are:

  1. To list the approvers, should they have the same IAM role with the condition (has({}.multiPartyApprovalConstraint))?
  2. How do we configure notifications to our common team DL about the activation details for auditing purposes?
  3. I have some 'X' roles already activated; how do I track for myself which roles are still active and how much time is left, in the Google Cloud console or in the JIT application?

Rajeshwaric7 avatar Mar 12 '24 06:03 Rajeshwaric7

After adding the same IAM condition for another user, the approver option showed up; I was able to select the approver and request the intended role activation.

Great!

  1. To list the approvers, should they have the same IAM role with the condition (has({}.multiPartyApprovalConstraint))?

Yes, only users that have the same role assigned with the has({}.multiPartyApprovalConstraint) condition are considered "peers" and show up in the list.

  2. How do we configure notifications to our common team DL about the activation details for auditing purposes?

It's currently not possible to always include a certain user in the review process. It's something we're looking into though.

  3. I have some 'X' roles already activated; how do I track for myself which roles are still active and how much time is left, in the Google Cloud console or in the JIT application?

When you request a role, you can see which roles are active already. The upcoming version will also indicate for how much longer they're active.

jpassing avatar Mar 12 '24 21:03 jpassing

Ok thanks for the update.

Rajeshwaric7 avatar Mar 13 '24 04:03 Rajeshwaric7

@jpassing, I am seeing errors while approving for some of the projects.


And also I see that even if the same IAM condition is applied, still only one approver gets listed.

This is how the permissions look at the Organization level:

Please suggest here.

Rajeshwaric7 avatar Mar 13 '24 07:03 Rajeshwaric7

@jpassing, I was able to rectify it at the Org level; this is how the roles and their IAM condition look:

But at the project level, not all roles get inherited, so even though other roles like Billing Admin, Project Creator etc. show up to activate, peers can't approve them and get an HTTP 403 error.


So the application is not smart enough to pick only those inherited roles and instead lists everything, which leads to confusion.

Instead we need to manually apply the roles and their condition at the project level, which is a tedious job.

Rajeshwaric7 avatar Mar 13 '24 10:03 Rajeshwaric7

There are a few predefined roles such as Billing Administrator that...

  1. contain at least one permission that applies to projects, yet
  2. aren't grantable on a project. That is, IAM will reject any attempt to grant such a role on a project.

Because of (1), role bindings for these roles are surfaced by the Asset Inventory API and JIT Access. JIT Access could try to identify and filter out problematic roles -- but it doesn't have enough context information to do that.

Because of (2), trying to request/activate such a role always fails. In practice, that means that these roles can't be used in JIT Access. Fortunately, the number of roles for which that issue applies is quite low.

#88 contains some additional context/details.

jpassing avatar Mar 14 '24 03:03 jpassing

Thanks for clarifying.

Rajeshwaric7 avatar Mar 14 '24 06:03 Rajeshwaric7

I am planning to roll out this JIT access at the Org level to all users. May I get the list of predefined roles that users can't activate and that give the 403 error during approval?

As per my testing, for roles like Billing Administrator, Billing Account Viewer, Compute Shared VPC Admin and Project Creator, JIT will not work.

And we have a lot of roles assigned at the Org level as below. Testing each role is a tedious job and the error message is not informative to users either, so it would be great if I could get the list of role names for which JIT doesn't work.

Rajeshwaric7 avatar Apr 22 '24 12:04 Rajeshwaric7

@jpassing, please help on the above ask. Thanks.

Rajeshwaric7 avatar Apr 28 '24 10:04 Rajeshwaric7

I'll have to follow up internally to see if there's a reliable way to find all predefined roles that are not grantable on a project.

My initial thought was to take the output of gcloud iam roles list (all roles) and subtract the output of gcloud iam list-grantable-roles (grantable roles). In theory, that should give you the list of non-grantable roles -- but for some reason, gcloud iam list-grantable-roles omits many roles, and I have to follow up why that is.

jpassing avatar Apr 29 '24 07:04 jpassing

@jpassing, any update on this?

Will JIT work for custom roles as well?

Rajeshwaric7 avatar May 09 '24 09:05 Rajeshwaric7

Will JIT work for custom roles as well?

Yes, you can use custom roles. If you set RESOURCE_SCOPE to the organization, you can use both organization- and project-level custom roles, otherwise you can only use project-level custom roles.

Any update on this?

Yes, I did the analysis and here are all roles that are not grantable on a project:

roles/accessapproval.approver
roles/accesscontextmanager.gcpAccessAdmin
roles/accesscontextmanager.gcpAccessReader
roles/assuredworkloads.admin
roles/assuredworkloads.editor
roles/beyondcorp.partnerServiceDelegateViewer
roles/beyondcorp.subscriptionAdmin
roles/beyondcorp.subscriptionViewer
roles/billing.admin
roles/billing.carbonViewer
roles/billing.costsManager
roles/billing.creator
roles/billing.user
roles/billing.viewer
roles/cloudcontrolspartner.admin
roles/cloudcontrolspartner.editor
roles/cloudcontrolspartner.inspectabilityReader
roles/cloudcontrolspartner.monitoringReader
roles/cloudcontrolspartner.monitoringServiceAgent
roles/cloudcontrolspartner.reader
roles/cloudkms.protectedResourcesViewer
roles/cloudsupport.admin
roles/cloudsupport.viewer
roles/commerceoffercatalog.offersViewer
roles/compute.osLoginExternalUser
roles/compute.xpnAdmin
roles/consumerprocurement.eventsViewer
roles/dlp.orgdriver
roles/gkebackup.delegatedBackupAdmin
roles/gkebackup.delegatedRestoreAdmin
roles/iam.denyAdmin
roles/iam.denyReviewer
roles/iam.organizationRoleAdmin
roles/iam.organizationRoleViewer
roles/iam.workforcePoolAdmin
roles/iam.workforcePoolEditor
roles/iam.workforcePoolViewer
roles/ml.jobOwner
roles/ml.modelOwner
roles/ml.modelUser
roles/ml.operationOwner
roles/orgpolicy.policyAdmin
roles/policyremediatormanager.policyRemediatorAdmin
roles/policyremediatormanager.policyRemediatorReader
roles/privilegedaccessmanager.folderServiceAgent
roles/privilegedaccessmanager.organizationServiceAgent
roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin
roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer
roles/recommender.exporter
roles/resourcemanager.folderAdmin
roles/resourcemanager.folderCreator
roles/resourcemanager.folderEditor
roles/resourcemanager.folderIamAdmin
roles/resourcemanager.folderMover
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.projectCreator
roles/resourcesettings.admin
roles/securedlandingzone.bqdwOrgRemediator
roles/securitycenter.attackPathsViewer
roles/securitycenter.simulationsViewer
roles/securitycenter.valuedResourcesViewer
roles/securityposture.admin
roles/securityposture.postureDeployer
roles/servicemanagement.serviceConsumer
roles/storage.legacyBucketOwner
roles/storage.legacyBucketReader
roles/storage.legacyBucketWriter
roles/storage.legacyObjectOwner
roles/storage.legacyObjectReader
roles/workstations.user

jpassing avatar May 10 '24 04:05 jpassing
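Given that list, an organization-level rollout can be checked up front instead of discovering the 403s role by role. The following is an added example (not code from the jit-access project): it scans an organization IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`, picks out the bindings that JIT Access would surface (those carrying a jitAccessConstraint or multiPartyApprovalConstraint condition), and separates the roles that IAM refuses to grant on a project from the ones that can be activated. `NON_GRANTABLE_ON_PROJECT` is a subset copied from the list above (the full list is in that comment), the sample policy is constructed, and the condition detection is a substring match on the two constraint names, which is a simplification.

```python
"""Flag JIT-eligible role bindings that cannot be activated on a project.

Added example, not code from the jit-access project. Bindings with a
jitAccessConstraint or multiPartyApprovalConstraint condition are surfaced by
JIT Access; if the role is one IAM refuses to grant on a project, activation
fails with HTTP 403. NON_GRANTABLE_ON_PROJECT is a subset of the list posted
in the thread; extend it with the full list before using this for real.
"""

JIT_CONSTRAINT_NAMES = ("jitAccessConstraint", "multiPartyApprovalConstraint")

# Subset of the roles listed in the thread as not grantable on a project.
NON_GRANTABLE_ON_PROJECT = frozenset({
    "roles/billing.admin",
    "roles/billing.viewer",
    "roles/compute.xpnAdmin",
    "roles/iam.organizationRoleAdmin",
    "roles/orgpolicy.policyAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.organizationViewer",
    "roles/resourcemanager.projectCreator",
})

# Constructed organization-level policy (not real data).
SAMPLE_ORG_POLICY = {
    "bindings": [
        {"role": "roles/compute.admin",
         "members": ["user:alice@example.com", "user:bob@example.com"],
         "condition": {"title": "MPA", "expression": "has({}.multiPartyApprovalConstraint)"}},
        {"role": "roles/billing.admin",
         "members": ["user:alice@example.com"],
         "condition": {"title": "JIT", "expression": "has({}.jitAccessConstraint)"}},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["user:bob@example.com", "user:carol@example.com"],
         "condition": {"title": "MPA", "expression": "has({}.multiPartyApprovalConstraint)"}},
        {"role": "roles/resourcemanager.organizationViewer",  # permanent, not JIT
         "members": ["user:carol@example.com"]},
    ]
}


def is_jit_binding(binding):
    """True if the binding's condition names one of the JIT Access constraints."""
    expression = (binding.get("condition") or {}).get("expression") or ""
    return any(name in expression for name in JIT_CONSTRAINT_NAMES)


def jit_roles(policy):
    """Map role -> sorted members for every JIT- or MPA-conditioned binding."""
    roles = {}
    for binding in policy.get("bindings", []):
        if is_jit_binding(binding):
            roles.setdefault(binding["role"], set()).update(binding.get("members", []))
    return {role: sorted(members) for role, members in roles.items()}


def unusable_bindings(policy, non_grantable=NON_GRANTABLE_ON_PROJECT):
    """JIT-surfaced roles whose project-level activation will fail with 403."""
    return {role: members for role, members in jit_roles(policy).items()
            if role in non_grantable}


def usable_roles(policy, non_grantable=NON_GRANTABLE_ON_PROJECT):
    """JIT-surfaced roles that can actually be activated on a project."""
    return sorted(role for role in jit_roles(policy) if role not in non_grantable)


if __name__ == "__main__":
    for role, members in unusable_bindings(SAMPLE_ORG_POLICY).items():
        print(f"will 403 on project activation: {role} -> {', '.join(members)}")
    print("activatable:", usable_roles(SAMPLE_ORG_POLICY))
```

The bindings reported by `unusable_bindings` are the ones worth removing from the JIT-conditioned set (or granting permanently, where that is acceptable) before the rollout, so users never see a role they cannot activate.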

Thank you

Rajeshwaric7 avatar May 15 '24 08:05 Rajeshwaric7

@jpassing ,

I have enabled JIT for all roles at the Org level as below, and a user has activated the role for a particular project. But if the user searches for that project in the Cloud console, it doesn't appear (Screenshot 2).

Also, since I have enabled JIT for all roles, I think the user is not able to see any projects by default.


Rajeshwaric7 avatar May 15 '24 09:05 Rajeshwaric7

For a project to show up in the Cloud Console, you must have the resourcemanager.projects.get permission. That permission could be...

  • Part of a role that you've been granted permanently on the project (many of the predefined roles include it)
  • Part of a role that you activated in JIT Access

However, if you don't have any permanent role bindings and also haven't activated any roles in JIT Access yet, then the project shouldn't show up. Could that be what's happening here?

jpassing avatar May 15 '24 23:05 jpassing