Johannes Passing

Results 135 comments of Johannes Passing

Re (1): When you open the **Policy details** page in the Cloud Console, do you see matching logs and any incidents? When I set up an alerting policy for the...

Thank you for creating this PR and the additional context. I definitely see a need for all 3 features and especially the "external approval" is something that has been brought...

> In our case the recovery email of externals is the correct one, so using that would be a possibility. The regex analysis would still be needed to identify externals...

Note that you can also configure JIT Access to [post notifications to a Pub/Sub topic](https://googlecloudplatform.github.io/jit-access/pubsub-notifications/). You could listen to those notifications and relay them to Slack or other systems.

JIT Access completely relies on IAP for authentication and authorization. To verify that (a) IAP is enabled at all and (b) that a request has indeed been vetted by IAP,...

What should work is to...

1. Manually create the backend:

   ```
   gcloud compute backend-services create jitaccess-backend \
     --load-balancing-scheme=EXTERNAL \
     --global
   ```

2. Let the TF module use the existing backend...

Querying the API to determine the backend ID is an interesting idea, and this approach would avoid the potential security risks of accepting all audiences. We could do that lookup...

[Release 1.8.1](https://github.com/GoogleCloudPlatform/jit-access/releases/tag/1.8.1) now lets you control whether JIT Access should [verify the audience of IAP assertions](https://cloud.google.com/iap/docs/signed-headers-howto) by using the [`IAP_VERIFY_AUDIENCE` configuration option](https://googlecloudplatform.github.io/jit-access/configuration-options/#networking), so I'll close this issue.

I'm a bit torn on this... there's nothing wrong with sharing a load balancer if the other backends are in [different projects](https://cloud.devsite.corp.google.com/load-balancing/docs/https#cross-project). But it's typically not a good idea to...

I agree that this would be useful and it should be pretty straightforward to add a configuration variable for that.