Configuration

Johannes Passing edited this page Aug 27, 2024 · 17 revisions

📝 This Wiki page has moved.

For the latest content, see Configuration options on the IAP JIT Access documentation page.

You can customize the behavior of the Just-In-Time Access application by editing the env_variables section of the app.yaml configuration file and redeploying the application.

The Just-In-Time Access application supports the following environment variables:

Each variable is listed with its description, whether it is required, its default value, and the version of JIT Access in which it became available.

Basic configuration

RESOURCE_SCOPE

The organization, folder, or project that JIT Access can access and manage. The resource scope constrains:

  • The set of projects that you can grant just-in-time access to: For example, if you specify a folder or organization as scope, then you can only grant users just-in-time access to projects within this folder or organization.
  • The IAM policies that JIT Access analyzes to determine eligible access: For example, if you specify a folder as scope, JIT Access analyzes the IAM policies of this folder and all its sub-folders and projects to determine eligible access, but ignores IAM policies inherited from the organization node.
  • The types of custom roles that you can use to grant just-in-time access (as an alternative to predefined roles): If you set the resource scope to a folder or project, then you can use custom roles that have been defined in the respective project. If you set the scope to the entire organization, you can use all custom roles, including custom roles that have been defined at the organization level.

You can use one of the following values:

  • organizations/ORGANIZATION_ID (all projects)
  • folders/FOLDER_ID (projects underneath a specific folder, including nested folders)
  • projects/PROJECT_ID (specific project)

For ORGANIZATION_ID, FOLDER_ID, or PROJECT_ID, use the ID of the organization, folder, or project that you're using the application with.

You must grant the application's service account access to the appropriate node of the resource hierarchy.

Required: Yes. Default: the project in which the Just-In-Time Access application is deployed. Available since: 1.0.

RESOURCE_CATALOG

Approach and API to use for finding eligible role bindings.

For more information about catalogs, see Switch to a different catalog.

Required: Yes. Default: PolicyAnalyzer. Available since: 1.6.

RESOURCE_CUSTOMER_ID

Customer ID of your Cloud Identity or Workspace account.

For more information about how to find this ID, see Find your customer ID.

Required: Only for the AssetInventory catalog. Default: none. Available since: 1.6.

ACTIVATION_TIMEOUT (deprecated name: ELEVATION_DURATION)

Duration (in minutes) for which a role remains activated.

The timeout is relative to the time when the user requested access.

Required: Yes. Default: 120. Available since: 1.0.

JUSTIFICATION_HINT

Hint that indicates which kind of justification users are expected to provide.

Required: Yes. Default: Bug or case number. Available since: 1.0.

JUSTIFICATION_PATTERN

A regular expression that a justification has to match.

For example, if you expect users to provide a ticket number in the form CASE-123 as justification, you can use the expression ^CASE-\d+$ to enforce this convention.

Required: Yes. Default: .* (any justification is accepted). Available since: 1.0.

ACTIVATION_REQUEST_MAX_ROLES

Maximum number of roles that users can activate in a single request.

Required: Yes. Default: 10. Available since: 1.4.1.

AVAILABLE_PROJECTS_QUERY

Query to use for the project auto-completer.

When not configured, the application uses the Policy Analyzer API to determine the list of projects shown in the project auto-completer. The auto-completer then only lists projects that the user has eligible access to.

When you configure this variable, the application instead performs a search to determine the list of projects. This method is faster, but can lead to unintended information disclosure, because the auto-completer may suggest projects that the user doesn't have access to.

Set this variable to any query supported by projects.search, for example state:ACTIVE, and grant the service account the Browser role (or an equivalent role that includes the resourcemanager.projects.get permission) on the relevant projects.

Required: No. Default: none. Available since: 1.5.

Multi-party approval (MPA)

ACTIVATION_REQUEST_TIMEOUT

Duration (in minutes) for which an activation request remains valid.

Like ACTIVATION_TIMEOUT, the timeout is relative to the time when the user requested access. ACTIVATION_REQUEST_TIMEOUT therefore must not exceed ACTIVATION_TIMEOUT.

Required: For MPA. Default: 60. Available since: 1.2.

ACTIVATION_REQUEST_MIN_REVIEWERS

Minimum number of reviewers for approval requests.

If you set this to a value larger than 1, users need to select multiple peers when requesting approval, but obtaining approval from a single reviewer is still sufficient to activate access.

Required: For MPA. Default: 1. Available since: 1.4.

ACTIVATION_REQUEST_MAX_REVIEWERS

Maximum number of reviewers for approval requests.

Required: For MPA. Default: 10. Available since: 1.4.

SMTP_HOST

SMTP server to use for delivering notifications.

Required: For MPA. Default: smtp.gmail.com. Available since: 1.2.

SMTP_PORT

SMTP port to use for delivering notifications.

Notice that port 25 is not allowed.

Required: For MPA. Default: 587. Available since: 1.2.

SMTP_SENDER_NAME

Name used as the sender name in notifications.

Required: For MPA. Default: JIT Access. Available since: 1.2.

SMTP_ENABLE_STARTTLS

Enable StartTLS (required by most mail servers).

Required: For MPA. Default: true. Available since: 1.2.

SMTP_SENDER_ADDRESS

Email address to use as the sender of notifications.

Required: For MPA. Default: none. Available since: 1.2.

SMTP_USERNAME

Username for SMTP authentication (only required if your SMTP server requires authentication).

Required: No. Default: none. Available since: 1.2.

SMTP_PASSWORD

Password for SMTP authentication (only required if your SMTP server requires authentication).

If you're using Gmail to deliver emails, this must be an app password.

Required: No. Default: none. Available since: 1.2.

SMTP_SECRET

Path to a Secret Manager secret that contains the password for SMTP authentication. You can use this option as an alternative to SMTP_PASSWORD, which keeps the password out of app.yaml.

The path must be in the format projects/PROJECTID/secrets/SECRETID/versions/latest.

If you're using Gmail to deliver emails, the secret must contain an app password.

Required: No. Default: none. Available since: 1.4.

SMTP_OPTIONS

Comma-separated list of additional JavaMail options for delivering email. For example: mail.smtp.connectiontimeout=60000, mail.smtp.writetimeout=30000

For most mail servers, no additional options are required.

Required: No. Default: none. Available since: 1.2.

Notification settings

NOTIFICATION_TIMEZONE

Timezone to use for dates in notification emails.

The value must be a valid identifier from the IANA Time Zone Database (TZDB), for example Australia/Melbourne or Europe/Berlin.

Required: For MPA. Default: UTC. Available since: 1.2.

NOTIFICATION_TOPIC

Name of a Pub/Sub topic to post notifications to, for example jitaccess-events.

When you configure this variable, JIT Access posts a notification message to the Pub/Sub topic whenever a user self-activates a role, requests MPA approval for a role, or is granted MPA approval. Other applications can consume these messages to implement additional logic, such as posting to chat rooms or triggering additional workflows.

When you don't configure this variable, JIT Access doesn't post any Pub/Sub messages.

The topic must be in the same project as the application.

Required: No. Default: none. Available since: 1.5.

Backend HTTP settings (MPA)

BACKEND_CONNECT_TIMEOUT

Connection timeout for Google API requests, in seconds.

Required: No. Default: 5. Available since: 1.5.

BACKEND_READ_TIMEOUT

Read timeout for Google API requests, in seconds.

Required: No. Default: 20. Available since: 1.5.

BACKEND_WRITE_TIMEOUT

Write timeout for Google API requests, in seconds.

Required: No. Default: 5. Available since: 1.5.
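Several of the variables above constrain each other (ACTIVATION_REQUEST_TIMEOUT must not exceed ACTIVATION_TIMEOUT, port 25 is rejected, RESOURCE_CUSTOMER_ID is needed for the AssetInventory catalog, the SMTP_SECRET path has a fixed shape, and AVAILABLE_PROJECTS_QUERY carries a disclosure risk), and a mistake only surfaces after redeploying. The following preflight lint is an added example, not part of the JIT Access project: it checks an already-parsed env_variables mapping against exactly those documented rules before you redeploy. The sample mapping, the project and secret names in it, and the function names are constructed assumptions.

```python
import re

# Constructed sample of the env_variables section of app.yaml; every value is made up.
ENV_VARIABLES = {
    "RESOURCE_SCOPE": "folders/123456789012",
    "ACTIVATION_TIMEOUT": "120",
    "ACTIVATION_REQUEST_TIMEOUT": "60",
    "JUSTIFICATION_PATTERN": r"^CASE-\d+$",
    "SMTP_PORT": "587",
    "SMTP_SECRET": "projects/example-project/secrets/jit-smtp/versions/latest",
}
SCOPE_RE = re.compile(r"^(organizations|folders|projects)/[^/\s]+$")
SECRET_RE = re.compile(r"^projects/[^/\s]+/secrets/[^/\s]+/versions/[^/\s]+$")


def _int(env, name, default):
    """Parse an integer variable, falling back to the documented default; None if malformed."""
    try:
        return int(env.get(name, default))
    except ValueError:
        return None


def lint_env(env):
    """Return the constraint violations found in an env_variables mapping (empty list = consistent)."""
    findings = []
    if not SCOPE_RE.match(env.get("RESOURCE_SCOPE", "")):
        findings.append("RESOURCE_SCOPE must be organizations/ID, folders/ID or projects/ID")
    if env.get("RESOURCE_CATALOG") == "AssetInventory" and not env.get("RESOURCE_CUSTOMER_ID"):
        findings.append("RESOURCE_CUSTOMER_ID is required for the AssetInventory catalog")
    activation = _int(env, "ACTIVATION_TIMEOUT", 120)
    request = _int(env, "ACTIVATION_REQUEST_TIMEOUT", 60)
    if None in (activation, request):
        findings.append("ACTIVATION_TIMEOUT and ACTIVATION_REQUEST_TIMEOUT must be whole minutes")
    elif request > activation:
        findings.append("ACTIVATION_REQUEST_TIMEOUT must not exceed ACTIVATION_TIMEOUT")
    min_rev = _int(env, "ACTIVATION_REQUEST_MIN_REVIEWERS", 1)
    max_rev = _int(env, "ACTIVATION_REQUEST_MAX_REVIEWERS", 10)
    if None in (min_rev, max_rev) or not 1 <= min_rev <= max_rev:
        findings.append("reviewer bounds must satisfy 1 <= MIN_REVIEWERS <= MAX_REVIEWERS")
    try:
        re.compile(env.get("JUSTIFICATION_PATTERN", ".*"))  # the app applies this as a regex
    except re.error:
        findings.append("JUSTIFICATION_PATTERN is not a valid regular expression")
    if _int(env, "SMTP_PORT", 587) == 25:
        findings.append("SMTP_PORT 25 is not allowed")
    if "SMTP_SECRET" in env and not SECRET_RE.match(env["SMTP_SECRET"]):
        findings.append("SMTP_SECRET must be projects/PROJECTID/secrets/SECRETID/versions/latest")
    if env.get("AVAILABLE_PROJECTS_QUERY"):
        findings.append("AVAILABLE_PROJECTS_QUERY can suggest projects the user has no access to")
    return findings
```

Feed it the env_variables mapping you get from parsing app.yaml (for example with PyYAML) and treat any non-empty result as a reason to stop the redeploy.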