I recently did some thinking about JIT and GCP. The way it works now, it's great for human developers.
On the other hand, my Cloud Build service account requires plenty of privileges to deploy the application. It's a good idea to activate the permissions only when needed.
A potential objective would be to expose the JIT API alongside the GUI web application. It would give users the ability to integrate JIT with their applications.
I will be happy to elaborate more about this subject.
Grant the Cloud Build service account a privileged role and mark it as MPA-eligible.
In each build, let the Cloud Build service account request approval to activate its privileged role.
Block the build until at least one peer approves the request.
I agree that it might make sense to have such an approval workflow for certain CI/CD jobs, particularly if they touch/deploy sensitive resources.
JIT Access has a REST API, but it's currently only intended to be used by its own GUI. But it wouldn't be difficult to expose an "external" API as well.
There might be a few challenges though:
While the build is blocked (and waits for approval), it consumes build minutes, and that might generate costs. The build might also time out while waiting for approval.
The build needs to be signalled (and unblocked) somehow once approval is granted. Alternatively, it might have to periodically call testIamPermissions to verify if access has been granted yet.
APIs differ in how quickly IAM policy changes take effect and for some APIs, it can take up to a minute. So there might be a risk that the build resumes too early, before the granted permissions have fully taken effect.