{"id":26555853,"url":"https://github.com/GoogleCloudPlatform/jit-groups","last_synced_at":"2025-03-22T11:02:41.677Z","repository":{"id":37889982,"uuid":"454281760","full_name":"GoogleCloudPlatform/jit-groups","owner":"GoogleCloudPlatform","description":"JIT Groups is an open source application that lets you implement secure, self-service access management for Google Cloud using groups.","archived":false,"fork":false,"pushed_at":"2024-12-13T15:13:21.000Z","size":9642,"stargazers_count":243,"open_issues_count":21,"forks_count":45,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-12-18T08:41:01.105Z","etag":null,"topics":["gcp","google-cloud","iam","privileged-access-management","security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-01T06:16:00.000Z","updated_at":"2024-12-12T12:31:05.000Z","dependencies_parsed_at":"2024-01-08T02:56:26.245Z","dependency_job_id":"bed9f25c-f96d-4398-92d6-1f0f79b6ac3a","html_url":"https://github.com/GoogleCloudPlatform/jit-groups","commit_stats":null,"previous_names":["googlecloudplatform/jit-groups","googlecloudplatform/jit-access"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fjit-groups","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fjit-groups/tags","releases_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fjit-groups/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fjit-groups/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/jit-groups/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244498543,"owners_count":20462345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","google-cloud","iam","privileged-access-management","security"],"created_at":"2025-03-22T11:01:33.977Z","updated_at":"2025-03-22T11:02:41.646Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# JIT Groups\n\n\nJIT Groups is an open source application that lets you implement secure, self-service\naccess management for Google Cloud using groups.\n\n[\u003cimg src=\"doc/documentation.png\"\u003e](https://googlecloudplatform.github.io/jit-groups/)\n\n\u003e [!NOTE]\n\u003e JIT Groups supersedes the [JIT Access](https://googlecloudplatform.github.io/jit-groups/jitaccess-overview/) project, which has largely outlived its purpose as\n\u003e privileged access management\n\u003e [is now available as a platform feature in Google Cloud](https://cloud.google.com/iam/docs/pam-overview).\n\u003e \n\u003e JIT Groups addresses an adjacent, but different use case -- self-service\n\u003e access management, or 
_entitlement management_, for all types of Google Cloud access, not only privileged access. \n\u003e If you're currently using JIT Access, you can continue to do so. But we encourage you to consider \n\u003e [upgrading to JIT Groups](https://googlecloudplatform.github.io/jit-groups/jitaccess-upgrade/) or migrating to PAM.\n\n\n## Bundle access by job function\n\n**As a user**, you often need a combination of IAM roles to perform a certain job function or role,\nand you might also need access to more than a single project.\n\n**As an administrator**, you can use JIT Groups to create _access bundles_ -- groups that combine all\naccess required to perform a certain job function or role -- and let the application automate the\nprocess of creating the groups and provisioning the necessary IAM policies.\n\n## Let users discover groups and access\n\n\u003ca href='https://googlecloudplatform.github.io/jit-groups/images/jitgroups-discover.png'\u003e\n  \u003cimg alt='Discover groups' src='https://googlecloudplatform.github.io/jit-groups/images/jitgroups-discover-350.png' align='right'\u003e\n\u003c/a\u003e\n\n**As a user**, you can browse and discover available groups in a self-service fashion.\n\n**As an administrator**, you can control which groups users are allowed to discover and join,\nand which conditions they need to meet to join individual groups.\n\n\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\n\u003cimg src='https://googlecloudplatform.github.io/jit-groups/images/pix.gif' style='width: 100%; height: 1px'\u003e\n\n## Let users activate time-bound access\n\n\u003ca href='https://googlecloudplatform.github.io/jit-groups/images/jitgroups-groupdetails.png'\u003e\n  \u003cimg alt='Request form' src='https://googlecloudplatform.github.io/jit-groups/images/jitgroups-groupdetails-300.png' align='right'\u003e\n\u003c/a\u003e\n\n**As a user**, you can join a group to obtain time-bound access to Google Cloud 
resources.\n\n**As an administrator**, you can decide whether users need approval to join a group, or whether they're\nallowed to join without approval. You can also control the time period for which access is granted, and which\nadditional constraints users need to satisfy.\n\n\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e\n\u003cimg src='https://googlecloudplatform.github.io/jit-groups/images/pix.gif' style='width: 100%; height: 1px'\u003e\n\n## Use GitOps to manage groups and policies\n\n\u003ca href='https://googlecloudplatform.github.io/jit-groups/images/process.svg'\u003e\n  \u003cimg alt='DevOps Process' src='https://googlecloudplatform.github.io/jit-groups/images/process-450.png' align='right'\u003e\n\u003c/a\u003e\n\n**As an administrator**, you manage groups and their settings using [policy documents](https://googlecloudplatform.github.io/jit-groups/policy-reference/),\nwhich are YAML documents.\n\nYou can use a GitOps workflow to manage and deploy these policy documents, similar to how\nyou manage your infrastructure as code.\n\n**As a user**, you can use the JIT Groups web interface to discover and join groups, and to approve\nother users' join requests -- no code or Git knowledge required.\n\n\u003cimg src='https://googlecloudplatform.github.io/jit-groups/images/pix.gif' style='width: 100%; height: 1px'\u003e\n\n## Secure your groups\n\nJIT Groups uses Cloud Identity [security groups](https://support.google.com/a/answer/10607394) and\n[adjusts their settings](https://support.google.com/groups/answer/2464926?hl=en#advanced)\nto make them safe for use in Cloud IAM allow policies, deny policies, and permission access boundaries.\n\nUsing security groups is a step up from using _discussion forum_ groups, which provisioning tools such as\nEntra ID and Okta typically use. 
While discussion forum groups are suitable for managing _organizational groups_,\nthey provide fewer security safeguards than security groups and are therefore not well-suited for managing access to\nresources.\n\n## Separate organizational groups and access groups\n\nJIT Groups can help you separate organizational groups and access groups:\n\n+   **Organizational groups** are groups that model the organizational structure, and they're often based on\n    departments, teams, or reporting structures. You can continue to manage these groups using Entra ID, Okta,\n    or an HRIS and provision them to Cloud Identity.\n\n\u003ca href='https://googlecloudplatform.github.io/jit-groups/images/group-structure.svg'\u003e\n  \u003cimg alt='Group structure' src='https://googlecloudplatform.github.io/jit-groups/images/group-structure-450.png' align='right'\u003e\n\u003c/a\u003e\n\n+   **Access groups** are groups that model job functions or roles, and they're used to control access to\n    resources.\n\n    You can let JIT Groups manage these groups, and control which users and organizational groups\n    are allowed to join them.\n\n## Audit group membership\n\n**As an administrator or auditor**, you can use Cloud Logging to review the JIT Groups audit log. The audit log tracks all events\nrelated to users joining groups or approving membership requests and contains detailed information about:\n\n* the user's identity\n* the affected group\n* the information provided by the user, such as a justification or ticket number\n* the user's device, including satisfied [access levels](https://cloud.google.com/access-context-manager/docs/manage-access-levels)\n\n## Deploy on App Engine or Cloud Run\n\nJIT Groups is a Java application and runs on App Engine (standard) and Cloud Run. 
The application\nis stateless and uses [Identity-Aware Proxy](https://cloud.google.com/iap/docs/concepts-overview)\nfor authentication and authorization, and the [Cloud Identity API](https://cloud.google.com/identity/docs/reference/rest) and\n[IAM API](https://cloud.google.com/iam/docs/reference/rest) to manage groups and access.\n\nFor detailed instructions on deploying Just-In-Time Access, see [Deploy JIT Groups](https://googlecloudplatform.github.io/jit-groups/jitgroups-deploy/).\n\n--- \n\n_Just-In-Time Access is an open-source project and not an officially supported Google product._\n\n_All files in this repository are under the\n[Apache License, Version 2.0](LICENSE.txt) unless noted otherwise._\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGoogleCloudPlatform%2Fjit-groups","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGoogleCloudPlatform%2Fjit-groups","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGoogleCloudPlatform%2Fjit-groups/lists"}