https://github.com/lirlia/prel
prel(iminary) is an application that temporarily assigns Google Cloud IAM Roles and includes an approval process.
google-cloud governance-operations iam-role oss security-tools workflow
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/lirlia/prel
- Owner: lirlia
- License: mit
- Created: 2023-12-27T01:30:44.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2026-01-18T22:55:13.000Z (2 months ago)
- Last Synced: 2026-01-19T08:23:26.149Z (2 months ago)
- Topics: google-cloud, governance-operations, iam-role, oss, security-tools, workflow
- Language: Go
- Homepage:
- Size: 1.66 MB
- Stars: 45
- Watchers: 1
- Forks: 0
- Open Issues: 10
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
prel
[test wrapper workflow](https://github.com/lirlia/prel/actions?query=workflow:"test+wrapper") | [releases](https://github.com/lirlia/prel/releases/) | [license](#license)
**This repository is in the experimental stage.**
**Non-backward compatible changes may be made frequently.**
**prel**(iminary) is an application that temporarily assigns Google Cloud IAM Roles and includes an approval process.
It is inspired by [Qray](https://engineering.mercari.com/blog/entry/sre-qray/) from merpay.

**Table Of Contents**
- [Request Sequence](#request-sequence)
- [Getting Started](#getting-started)
- [How to use](#how-to-use)
  - [1. Sign in by Google Account as `Requester`](#1-sign-in-by-google-account-as-requester)
  - [2. Send Request as `Requester`](#2-send-request-as-requester)
  - [3. Judge the Request as `Judger`](#3-judge-the-request-as-judger)
  - [4. Invite new user as `Requester`](#4-invite-new-user-as-requester)
  - [5. Approve Request as `Judger`](#5-approve-request-as-judger)
  - [6. Check Google Cloud IAM setting](#6-check-google-cloud-iam-setting)
- [How to Deploy](#how-to-deploy)
- [`prel` Details](#prel-details)
  - [User Roles](#user-roles)
  - [User Management](#user-management)
    - [Invitation](#invitation)
    - [User Available](#user-available)
- [Running the tests](#running-the-tests)
- [Contributing](#contributing)
- [Versioning](#versioning)
- [License](#license)
- [FAQ](#faq)
  - [Why don't basic roles appear in the role list?](#why-dont-basic-roles-appear-in-the-role-list)
  - [Why are some expected roles not listed?](#why-are-some-expected-roles-not-listed)
  - [What should be stored in the secret manager?](#what-should-be-stored-in-the-secret-manager)
  - [I can't sign-in locally due to a `Invalid Argument` error](#i-cant-sign-in-locally-due-to-a-invalid-argument-error)
## Request Sequence
```mermaid
sequenceDiagram
actor Requester
actor Judger
participant PreliminarySystem as prel
participant NotificationSystem as Slack
participant CloudService as Google Cloud
Requester ->> PreliminarySystem: Submit Request
PreliminarySystem ->> NotificationSystem: Send Notification
Judger ->> PreliminarySystem: Approve Request
PreliminarySystem ->> CloudService: Assign IAM Roles to Requester
PreliminarySystem ->> NotificationSystem: Send Notification
Requester ->> CloudService: Access with New Permissions
```
## Getting Started
- [start manual](/docs/getting-started-manual.md)
## How to use
> [!CAUTION]
> The screenshots in this section are not up to date.
### 1. Sign in by Google Account as `Requester`
Log in with your Google Account.
This user will be referred to as the **requester**. If login fails, review the OAuth consent settings.
After logging in, a request form will appear.

### 2. Send Request as `Requester`
Select the Project ID, and a list of available Roles for that project will appear.
Please select the necessary Roles (multiple selections possible).

Set the Period to `1h` for the subsequent steps (if the period is too short, the request will expire before you finish).
Once finished, press the Request button. You will then be redirected to the Pending page.

At this time, a notification is sent to Slack.
### 3. Judge the Request as `Judger`
Sign in to http://localhost:8181 with a different browser (not sharing the session).
This user will be referred to as the **judger**.
A `Not Invited` error will appear.
In this app, an invitation is mandatory for all users after the first registered user.
### 4. Invite new user as `Requester`
Now, return to the **requester's** screen and access http://localhost:8181/admin/user.
An invitation input area will be at the top right, where you should enter the **judger's** email address.

At this point, set the permission to `judger` and then press the Invite button.
### 5. Approve Request as `Judger`
Then, re-login as the **judger** and access http://localhost:8181/request.
You will see options to Approve / Reject. Let's try Approving.

### 6. Check Google Cloud IAM setting
If you have the correct Google Cloud permissions, [IAM](https://console.cloud.google.com/iam-admin/iam) will be updated with a time condition on the new binding, and a notification will be sent to Slack.
## How to Deploy
- [deploy manual](/docs/deploy-manual.md)
## `prel` Details
### User Roles
| role \ action | request | judge (approve/reject) | delete own request (only pending status) | delete others' request (only pending status) | judge own request |
| :-----------: | :-----: | :--------------------: | :--------------------------------------: | :------------------------------------------: | :---------------: |
| requester | ⭕️ | - | ⭕️ | - | - |
| judger | ⭕️ | ⭕️ | ⭕️ | - | - |
| admin | ⭕️ | ⭕️ | ⭕️ | ⭕️ | - |

Only the admin role can invite users.
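As an added illustration of this matrix (example code, not prel's own implementation), the following Go function encodes the table as a single authorization check. The `Request` model, the status name `pending`, and the rule that only pending requests can be judged are assumptions made for the example; the column "judge own request" is what prevents a judger or admin from approving their own grant.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is one of the prel user roles from the User Roles table.
type Role string

const (
	Requester Role = "requester"
	Judger    Role = "judger"
	Admin     Role = "admin"
)

// Action is something a signed-in user tries to do.
type Action string

const (
	ActRequest Action = "request" // submit a new request
	ActJudge   Action = "judge"   // approve or reject a request
	ActDelete  Action = "delete"  // delete a request
	ActInvite  Action = "invite"  // invite a new user
)

// Request is a minimal request model assumed for this example (not prel's own type).
type Request struct {
	Requester string // e-mail of the user who submitted it
	Status    string // "pending" or a terminal state; only "pending" matters here (assumed name)
}

// ErrDenied wraps every refusal so callers can log and match it uniformly.
var ErrDenied = errors.New("denied")

// Authorize applies the matrix. actor is the signed-in user's e-mail and req
// is the request being acted on (nil for ActRequest and ActInvite).
func Authorize(actor string, role Role, action Action, req *Request) error {
	deny := func(why string) error {
		return fmt.Errorf("%w: %s %s: %s", ErrDenied, role, action, why)
	}
	switch action {
	case ActRequest:
		return nil // every role may submit a request
	case ActInvite:
		if role != Admin {
			return deny("only admin can invite users")
		}
		return nil
	}
	if req == nil {
		return deny("no request given")
	}
	own := req.Requester == actor
	switch action {
	case ActJudge:
		if role != Judger && role != Admin {
			return deny("role cannot judge")
		}
		if own {
			return deny("cannot judge own request") // the "judge own request" column
		}
		if req.Status != "pending" {
			return deny("request is not pending") // assumed: only pending requests are judged
		}
		return nil
	case ActDelete:
		if req.Status != "pending" {
			return deny("only pending requests can be deleted")
		}
		if own || role == Admin {
			return nil
		}
		return deny("only admin may delete others' requests")
	}
	return deny("unknown action")
}

// Allowed is a boolean convenience wrapper around Authorize.
func Allowed(actor string, role Role, action Action, req *Request) bool {
	return Authorize(actor, role, action, req) == nil
}

func main() {
	pending := &Request{Requester: "alice@example.com", Status: "pending"}
	checks := []struct {
		actor  string
		role   Role
		action Action
	}{
		{"alice@example.com", Requester, ActDelete},
		{"bob@example.com", Requester, ActDelete},
		{"alice@example.com", Judger, ActJudge},
		{"carol@example.com", Judger, ActJudge},
		{"dave@example.com", Admin, ActDelete},
		{"carol@example.com", Judger, ActInvite},
	}
	for _, c := range checks {
		fmt.Printf("%-18s %-9s %-7s -> %v\n", c.actor, c.role, c.action,
			Authorize(c.actor, c.role, c.action, pending))
	}
}
```

Keeping the whole matrix in one function, with a wrapped sentinel error, means every handler denies in the same way and the reason is available to the audit log.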
### User Management
#### Invitation
The first user to sign in is given the `Admin` role; every later user must be invited before they can participate.
**The email address of the Google Account** is needed for the invitation. Please note that no notifications, such as email, are sent; after inviting, the administrator should inform the invitee.
**Regular expressions, Google Groups, service accounts, or other non-user principals are not supported.**
The invitation is valid for `7 days`. After that it becomes invalid and the user must be invited again.
---
#### User Available
This setting enables or disables a user. Disabled users cannot sign in or perform any operations; re-enabling them restores their access.
## Running the tests
```bash
make test
```
prel has the following tests:
- unit test
- integration test
- e2e test
## Contributing
Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us.
## Versioning
We use [SemVer](http://semver.org/) for versioning.
For the versions available, see the [tags on this repository](https://github.com/lirlia/prel/tags).
## License
Released under [MIT](/LICENSE) by [@lirlia](https://github.com/lirlia).
## FAQ
### Why don't basic roles appear in the role list?
In Google Cloud, role bindings that use IAM Conditions are not permitted for basic roles, so they are not displayed.
### Why are some expected roles not listed?
This could be due to any of the following reasons:
- The role is not appearing because the API in Google Cloud is not enabled (for example, if the Spanner API is disabled, Spanner Roles will not be displayed).
- The role is not among the [grantable roles](https://cloud.google.com/iam/docs/viewing-grantable-roles?hl=en) in the target project.
- The role name partially matches `[sS]erviceAgent` (these roles are only assignable to service accounts and are therefore not displayed).
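The following Go program is added here as an example and is not code from the prel repository. It applies the two filtering rules above (basic roles are dropped because they cannot carry an IAM Condition, and anything matching `[sS]erviceAgent` is dropped), builds the kind of time-conditioned binding that step 6 of "How to use" refers to, and audits a policy document for temporary bindings whose condition has already lapsed. The struct shapes mirror the `bindings[].condition` object of a Google Cloud IAM policy and the CEL `request.time < timestamp(...)` expression; the condition title, the sample policy and the role list are constructed for the example, and the input to `FilterRoles` is assumed to be the output of the grantable-roles listing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"time"
)

// basicRoles are Google Cloud's basic roles; IAM refuses conditional
// bindings on them, which is why prel never lists them.
var basicRoles = map[string]bool{"roles/owner": true, "roles/editor": true, "roles/viewer": true}

// serviceAgentRe is the README's `[sS]erviceAgent` exclusion rule.
var serviceAgentRe = regexp.MustCompile(`[sS]erviceAgent`)

// FilterRoles returns, sorted, the subset of grantable role names a requester
// could ask for. Input is assumed to be the grantable-roles listing for the project.
func FilterRoles(grantable []string) []string {
	out := make([]string, 0, len(grantable))
	for _, r := range grantable {
		if basicRoles[r] || serviceAgentRe.MatchString(r) {
			continue
		}
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// Condition, Binding and Policy mirror the JSON shape of an IAM policy with
// conditional bindings ("expression" holds a CEL expression).
type Condition struct {
	Title      string `json:"title"`
	Expression string `json:"expression"`
}

type Binding struct {
	Role      string     `json:"role"`
	Members   []string   `json:"members"`
	Condition *Condition `json:"condition,omitempty"`
}

type Policy struct {
	Bindings []Binding `json:"bindings"`
}

// TemporaryBinding builds a binding granting role to userEmail until now+period.
// Basic roles are refused here rather than letting the IAM API reject them later.
func TemporaryBinding(role, userEmail string, now time.Time, period time.Duration) (Binding, error) {
	if basicRoles[role] {
		return Binding{}, fmt.Errorf("basic role %s cannot be bound with an IAM Condition", role)
	}
	expiry := now.Add(period).UTC().Format(time.RFC3339)
	return Binding{
		Role:    role,
		Members: []string{"user:" + userEmail},
		Condition: &Condition{
			Title:      "prel temporary grant", // title text is an assumption for the example
			Expression: fmt.Sprintf(`request.time < timestamp("%s")`, expiry),
		},
	}, nil
}

var expiryRe = regexp.MustCompile(`^request\.time < timestamp\("([^"]+)"\)$`)

// ExpiresAt extracts the expiry from a binding whose condition has exactly the
// single-timestamp shape produced above; ok is false for any other binding.
func ExpiresAt(b Binding) (time.Time, bool) {
	if b.Condition == nil {
		return time.Time{}, false
	}
	m := expiryRe.FindStringSubmatch(b.Condition.Expression)
	if m == nil {
		return time.Time{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	return t, err == nil
}

// StaleBindings returns the temporary bindings in a policy document whose
// expiry is already past: IAM no longer honours them, but they stay in the
// policy until removed, so an audit job should flag them.
func StaleBindings(policyJSON []byte, now time.Time) ([]Binding, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var stale []Binding
	for _, b := range p.Bindings {
		if exp, ok := ExpiresAt(b); ok && !now.Before(exp) {
			stale = append(stale, b)
		}
	}
	return stale, nil
}

// samplePolicy is a constructed policy document for the demo, not a real export.
const samplePolicy = `{"bindings":[
 {"role":"roles/storage.objectViewer","members":["user:alice@example.com"],
  "condition":{"title":"prel temporary grant","expression":"request.time < timestamp(\"2024-01-01T13:00:00Z\")"}},
 {"role":"roles/spanner.databaseUser","members":["user:bob@example.com"],
  "condition":{"title":"prel temporary grant","expression":"request.time < timestamp(\"2024-01-02T09:00:00Z\")"}},
 {"role":"roles/viewer","members":["group:sre@example.com"]}
]}`

func main() {
	fmt.Println(FilterRoles([]string{"roles/owner", "roles/compute.serviceAgent", "roles/storage.objectViewer"}))
	b, _ := TemporaryBinding("roles/storage.objectViewer", "alice@example.com", time.Now(), time.Hour)
	out, _ := json.MarshalIndent(b, "", "  ")
	fmt.Println(string(out))
	stale, _ := StaleBindings([]byte(samplePolicy), time.Date(2024, 1, 1, 14, 0, 0, 0, time.UTC))
	for _, s := range stale {
		fmt.Println("stale:", s.Role, s.Members)
	}
}
```

The expiry is always written in UTC (`Z`) so that the audit comparison does not depend on the timezone of the machine that created the grant, and `ExpiresAt` deliberately refuses any expression it does not recognise rather than guessing, so hand-written conditions are never mistaken for prel grants.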
### What should be stored in the secret manager?
- the OAuth client secret
- the Slack notification URL
### I can't sign-in locally due to a `Invalid Argument` error
This is likely due to a discrepancy caused by deleting the database while the browser still retains cookies.
Please delete the cookies for this app.