With Privileged Access Manager in public preview now, there’s little reason to maintain an open-source project that largely provides the same capabilities. But that doesn’t mean JIT Access is going away – instead, the project is changing focus, and its name too.
Continue »
When users sign in to an application that uses Google OAuth or OpenID Connect, they typically see a consent screen. But there’s more than one type of consent screen, and the type of consent screen that users end up seeing not only depends on the publisher, but also on the administrative controls applied on the consumer side
Continue »
Using workload identity federation, we can let Azure-hosted applications authenticate to Google Cloud using their managed identity. That also works for Azure App Services, but it requires a little extra work.
Continue »
Microsoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice.
Continue »
Modern web applications typically use OAuth or OpenID Connect to authenticate users, but older intranet applications often still rely on Integrated Windows Authentication to deliver a single sign-on experience for users. When we migrate such an application to Google Cloud, we must be careful to choose the right load balancer, otherwise authentication might fail in subtle ways.
Continue »
Using workload identity federation, we can let an AWS-hosted application authenticate to Google Cloud using its AWS credentials. That also works for Lambda functions.
Continue »
By combining workload identity federation with a token broker, we can enable workloads and devices to authenticate to Google Cloud using all sorts of credentials, including X.509 client certificates.
Continue »
Workload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be useful to use workload identity federation instead of service account keys. Not all platforms or services support workload identity federation, but it’s not too difficult to change that.
Continue »
Whenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ?
Continue »
With the latest version of Just-in-Time access, we can now demand that users seek approval from a peer before they can activate certain roles.
Continue »
When an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment, there’s a better alternative – we can let it use its domain credentials and “exchange” them against Google credentials. That doesn’t even require custom code anymore.
Continue »
With Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. But a key limitation of the initial release of JIT Access was that it didn’t support inherited role bindings. Version 1.1 removes this limitation and features a new UI.
Continue »
Any call we make against a Google API is charged against a project quota. Depending on the API that we’re using, that project quota might limit the frequency of calls, the total number of calls, or even the number of calls per user. But which project’s quota is it that’s being charged?
Continue »
To implement role-based access control to Google Cloud resources, it’s often useful to create a set of groups, where each group represents a role for a certain set of resources. But how can we automate the management of these groups, without granting our automation too much access?
Continue »
When developing applications that use the Google Cloud API, being able to trace and inspect HTTP requests with a tool like Fiddler can be a great debugging aid. But getting Fiddler to work with the Java client libraries can be a bit tricky.
Continue »
The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. With the latest IAP Desktop release, that got a little easier.
Continue »
When we use a tool like gcloud or IAP Desktop for the first time, we need to authorize it. Google Sign-in then shows us a consent screen that lists all the things the tool might do on our behalf, and we can decide whether to consent or deny. But sometimes, we get a third option.
Continue »
When we run License Tracker for the first time, the tool analyzes the last 90 days of audit logs to determine how many VMs and physical servers we’ve been using. Going back 90 days in history is useful, but can we go back further?
Continue »