JIT Groups, or what's next for the JIT Access projectWith Privileged Access Manager in public preview now, there’s little reason to maintain an open-source project that largely provides the same capabilities. But that doesn’t mean JIT Access is going away – instead, the project is changing focus, and its name too. Continue »
Best practices for securing SSH access to VM instancesAllowing users to connect to Google Cloud VMs using SSH is convenient and often unavoidable. But it’s not without risks. Continue »
Authenticating to Google Cloud from Azure App ServicesUsing workload identity federation, we can let Azure-hosted applications authenticate to Google Cloud using their managed identity. That also works for Azure App Services, but it requires a little extra work. Continue »
Microsoft recommending IAP DesktopMicrosoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice. Continue »
Using Integrated Windows Authentication over a Google Cloud load balancerModern web applications typically use OAuth or OpenID Connect to authenticate users, but older intranet applications often still rely on Integrated Windows Authentication to deliver a single sign-on experience for users. When we migrate such an application to Google Cloud, we must be careful to choose the right load balancer, otherwise authentication might fail in subtle ways. Continue »
Authenticating to Google Cloud from an AWS Lambda functionUsing workload identity federation, we can let an AWS-hosted application authenticate to Google Cloud using its AWS credentials. That also works for Lambda functions. Continue »
Authenticate workloads and devices to Google Cloud using mTLSBy combining workload identity federation with a token broker, we can enable workloads and devices to authenticate to Google Cloud using all sorts of credentials, including X.509 client certificates. Continue »
Extending a platform or service to support workload identity federationWorkload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be useful to use workload identity federation instead of service account keys. Not all platforms or services support workload identity federation, but it’s not too difficult to change that. Continue »
All access tokens aren't created equalWhenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ? Continue »
Multi-party approval with JIT Access 1.2With the latest version of Just-in-Time access, we can now demand that users seek approval from a peer before they can activate certain roles. Continue »
New documentation and tool support for authenticating to Google Cloud from an Active Directory environmentWhen an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment, there’s a better alternative – we can let it use its domain credentials and “exchange” them against Google credentials. That doesn’t even require custom code anymore. Continue »
JIT Access 1.1 now supports inherited roles and has a new UIWith Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. But a key limitation of the initial release of JIT Access was that it didn’t support inherited role bindings. Version 1.1 removes this limitation and features a new UI. Continue »
Using Fiddler to inspect Java client library requestsWhen developing applications that use the Google Cloud API, being able to trace and inspect HTTP requests with a tool like Fiddler can be a great debugging aid. But getting Fiddler to work with the Java client libraries can be a bit tricky. Continue »
Remotely joining VM instances to Active Directory using IAP Desktop 2.31The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. With the latest IAP Desktop release, that got a little easier. Continue »
Retroactively analyzing more than 90 days of VM and sole-tenant node usageWhen we run License Tracker for the first time, the tool analyzes the last 90 days of audit logs to determine how many VMs and physical servers we’ve been using. Going back 90 days in history is useful, but can we go back further? Continue »
Tracking VM and sole-tenant node usage for license reportingWhen we bring our own Windows licenses to Google Cloud, we must keep track of the number of physical servers that we’re using those licenses on. By using sole-tenant nodes, we can control which nodes our VMs run on, but nodes aren’t the same as physical servers. Continue »
Best practices for using service accounts in deployment pipelinesTo deploy software or infrastructure automatically, many deployment pipelines need access to Google Cloud, so we let the pipelines use a service account. The more we rely on deployment pipelines and their service accounts, the more extensive and privileged their access to Google Cloud can become. And that creates new risks. Continue »
Enabling just-in-time access to Google Cloud resourcesThe principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help. Continue »
Keeping track of SSH keys using IAP Desktop 2.26When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
Docking and floating RDP windows in IAP Desktop 2.25IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now. Continue »