« Back to home

JIT Access JIT Access 1.1 now supports inherited roles and has a new UI

With Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. But a key limitation of the initial release of JIT Access was that it didn’t support inherited role bindings. Version 1.1 removes this limitation and features a new UI. Continue »

Google Cloud Which project's quota are my API calls charged against?

Any call we make against a Google API is charged against a project quota. Depending on the API that we’re using, that project quota might limit the frequency of calls, the total number of calls, or even the number of calls per user. But which project’s quota is it that’s being charged? Continue »

Google Cloud Dealing with partial consent in Google OAuth clients

When we use a tool like gcloud or IAP Desktop for the first time, we need to authorize it. Google Sign-in then shows us a consent screen that lists all the things the tool might do on our behalf, and we can decide whether to consent or deny. But sometimes, we get a third option. Continue »

Google Cloud Authenticating to Cloud Identity's LDAP interface

Posted on

Secure LDAP is a Cloud Identity feature that lets it emulate an LDAP server. From an application’s perspective, Secure LDAP makes Cloud Identity look somewhat similar to Active Directory – but authentication works a little differently. Continue »

JIT Access Enabling just-in-time access to Google Cloud resources

The principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help. Continue »

Google Cloud Doing service account things without a service account key

Before we deploy an application to Google Cloud, we typically want to test it locally. If the application uses Google Cloud APIs, then we somehow need to ensure that the application can authenticate. We could use a service account key for that, but there’s typically a better way. Continue »

Google Cloud Authenticating to Google Cloud using Integrated Windows Authentication, workload identity federation, and SAML-POST

Previously, we explored two ways of authenticating to Google Cloud using Kerberos and NTLM credentials. Both ways involved authenticating to AD FS using Integrated Windows Authentication, and then using workload identity federation. But there’s a third way that we haven’t cover yet – and it involves using the SAML HTTP-POST binding. Continue »

Security Defining privileged access

Posted on

Privileged access is a term we commonly encounter in the realm of access management. The term seems pretty self-explanatory, but finding a good definition isn’t easy. Continue »