Time limited, auto-expiring group memberships for users on Google Cloud

A script in golang that demonstrates how to give a user temporary, time-limited membership in a Google Group (firecall access, just-in-time access).

You can use this to grant on-demand firecall access based on Google Groups.

For example, if you need to give a specific user access to a GCP resource for a limited amount of time, you can:

  • A. Grant the user IAM bindings directly on the necessary resources
  • B. Add an IAM binding with a date/time condition
  • C. Add the user to a group that already has access to the resources
  • D. Grant the user an IAM binding that lets them impersonate a service account which has access

The issue with A is that you have to remember to revoke and renew the access manually. D has the same problem as A: the impersonation binding on the service account still has to be revoked by hand.

With B you will be left with lingering, expired conditional bindings on the resource, and you have to apply the same condition to every resource that should be accessed. IAM conditions are also only supported on certain resource types. Note as well the limits on the number of bindings per IAM policy and on the size of a condition expression.

So that leaves option C: create a Google Group that has access to the resources and control the membership of that group. A feature of the Cloud Identity Groups API that makes this a lot easier to manage is the auto-expiring group membership capability:

With this, you can at least revoke access in an automated way.

The concept is certainly nothing new, and there are commercial systems that do this for a living (CyberArk, for example).

This repo is NOT supported by Google. caveat emptor

You can find the full code here

This sample shows how you can use the golang API client to set a time-limited group membership, and through it time-limited access to a resource.

Golang

It's pretty simple, really: just set the expiryDetail field on the role when adding a user to a group. That signals Google to remove the user from the group automatically once the expiry time passes:

The net output should be like this:
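The gist the article embeds at this point is not reproduced here. As an added example (my code, not the article's script), the following stand-alone Go program builds the same kind of membership with an expiryDetail and sends it to the Cloud Identity memberships.create endpoint using only the standard library. The endpoint path and JSON field names follow the public Cloud Identity v1 REST reference; what it assumes is that you hand it an already-authenticated http.Client (for example one obtained from golang.org/x/oauth2/google with the cloud-identity.groups scope). The group resource name groups/02grqrue4gb58m7 and the user are the ones the article uses in its Terraform snippet. The TTL ceiling (maxTTL) is a check on the issuing side that I added; it is not something the article describes.

```go
// Added example (not the article's own code): build and send the Cloud Identity
// memberships.create request that carries expiryDetail, so Google removes the
// member automatically once expireTime passes. It uses only the standard library;
// the endpoint and JSON field names follow the public Cloud Identity v1 REST
// reference (the official Go client, google.golang.org/api/cloudidentity/v1,
// exposes the same fields as Membership.Roles[i].ExpiryDetail.ExpireTime).
// Assumed: the caller supplies an authenticated *http.Client (e.g. from
// golang.org/x/oauth2/google with the cloud-identity.groups scope).
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"
)

// The subset of the v1 Membership resource that a timed grant needs.
type Membership struct {
	PreferredMemberKey EntityKey        `json:"preferredMemberKey"`
	Roles              []MembershipRole `json:"roles"`
}
type EntityKey struct{ ID string `json:"id"` }
type MembershipRole struct {
	Name         string        `json:"name"` // MEMBER, MANAGER or OWNER
	ExpiryDetail *ExpiryDetail `json:"expiryDetail,omitempty"`
}
type ExpiryDetail struct{ ExpireTime string `json:"expireTime"` } // RFC 3339, UTC

// Operation is the long-running operation that memberships.create returns.
type Operation struct {
	Name  string                              `json:"name"`
	Done  bool                                `json:"done"`
	Error *struct{ Code int; Message string } `json:"error,omitempty"`
}

// NewTimedMembership builds a MEMBER grant for user that expires ttl after now.
// It rejects non-positive or oversized TTLs so a typo cannot mint a near-permanent grant.
func NewTimedMembership(user string, now time.Time, ttl, maxTTL time.Duration) (Membership, error) {
	if ttl <= 0 || ttl > maxTTL {
		return Membership{}, fmt.Errorf("ttl %s is outside (0, %s]", ttl, maxTTL)
	}
	return Membership{
		PreferredMemberKey: EntityKey{ID: user},
		Roles: []MembershipRole{{Name: "MEMBER",
			ExpiryDetail: &ExpiryDetail{ExpireTime: now.Add(ttl).UTC().Format(time.RFC3339)}}},
	}, nil
}

// AddTimedMember POSTs m to {baseURL}/v1/{group}/memberships, where group is the
// resource name "groups/<id>" and baseURL is https://cloudidentity.googleapis.com
// in production (an httptest server in the test).
func AddTimedMember(ctx context.Context, c *http.Client, baseURL, group string, m Membership) (*Operation, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, baseURL+"/v1/"+group+"/memberships", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("memberships.create: HTTP %d: %s", resp.StatusCode, raw)
	}
	var op Operation
	if err := json.Unmarshal(raw, &op); err != nil {
		return nil, err
	}
	if op.Error != nil {
		return &op, fmt.Errorf("memberships.create: %d %s", op.Error.Code, op.Error.Message)
	}
	return &op, nil
}

func main() {
	m, err := NewTimedMembership("user1@esodemoapp2.com", time.Now(), 5*time.Minute, 8*time.Hour)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(b)) // the JSON body that would be sent to memberships.create
}
```

The expireTime must be an RFC 3339 UTC timestamp, which is why the constructor formats it itself instead of letting the caller pass a string. With the official client library the same Membership shape goes to svc.Groups.Memberships.Create(group, membership); swap the http.Client and base URL for production use.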

Terraform

You could potentially use terraform as a management layer for adding/removing users.

The biggest issue with auto-expiring users through Terraform is that once Terraform has added a member, a different process (Google's expiry) later modifies that resource, which leaves the Terraform state out of sync with reality. I'm keeping this here for documentation in case it's useful.

Besides, at the moment (10/16/21) the Terraform provider for cloud_identity_group membership does NOT expose the expiry parameter when adding users.

It would need to be added as a parameter in the magic-modules API definition here:

https://github.com/GoogleCloudPlatform/magic-modules/blob/master/mmv1/products/cloudidentity/api.yaml#L248

I imagine it may look like this, if this is even a legitimate thing to do with Terraform… so I filed issue 10343:

resource "google_cloud_identity_group_membership" "cloud_identity_group_membership_basic" {
  group = "groups/02grqrue4gb58m7"
  preferred_member_key {
    id = "user1@esodemoapp2.com"
  }
  roles {
    name = "MEMBER"
    expiry_detail {
      expire_time = "2014-10-02T15:01:23Z"
    }
  }
}

Logging

Changes show up in the Workspace audit logs (in Cloud Logging, under the organization's cloudaudit.googleapis.com/activity log), but with fairly high latency, on the order of minutes to hours.

The filter you can use would be something like this:

protoPayload.serviceName="cloudidentity.googleapis.com"
logName: "organizations/673208786098/logs/cloudaudit.googleapis.com%2Factivity"
resource.type="audited_resource"

which you can also read with gcloud (of course, replace the org ID with your own):

$ gcloud logging read --organization=673208786098 'protoPayload.serviceName="cloudidentity.googleapis.com" AND resource.type="audited_resource"'

Add User:

insertId: 41616e8ca214107f662ac4cfddb7ae0c
logName: organizations/673208786098/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
  '@type': type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: admin@esodemoapp2.com
  authorizationInfo:
  - granted: true
    permission: cloudidentity.membership.update
    resource: cloudidentity.googleapis.com/groups/345595908567
  metadata:
    '@type': type.googleapis.com/google.cloud.audit.GroupAuditMetadata
    group: group:group1_3@esodemoapp2.com
    membershipDelta:
      member: user:user1@esodemoapp2.com
      roleDeltas:
      - action: ADD
        role: MEMBER
  methodName: google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership
  requestMetadata:
    callerIp: 1.2.3.4
    callerSuppliedUserAgent: google-api-go-client/0.5,gzip(gfe),gzip(gfe)
  resourceName: groups/group1_3@esodemoapp2.com
  serviceName: cloudidentity.googleapis.com
receiveTimestamp: '2021-10-16T12:04:32.072691150Z'
resource:
  labels:
    method: google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership
    service: cloudidentity.googleapis.com
  type: audited_resource
severity: NOTICE
timestamp: '2021-10-16T12:04:31.503723Z'

Auto-remove User (note the principalEmail and the empty requestMetadata, which is how the expiry-driven removal can be told apart from the manual add above):

insertId: bfebbcb6070346a1ff84f54fc3d7d17c
logName: organizations/673208786098/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
  '@type': type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: cloud-support@google.com
  authorizationInfo:
  - granted: true
    permission: cloudidentity.membership.update
    resource: cloudidentity.googleapis.com/groups/345595908567
  metadata:
    '@type': type.googleapis.com/google.cloud.audit.GroupAuditMetadata
    group: group:group1_3@esodemoapp2.com
    membershipDelta:
      member: user:user1@esodemoapp2.com
      roleDeltas:
      - action: REMOVE
        role: MEMBER
  methodName: google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership
  requestMetadata: {}
  resourceName: groups/group1_3@esodemoapp2.com
  serviceName: cloudidentity.googleapis.com
receiveTimestamp: '2021-10-16T12:09:31.861301264Z'
resource:
  labels:
    method: google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership
    service: cloudidentity.googleapis.com
  type: audited_resource
severity: NOTICE
timestamp: '2021-10-16T12:09:31.353801Z'
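As an added example (my code, not the article's), here is a small Go detector that runs over those entries in the JSON form that gcloud logging read --format=json emits (the YAML above is gcloud's default rendering of the same records). It pairs each ADD with the matching REMOVE for a member, distinguishes the expiry-driven removal from a manual one, and flags any membership still open past a maximum TTL. The assumption that an automatic removal shows up with principalEmail cloud-support@google.com and an empty requestMetadata is taken from the single auto-remove entry above and should be checked against your own logs. The sample entries are constructed: two mirror the records above, the third is an invented ADD of a second user that is never removed.

```go
// Added example, not the article's code: a detector over the Cloud Identity audit
// entries that `gcloud logging read --organization=<ORG_ID> --format=json` returns for
// the filter above. It pairs each MEMBER ADD with its REMOVE, tells expiry-driven
// removals from manual ones, and flags grants still open past a TTL. Assumption (from
// the one auto-remove entry shown above): an expiry removal has principalEmail
// cloud-support@google.com and an empty requestMetadata.
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// AuditEntry covers only the fields the detector reads (gcloud JSON names; untagged
// fields such as Action and Role match their JSON keys case-insensitively).
type AuditEntry struct {
	Timestamp    time.Time `json:"timestamp"`
	ProtoPayload struct {
		AuthenticationInfo struct{ PrincipalEmail string } `json:"authenticationInfo"`
		RequestMetadata    map[string]json.RawMessage   `json:"requestMetadata"`
		Metadata           struct {
			Group           string `json:"group"`
			MembershipDelta struct {
				Member     string                         `json:"member"`
				RoleDeltas []struct{ Action, Role string } `json:"roleDeltas"` // ADD|REMOVE, MEMBER|MANAGER|OWNER
			} `json:"membershipDelta"`
		} `json:"metadata"`
	} `json:"protoPayload"`
}

const autoExpiryPrincipal = "cloud-support@google.com" // assumption, see header comment

// Grant is one ADD paired with the REMOVE that closed it, if any.
type Grant struct {
	Group, Member, AddedBy, RemovedBy string
	AddedAt, RemovedAt                time.Time // RemovedAt stays zero while the grant is open
	AutoRemoved                       bool
}

// Analyze walks the entries oldest-first (gcloud returns newest-first) and pairs
// the ADD/REMOVE deltas of the given role per group and member.
func Analyze(raw []byte, role string) ([]Grant, error) {
	var entries []AuditEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, err
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].Timestamp.Before(entries[j].Timestamp) })
	var grants []Grant
	open := map[string]int{} // "group|member" -> index of its currently open grant
	for _, e := range entries {
		p := e.ProtoPayload
		member := p.Metadata.MembershipDelta.Member
		key := p.Metadata.Group + "|" + member
		for _, d := range p.Metadata.MembershipDelta.RoleDeltas {
			switch {
			case d.Role != role:
			case d.Action == "ADD":
				open[key] = len(grants)
				grants = append(grants, Grant{Group: p.Metadata.Group, Member: member,
					AddedBy: p.AuthenticationInfo.PrincipalEmail, AddedAt: e.Timestamp})
			case d.Action == "REMOVE":
				if i, ok := open[key]; ok { // an ADD outside the queried window has no pair here
					g := &grants[i]
					g.RemovedAt, g.RemovedBy = e.Timestamp, p.AuthenticationInfo.PrincipalEmail
					g.AutoRemoved = len(p.RequestMetadata) == 0 && g.RemovedBy == autoExpiryPrincipal
					delete(open, key)
				}
			}
		}
	}
	return grants, nil
}

// Overdue returns grants still open at now for longer than maxTTL: access added without an expiry, or whose expiry has not fired yet.
func Overdue(grants []Grant, now time.Time, maxTTL time.Duration) []Grant {
	var out []Grant
	for _, g := range grants {
		if g.RemovedAt.IsZero() && now.Sub(g.AddedAt) > maxTTL {
			out = append(out, g)
		}
	}
	return out
}

// sampleLog is constructed: two entries mirror the add and auto-remove records above, the third is an invented ADD never removed.
const sampleLog = `[
{"timestamp":"2021-10-16T12:04:31.503723Z","protoPayload":{"authenticationInfo":{"principalEmail":"admin@esodemoapp2.com"},"requestMetadata":{"callerIp":"1.2.3.4","callerSuppliedUserAgent":"google-api-go-client/0.5,gzip(gfe),gzip(gfe)"},
 "metadata":{"group":"group:group1_3@esodemoapp2.com","membershipDelta":{"member":"user:user1@esodemoapp2.com","roleDeltas":[{"action":"ADD","role":"MEMBER"}]}}}},
{"timestamp":"2021-10-16T12:09:31.353801Z","protoPayload":{"authenticationInfo":{"principalEmail":"cloud-support@google.com"},"requestMetadata":{},
 "metadata":{"group":"group:group1_3@esodemoapp2.com","membershipDelta":{"member":"user:user1@esodemoapp2.com","roleDeltas":[{"action":"REMOVE","role":"MEMBER"}]}}}},
{"timestamp":"2021-10-16T13:00:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"admin@esodemoapp2.com"},"requestMetadata":{"callerIp":"1.2.3.4"},
 "metadata":{"group":"group:group1_3@esodemoapp2.com","membershipDelta":{"member":"user:user2@esodemoapp2.com","roleDeltas":[{"action":"ADD","role":"MEMBER"}]}}}}
]`

func main() {
	grants, _ := Analyze([]byte(sampleLog), "MEMBER")
	now := time.Date(2021, 10, 16, 15, 0, 0, 0, time.UTC) // fixed clock for the constructed sample
	fmt.Printf("grants: %+v\noverdue after 1h: %+v\n", grants, Overdue(grants, now, time.Hour))
}
```

Because the audit log arrives minutes to hours late, treat the Overdue result as a reconciliation alert rather than real-time enforcement: the authoritative state is the group itself (memberships.list), while the log tells you who granted what and whether the expiry actually fired.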

A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

salmaan rashid
