Configuration options

You can customize the behavior of the Just-In-Time Access application by setting environment variables in your AppEngine configuration file or Cloud Run service YAML .

The following table lists all available configuration options.

Basic configuration

Name	Description	Required	Default	Available since
RESOURCE_SCOPE	The organization, folder, or project that JIT Access can access and manage. The resource scope constrains: The set of projects that you can grant just-in-time access to: For example, if you specify a folder or organization as scope, then you can only grant users just-in-time access to projects within this folder or organization. The IAM policies that JIT Access analyzes to determine eligible access: For example, if you specify a folder as scope, JIT Access analyzes the IAM policies of this folder and all its sub-folders and projects to determine eligible access, but ignores IAM policies inherited from the organization node. The types of custom roles that you can use to grant just-in-time access (as an alternative to predefined roles): If you set the resource scope to a folder or project, then you can use custom roles that have been defined in the respective project. If you set the scope to the entire organization, you can use all custom roles, including custom roles that have been defined at the organization level. You can use one of the following values: organizations/ORGANIZATION_ID (all projects) folders/FOLDER_ID (projects underneath a specific folder, including nested folders) projects/PROJECT_ID (specific project) For ORGANIZATION_ID, FOLDER_ID, or PROJECT_ID, use the ID of the organization, folder, or project that you're using the application with. You must grant the application's service account access to the appropriate node of the resource hierarchy.	Required	Project in which Just-In-Time Access application is deployed	1.0
RESOURCE_CATALOG	Approach and API to use for finding eligible role bindings. For more information about catalogs, see Switch to a different catalog.	Required	PolicyAnalyzer	1.6
RESOURCE_CUSTOMER_ID	Customer ID of your Cloud Identity or Workspace account For more information about how to find this ID, see Find your customer ID.	Required for the AssetInventory catalog		1.6
ACTIVATION_TIMEOUT, Deprecated: ELEVATION_DURATION	Duration (in minutes) for which a role remains activated. The timeout is relative to the time when the user requested access.	Required	120	1.0
JUSTIFICATION_HINT	Hint that indicates which kind of justification users are expected to provide.	Required	Bug or case number	1.0
JUSTIFICATION_PATTERN	A regular expression that a justification has to match. For example, if you expect users to provide a ticket number in the form of CASE-123 as justification, you can use the expression ^CASE-\d+$ to enforce this convention.	Required	.*	1.0
ACTIVATION_REQUEST_MAX_ROLES	Maximum number of roles that users can activate in a single request.	Required	10	1.4.1
AVAILABLE_PROJECTS_QUERY	Query to use for project auto-completer. When not configured, the application uses the Policy Analyzer API to determine the list of projects shown in the project auto-completer. The auto-completer only lists projects that the user has eligible access to. When you configure this variable, the application instead performs a search to determine the list of projects. This method is faster, but can lead to unintended information disclosure where users are suggested projects they don't have access to. Set this variable to any query supported by projects.search, for example state:ACTIVE and grant the service account the Browser role (or an equivalent role that includes the resourcemanager.projects.get permission) on relevant projects.	Optional		1.5

Multi-party approval

Name	Description	Required	Default	Available since
ACTIVATION_REQUEST_TIMEOUT	Duration (in minutes) for which an activation request remains valid. Like ACTIVATION_TIMEOUT, the timeout is relative to the time when the user requested access. ACTIVATION_REQUEST_TIMEOUT therefore must not exceed ACTIVATION_TIMEOUT.	Required for MPA	60	1.2
ACTIVATION_REQUEST_MIN_REVIEWERS	Minimum number of reviewers for approval requests. If you set this to a value larger than 1, users need to select multiple peers when requesting approval, but obtaining approval from a single reviewer is still sufficient to activate access.	Required for MPA	1	1.4
ACTIVATION_REQUEST_MAX_REVIEWERS	Maximum number of reviewers for approval requests.	Required for MPA	10	1.4
SMTP_HOST	SMTP server to use for delivering notifications.	Required for MPA	smtp.gmail​.com	1.2
SMTP_PORT	SMTP port to use for delivering notifications. Notice that port 25 is not allowed.	Required for MPA	587	1.2
SMTP_SENDER_NAME	Name used as sender name in notifications.	Required for MPA	JIT Access	1.2
SMTP_ENABLE_STARTTLS	Enable StartTLS (required by most mail servers).	Required for MPA	true	1.2
SMTP_SENDER_ADDRESS	Email address to use for notifications.	Required for MPA		1.2
SMTP_USERNAME	Username for SMTP authentication (optional, only required if your SMTP requires authentication).	Optional		1.2
SMTP_PASSWORD	Password for SMTP authentication (optional, only required if your SMTP requires authentication). If you're using Gmail to deliver emails, this must be an app password.	Optional		1.2
SMTP_SECRET	Path to a Secrets Manager secret that contains the password for SMTP authentication. You can use this option as an alternative to SMTP_PASSWORD. The path must be in the format projects/PROJECTID/secrets/ SECRETID/versions/latest. If you're using Gmail to deliver emails, this must be an app password.	Optional		1.4
SMTP_OPTIONS	Comma-separated list of additional JavaMail options for delivering email. For example: mail.smtp.connectiontimeout=60000, mail.smtp.writetimeout=30000 For most mail servers, no additional options are required.	Optional		1.2
SMTP_ADDRESS_MAPPING	CEL expression for deriving a user's email address from their Cloud Identity/Workspace user ID. By default, JIT Accesses uses the Cloud Identity/Workspace user ID (such as alice@example.com) as email address to deliver notifications to. If some or all of your Cloud Identity/Workspace user IDs do not correspond to valid email addresses, use this setting to specify a CEL expression that derives a valid email address. CEL expressions can use standard functions and the extract() function. For example, the following expression replaces the domain example.com with test.example.com for all users: user.email.extract('{handle}@example.com') + '@test.example.com' If you're using multiple domains and only need to substitute one of them, you can use conditional statements. For example: user.email.endsWith('@external.example.com') ? user.email.extract('{handle}@external.example.com') + '@otherdomain.example' : user.email	Optional		1.7

Notifications

Name	Description	Required	Default	Available since
NOTIFICATION_TIMEZONE	Timezone to use for dates in notification emails. The value must be a valid identifier from the IANA Time Zone Database (TZDB), for example Australia/Melbourne or Europe/Berlin.	Required for MPA	UTC	1.2
NOTIFICATION_TOPIC	Name of a Pub/Sub topic to post notifications to, for example jitaccess-events. When you configure this variable, JIT Access posts a notification message to the Pub/Sub topic whenever a user self-activates a role, requests MPA-approval for a role, or is granted MPA-approval. Other applications can consume these messages to implement additional logic, such as posting to chat rooms or triggering additional workflows. When you don't configure this variable, JIT Access doesn't post any Pub/Sub messages. The topic must be in the same project as the application.	Optional		1.5

Networking

Name	Description	Required	Default	Available since
BACKEND_CONNECT_TIMEOUT	Connection timeout for Google API requests, in seconds.	Optional	5	1.5
BACKEND_READ_TIMEOUT	Read timeout for Google API requests, in seconds.	Optional	20	1.5
BACKEND_WRITE_TIMEOUT	Write timeout for Google API requests, in seconds.	Optional	5	1.5