
Configuration options

You can customize the behavior of the Just-In-Time Access application by setting environment variables in your App Engine configuration file (app.yaml) or in your Cloud Run service YAML.

The following table lists all available configuration options.

Basic configuration

Each option lists whether it is required, its default value, and the version of JIT Access in which it became available.
RESOURCE_SCOPE

The organization, folder, or project that JIT Access can access and manage. The resource scope constrains:

  • The set of projects that you can grant just-in-time access to: For example, if you specify a folder or organization as scope, then you can only grant users just-in-time access to projects within this folder or organization.
  • The IAM policies that JIT Access analyzes to determine eligible access: For example, if you specify a folder as scope, JIT Access analyzes the IAM policies of this folder and all its sub-folders and projects to determine eligible access, but ignores IAM policies inherited from the organization node.
  • The types of custom roles that you can use to grant just-in-time access (as an alternative to predefined roles): If you set the resource scope to a folder or project, then you can use custom roles that have been defined in the respective project. If you set the scope to the entire organization, you can use all custom roles, including custom roles that have been defined at the organization level.

You can use one of the following values:

  • organizations/ORGANIZATION_ID (all projects)
  • folders/FOLDER_ID (projects underneath a specific folder, including nested folders)
  • projects/PROJECT_ID (specific project)

For ORGANIZATION_ID, FOLDER_ID, or PROJECT_ID, use the ID of the organization, folder, or project that you're using the application with.

You must grant the application's service account access to the appropriate node of the resource hierarchy.

Required: yes. Default: the project in which the Just-In-Time Access application is deployed. Available since: 1.0.
RESOURCE_CATALOG

Approach and API to use for finding eligible role bindings.

For more information about catalogs, see Switch to a different catalog.

Required: yes. Default: PolicyAnalyzer. Available since: 1.6.
RESOURCE_CUSTOMER_ID

Customer ID of your Cloud Identity or Workspace account

For more information about how to find this ID, see Find your customer ID.

Required: only for the AssetInventory catalog. Default: none. Available since: 1.6.
ACTIVATION_TIMEOUT (deprecated name: ELEVATION_DURATION)

Maximum duration (in minutes) for which users can request to activate a role.

Required: yes. Default: 120. Available since: 1.0.
JUSTIFICATION_HINT

Hint that indicates which kind of justification users are expected to provide.

Required: yes. Default: Bug or case number. Available since: 1.0.
JUSTIFICATION_PATTERN

A regular expression that a justification has to match.

For example, if you expect users to provide a ticket number in the form of CASE-123 as justification, you can use the expression ^CASE-\d+$ to enforce this convention.

Required: yes. Default: .* (any justification is accepted). Available since: 1.0.
ACTIVATION_REQUEST_MAX_ROLES

Maximum number of roles that users can activate in a single request.

Required: yes. Default: 10. Available since: 1.4.1.
AVAILABLE_PROJECTS_QUERY

Query to use for the project auto-completer.

When this variable is not set, the application uses the Policy Analyzer API to determine the list of projects shown in the project auto-completer, so the auto-completer only lists projects that the user has eligible access to.

When you set this variable, the application instead runs a project search to determine the list. This is faster, but the search result is not filtered by the user's eligible access, so users can be suggested projects they cannot request access to, which is an unintended disclosure of project IDs and names.

Set this variable to any query supported by projects.search, for example state:ACTIVE, and grant the service account the Browser role (roles/browser, or an equivalent role that includes the resourcemanager.projects.get permission) on the relevant projects.

Required: no. Default: none. Available since: 1.5.

Multi-party approval

ACTIVATION_REQUEST_TIMEOUT

Duration (in minutes) for which an activation request remains valid.

Like ACTIVATION_TIMEOUT, the timeout is relative to the time when the user requested access. ACTIVATION_REQUEST_TIMEOUT therefore must not exceed ACTIVATION_TIMEOUT.

Required: for multi-party approval (MPA). Default: 60. Available since: 1.2.
ACTIVATION_REQUEST_MIN_REVIEWERS

Minimum number of reviewers for approval requests.

Note that this setting only controls how many reviewers a user must select when requesting approval, not how many approvals are needed: even if you set it to a value larger than 1, approval from a single one of the selected reviewers is still sufficient to activate access.

Required: for MPA. Default: 1. Available since: 1.4.
ACTIVATION_REQUEST_MAX_REVIEWERS

Maximum number of reviewers for approval requests.

Required: for MPA. Default: 10. Available since: 1.4.
SMTP_HOST

SMTP server to use for delivering notifications.

Required: for MPA. Default: smtp.gmail.com. Available since: 1.2.
SMTP_PORT

SMTP port to use for delivering notifications.

Port 25 is not allowed: Google Cloud blocks outbound connections on port 25, so use the submission port 587 with StartTLS instead.

Required: for MPA. Default: 587. Available since: 1.2.
SMTP_SENDER_NAME

Name used as sender name in notifications.

Required: for MPA. Default: JIT Access. Available since: 1.2.
SMTP_ENABLE_STARTTLS

Enable StartTLS, which most mail servers require. Leave this enabled: if you turn it off, the SMTP credentials and the notification content are sent unencrypted unless the server uses implicit TLS.

Required: for MPA. Default: true. Available since: 1.2.
SMTP_SENDER_ADDRESS

Email address to use for notifications.

Required: for MPA. Default: none. Available since: 1.2.
SMTP_USERNAME

Username for SMTP authentication. Only required if your SMTP server requires authentication.

Required: no. Default: none. Available since: 1.2.
SMTP_PASSWORD

Password for SMTP authentication. Only required if your SMTP server requires authentication.

If you're using Gmail to deliver emails, this must be an app password.

Because environment variables are visible to anyone who can view the service configuration, prefer SMTP_SECRET for storing the password.

Required: no. Default: none. Available since: 1.2.
SMTP_SECRET

Path to a Secret Manager secret version that contains the password for SMTP authentication. You can use this option as an alternative to SMTP_PASSWORD.

The path must be in the format projects/PROJECTID/secrets/SECRETID/versions/latest.

The application's service account must be allowed to access the secret version, for example by granting it the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) on the secret.

If you're using Gmail to deliver emails, this must be an app password.

Required: no. Default: none. Available since: 1.4.
SMTP_OPTIONS

Comma-separated list of additional JavaMail options for delivering email. For example: mail.smtp.connectiontimeout=60000, mail.smtp.writetimeout=30000

For most mail servers, no additional options are required.

Required: no. Default: none. Available since: 1.2.
SMTP_ADDRESS_MAPPING

CEL expression for deriving a user's email address from their Cloud Identity/Workspace user ID.

By default, JIT Access uses the Cloud Identity/Workspace user ID (such as alice@example.com) as the email address to deliver notifications to. If some or all of your Cloud Identity/Workspace user IDs do not correspond to valid email addresses, use this setting to specify a CEL expression that derives a valid email address.

CEL expressions can use the standard functions and the extract() function.

For example, the following expression replaces the domain example.com with test.example.com. It assumes that every user ID is in the example.com domain:

user.email.extract('{handle}@example.com') + '@test.example.com'

If you're using multiple domains and only need to substitute one of them, use a conditional expression so that user IDs in the other domains are left unchanged. For example:

user.email.endsWith('@external.example.com') ? user.email.extract('{handle}@external.example.com') + '@otherdomain.example' : user.email

Required: no. Default: none. Available since: 1.7.

Notifications

NOTIFICATION_TIMEZONE

Timezone to use for dates in notification emails.

The value must be a valid identifier from the IANA Time Zone Database (TZDB), for example Australia/Melbourne or Europe/Berlin.

Required: for MPA. Default: UTC. Available since: 1.2.
NOTIFICATION_TOPIC

Name of a Pub/Sub topic to post notifications to, for example jitaccess-events.

When you configure this variable, JIT Access posts a notification message to the Pub/Sub topic whenever a user self-activates a role, requests MPA-approval for a role, or is granted MPA-approval. Other applications can consume these messages to implement additional logic, such as posting to chat rooms or triggering additional workflows.

When you don't configure this variable, JIT Access doesn't post any Pub/Sub messages.

The topic must be in the same project as the application, and the application's service account needs permission to publish to it, for example the Pub/Sub Publisher role (roles/pubsub.publisher) on the topic.

Required: no. Default: none. Available since: 1.5.

Networking

IAP_BACKEND_SERVICE_ID

ID of the load balancer backend service used by IAP. The ID is used for verifying the audience of IAP assertions.

Required: on Cloud Run, unless IAP_VERIFY_AUDIENCE=false. Default: none. Available since: 1.3.
IAP_VERIFY_AUDIENCE

When set to true, the application verifies the audience of IAP assertions in addition to verifying their authenticity, so only assertions that IAP issued for this backend are accepted.

When set to false, the application verifies the authenticity of IAP assertions but does not verify their audience, so a valid assertion that IAP issued for a different backend is accepted as well.

Required: no. Default: true. Available since: 1.8.1.
BACKEND_CONNECT_TIMEOUT

Connection timeout for Google API requests, in seconds.

Required: no. Default: 5. Available since: 1.5.
BACKEND_READ_TIMEOUT

Read timeout for Google API requests, in seconds.

Required: no. Default: 20. Available since: 1.5.
BACKEND_WRITE_TIMEOUT

Write timeout for Google API requests, in seconds.

Required: no. Default: 5. Available since: 1.5.
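The constraints scattered across the tables above (the accepted RESOURCE_SCOPE forms, ACTIVATION_REQUEST_TIMEOUT not exceeding ACTIVATION_TIMEOUT, the reviewer bounds, the port 25 restriction, the SMTP_SECRET path format, and the IAP audience requirement on Cloud Run) are easy to get wrong in a YAML file. The following Python script is an added example, not code from the JIT Access project: it encodes those constraints as checks over a dictionary of environment variables so they can be run before deployment. The two sample configurations are constructed; the organization, folder, backend and secret identifiers in them are placeholders.

```python
import re
from typing import Dict, List

# Added example, not JIT Access project code: checks the documented constraints
# on a planned set of environment variables before deployment.
SCOPE_RE = re.compile(r"^(organizations|folders|projects)/[A-Za-z0-9][A-Za-z0-9-]*$")
# The reference shows versions/latest; a pinned version number has the same shape.
SECRET_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/[^/]+$")


def _int(env: Dict[str, str], name: str, default: int) -> int:
    return int(env.get(name, default))


def lint(env: Dict[str, str], platform: str = "cloudrun") -> List[str]:
    """Return findings for the given variables; an empty list means no issues."""
    findings: List[str] = []

    if not SCOPE_RE.match(env.get("RESOURCE_SCOPE", "")):
        findings.append("error: RESOURCE_SCOPE must be organizations/ID, folders/ID or projects/ID")
    if env.get("RESOURCE_CATALOG", "PolicyAnalyzer") == "AssetInventory" and not env.get("RESOURCE_CUSTOMER_ID"):
        findings.append("error: RESOURCE_CUSTOMER_ID is required for the AssetInventory catalog")

    # ELEVATION_DURATION is the deprecated name of ACTIVATION_TIMEOUT: honour it, but flag it.
    if "ELEVATION_DURATION" in env:
        findings.append("warning: ELEVATION_DURATION is deprecated, use ACTIVATION_TIMEOUT")
    activation_timeout = _int(env, "ACTIVATION_TIMEOUT", _int(env, "ELEVATION_DURATION", 120))
    if _int(env, "ACTIVATION_REQUEST_TIMEOUT", 60) > activation_timeout:
        findings.append("error: ACTIVATION_REQUEST_TIMEOUT must not exceed ACTIVATION_TIMEOUT")

    pattern = env.get("JUSTIFICATION_PATTERN", ".*")
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        findings.append(f"error: JUSTIFICATION_PATTERN does not compile: {exc}")
    else:
        if not (pattern.startswith(("^", r"\A")) and pattern.endswith(("$", r"\Z"))):
            findings.append("warning: JUSTIFICATION_PATTERN is not anchored with ^ and $")
        if compiled.fullmatch("") is not None:  # true for the default .*
            findings.append("warning: JUSTIFICATION_PATTERN accepts an empty justification")

    min_rev = _int(env, "ACTIVATION_REQUEST_MIN_REVIEWERS", 1)
    max_rev = _int(env, "ACTIVATION_REQUEST_MAX_REVIEWERS", 10)
    if not 1 <= min_rev <= max_rev:
        findings.append("error: need 1 <= ACTIVATION_REQUEST_MIN_REVIEWERS <= ACTIVATION_REQUEST_MAX_REVIEWERS")
    elif min_rev > 1:
        # Selecting more reviewers does not raise the bar: one approval still activates access.
        findings.append("note: ACTIVATION_REQUEST_MIN_REVIEWERS > 1 does not require more than one approval")

    if _int(env, "SMTP_PORT", 587) == 25:
        findings.append("error: SMTP_PORT 25 is not allowed, use a submission port such as 587")
    if env.get("SMTP_ENABLE_STARTTLS", "true").lower() != "true":
        findings.append("warning: SMTP_ENABLE_STARTTLS=false sends credentials and mail in cleartext")
    if env.get("SMTP_PASSWORD"):
        findings.append("warning: SMTP_PASSWORD is visible in the service configuration, prefer SMTP_SECRET")
    if env.get("SMTP_SECRET") and not SECRET_RE.match(env["SMTP_SECRET"]):
        findings.append("error: SMTP_SECRET must be projects/PROJECTID/secrets/SECRETID/versions/latest")

    if platform == "cloudrun":
        verify_audience = env.get("IAP_VERIFY_AUDIENCE", "true").lower() == "true"
        if verify_audience and not env.get("IAP_BACKEND_SERVICE_ID"):
            findings.append("error: IAP_BACKEND_SERVICE_ID is required on Cloud Run when IAP_VERIFY_AUDIENCE is true")
        elif not verify_audience:
            findings.append("warning: IAP_VERIFY_AUDIENCE=false accepts IAP assertions issued for any backend")
    return findings


# Constructed sample that trips several checks (placeholder identifiers).
WEAK_ENV = {
    "RESOURCE_SCOPE": "folders/123456789",
    "RESOURCE_CATALOG": "AssetInventory",
    "ELEVATION_DURATION": "60",
    "ACTIVATION_REQUEST_TIMEOUT": "90",
    "JUSTIFICATION_PATTERN": r"CASE-\d+",
    "ACTIVATION_REQUEST_MIN_REVIEWERS": "2",
    "SMTP_PORT": "25",
    "SMTP_ENABLE_STARTTLS": "false",
    "SMTP_PASSWORD": "app-password-in-plaintext",
    "IAP_VERIFY_AUDIENCE": "false",
}

# Constructed sample of a sound configuration (placeholder identifiers).
GOOD_ENV = {
    "RESOURCE_SCOPE": "organizations/123456789012",
    "RESOURCE_CATALOG": "PolicyAnalyzer",
    "ACTIVATION_TIMEOUT": "120",
    "ACTIVATION_REQUEST_TIMEOUT": "60",
    "JUSTIFICATION_PATTERN": r"^CASE-\d+$",
    "ACTIVATION_REQUEST_MIN_REVIEWERS": "1",
    "ACTIVATION_REQUEST_MAX_REVIEWERS": "5",
    "SMTP_HOST": "smtp.gmail.com",
    "SMTP_PORT": "587",
    "SMTP_ENABLE_STARTTLS": "true",
    "SMTP_SECRET": "projects/my-project/secrets/jitaccess-smtp/versions/latest",
    "IAP_BACKEND_SERVICE_ID": "1234567890123456789",
}

if __name__ == "__main__":
    for label, env in (("weak", WEAK_ENV), ("good", GOOD_ENV)):
        print(label, lint(env) or ["no findings"])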