Configuration options

You can customize the behavior of the Just-In-Time Access application by setting environment variables in your AppEngine configuration file or Cloud Run service YAML .

The following table lists all available configuration options.

Basic configuration

Name	Description	Required	Default	Available since
`RESOURCE_SCOPE`	The organization, folder, or project that JIT Access can access and manage. The resource scope constrains: The set of projects that you can grant just-in-time access to: For example, if you specify a folder or organization as scope, then you can only grant users just-in-time access to projects within this folder or organization. The IAM policies that JIT Access analyzes to determine eligible access: For example, if you specify a folder as scope, JIT Access analyzes the IAM policies of this folder and all its sub-folders and projects to determine eligible access, but ignores IAM policies inherited from the organization node. The types of custom roles that you can use to grant just-in-time access (as an alternative to predefined roles): If you set the resource scope to a folder or project, then you can use custom roles that have been defined in the respective project. If you set the scope to the entire organization, you can use all custom roles, including custom roles that have been defined at the organization level. You can use one of the following values: `organizations/ORGANIZATION_ID` (all projects) `folders/FOLDER_ID` (projects underneath a specific folder, including nested folders) `projects/PROJECT_ID` (specific project) For ORGANIZATION_ID, FOLDER_ID, or PROJECT_ID, use the ID of the organization, folder, or project that you're using the application with. You must grant the application's service account access to the appropriate node of the resource hierarchy.	Required	Project in which Just-In-Time Access application is deployed	1.0
`RESOURCE_CATALOG`	Approach and API to use for finding eligible role bindings. For more information about catalogs, see Switch to a different catalog.	Required	`PolicyAnalyzer`	1.6
`RESOURCE_CUSTOMER_ID`	Customer ID of your Cloud Identity or Workspace account For more information about how to find this ID, see Find your customer ID.	Required for the `AssetInventory` catalog		1.6
`ACTIVATION_TIMEOUT`, Deprecated: `ELEVATION_DURATION`	Maximum duration (in minutes) for which users can request to activate a role.	Required	`120`	1.0
`JUSTIFICATION_HINT`	Hint that indicates which kind of justification users are expected to provide.	Required	`Bug or case number`	1.0
`JUSTIFICATION_PATTERN`	A regular expression that a justification has to match. For example, if you expect users to provide a ticket number in the form of `CASE-123` as justification, you can use the expression `^CASE-\d+$` to enforce this convention.	Required	`.*`	1.0
`ACTIVATION_REQUEST_MAX_ROLES`	Maximum number of roles that users can activate in a single request.	Required	`10`	1.4.1
`AVAILABLE_PROJECTS_QUERY`	Query to use for project auto-completer. When not configured, the application uses the Policy Analyzer API to determine the list of projects shown in the project auto-completer. The auto-completer only lists projects that the user has eligible access to. When you configure this variable, the application instead performs a search to determine the list of projects. This method is faster, but can lead to unintended information disclosure where users are suggested projects they don't have access to. Set this variable to any query supported by `projects.search`, for example `state:ACTIVE` and grant the service account the Browser role (or an equivalent role that includes the `resourcemanager.projects.get` permission) on relevant projects.	Optional		1.5

Multi-party approval

Name	Description	Required	Default	Available since
`ACTIVATION_REQUEST_TIMEOUT`	Duration (in minutes) for which an activation request remains valid. Like `ACTIVATION_TIMEOUT`, the timeout is relative to the time when the user requested access. `ACTIVATION_REQUEST_TIMEOUT` therefore must not exceed `ACTIVATION_TIMEOUT`.	Required for MPA	`60`	1.2
`ACTIVATION_REQUEST_MIN_REVIEWERS`	Minimum number of reviewers for approval requests. If you set this to a value larger than `1`, users need to select multiple peers when requesting approval, but obtaining approval from a single reviewer is still sufficient to activate access.	Required for MPA	`1`	1.4
`ACTIVATION_REQUEST_MAX_REVIEWERS`	Maximum number of reviewers for approval requests.	Required for MPA	`10`	1.4
`SMTP_HOST`	SMTP server to use for delivering notifications.	Required for MPA	`smtp.gmail.com`	1.2
`SMTP_PORT`	SMTP port to use for delivering notifications. Notice that port 25 is not allowed.	Required for MPA	`587`	1.2
`SMTP_SENDER_NAME`	Name used as sender name in notifications.	Required for MPA	`JIT Access`	1.2
`SMTP_ENABLE_STARTTLS`	Enable StartTLS (required by most mail servers).	Required for MPA	`true`	1.2
`SMTP_SENDER_ADDRESS`	Email address to use for notifications.	Required for MPA		1.2
`SMTP_USERNAME`	Username for SMTP authentication (optional, only required if your SMTP requires authentication).	Optional		1.2
`SMTP_PASSWORD`	Password for SMTP authentication (optional, only required if your SMTP requires authentication). If you're using Gmail to deliver emails, this must be an app password.	Optional		1.2
`SMTP_SECRET`	Path to a Secrets Manager secret that contains the password for SMTP authentication. You can use this option as an alternative to `SMTP_PASSWORD`. The path must be in the format `projects/PROJECTID/secrets/ SECRETID/versions/latest`. If you're using Gmail to deliver emails, this must be an app password.	Optional		1.4
`SMTP_OPTIONS`	Comma-separated list of additional JavaMail options for delivering email. For example: `mail.smtp.connectiontimeout=60000, mail.smtp.writetimeout=30000` For most mail servers, no additional options are required.	Optional		1.2
`SMTP_ADDRESS_MAPPING`	CEL expression for deriving a user's email address from their Cloud Identity/Workspace user ID. By default, JIT Accesses uses the Cloud Identity/Workspace user ID (such as alice@example.com) as email address to deliver notifications to. If some or all of your Cloud Identity/Workspace user IDs do not correspond to valid email addresses, use this setting to specify a CEL expression that derives a valid email address. CEL expressions can use standard functions and the `extract()` function. For example, the following expression replaces the domain `example.com` with `test.example.com` for all users: `user.email.extract('{handle}@example.com') + '@test.example.com'` If you're using multiple domains and only need to substitute one of them, you can use conditional statements. For example: `user.email.endsWith('@external.example.com') ? user.email.extract('{handle}@external.example.com') + '@otherdomain.example' : user.email`	Optional		1.7

Notifications

Name Description Required Default Available since

NOTIFICATION_TIMEZONE

Timezone to use for dates in notification emails.

The value must be a valid identifier from the IANA Time Zone Database (TZDB), for example Australia/Melbourne or Europe/Berlin.

Required for MPA

UTC

1.2

NOTIFICATION_TOPIC

Name of a Pub/Sub topic to post notifications to, for example jitaccess-events.

When you configure this variable, JIT Access posts a notification message to the Pub/Sub topic whenever a user self-activates a role, requests MPA-approval for a role, or is granted MPA-approval. Other applications can consume these messages to implement additional logic, such as posting to chat rooms or triggering additional workflows.

When you don't configure this variable, JIT Access doesn't post any Pub/Sub messages.

The topic must be in the same project as the application.

Optional

1.5

Networking

Name	Description	Required	Default	Available since
`IAP_BACKEND_SERVICE_ID`	ID of the load balancer backend used by IAP. The ID is used for verifying the audience of IAP assertions	Required on Cloud Run unless `IAP_VERIFY_AUDIENCE=false`		1.3
`IAP_VERIFY_AUDIENCE`	When set to `true`, the application verifies the audience of IAP assertions, in addition to verifying their authenticity.. When set to `false`, the application verifies the authenticity of IAP assertions, but does not verify their audience.	Optional	true	1.8.1
`BACKEND_CONNECT_TIMEOUT`	Connection timeout for Google API requests, in seconds.	Optional	`5`	1.5
`BACKEND_READ_TIMEOUT`	Read timeout for Google API requests, in seconds.	Optional	`20`	1.5
`BACKEND_WRITE_TIMEOUT`	Write timeout for Google API requests, in seconds.	Optional	`5`	1.5