Configure notifications
This article describes how to configure Just-in-Time Access (JIT Access) to publish notifications to a Pub/Sub topic when one of the following events occurs:
- A user activates a role binding that permits self-approval
- A user requests approval for activating a role binding that requires multi-party approval
- A user approves an activation request
Create a Pub/Sub topic
Create a Pub/Sub topic that JIT Access can publish messages to. The topic must reside in the same project as the JIT Access application.

1. Set the default project for the gcloud CLI:

   ```sh
   gcloud config set project PROJECT_ID
   ```

   Replace `PROJECT_ID` with the ID of your project.

2. Enable the Pub/Sub API:

   ```sh
   gcloud services enable pubsub.googleapis.com
   ```

3. Initialize an environment variable for the Pub/Sub topic name:

   ```sh
   PUBSUB_TOPIC=TOPIC
   ```

   Replace `TOPIC` with a topic name, for example `jitaccess-events`.

4. Create the Pub/Sub topic:

   ```sh
   gcloud pubsub topics create $PUBSUB_TOPIC
   ```

5. Grant the Pub/Sub Publisher role (`roles/pubsub.publisher`) to the application's service account. The first command reads the service account from the Cloud Run service `jitaccess`; if you deployed the application to App Engine, use the service account that your App Engine application runs as instead:

   ```sh
   SERVICE_ACCOUNT=$(gcloud run services describe jitaccess --format "value(spec.template.spec.serviceAccountName)")
   gcloud pubsub topics add-iam-policy-binding $PUBSUB_TOPIC \
     --member="serviceAccount:$SERVICE_ACCOUNT" \
     --role="roles/pubsub.publisher"
   ```
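After granting the binding, it is worth confirming that the topic's IAM policy lets the application's service account publish and lets nothing else do so. The following Python check is an added example, not part of the JIT Access project: it takes the JSON that `gcloud pubsub topics get-iam-policy TOPIC --format json` returns and reports public principals, unexpected publishers and over-broad roles (the sample policy, service-account name and etag below are constructed placeholders).

```python
import json
from typing import List

# Constructed sample: the shape `gcloud pubsub topics get-iam-policy TOPIC --format json`
# returns after the add-iam-policy-binding step. Account name and etag are placeholders.
EXPECTED_PUBLISHER = "serviceAccount:jitaccess@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [{"members": [EXPECTED_PUBLISHER], "role": "roles/pubsub.publisher"}],
    "etag": "PLACEHOLDER_ETAG",
})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Topic-level roles that allow publishing to or reconfiguring the topic.
WRITE_ROLES = {"roles/pubsub.publisher", "roles/pubsub.editor", "roles/pubsub.admin",
               "roles/owner", "roles/editor"}


def audit_topic_policy(policy_json: str, expected_publisher: str) -> List[str]:
    """Return findings for a topic IAM policy; an empty list means only the
    expected service account can publish, and only via roles/pubsub.publisher.
    Only the topic-level policy is inspected: grants inherited from the project
    or folder do not appear here and must be reviewed separately."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    publisher_found = False
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if binding.get("condition"):
            findings.append(f"conditional binding on {role}; review its expression")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"public principal {member} holds {role}")
            elif member == expected_publisher:
                if role == "roles/pubsub.publisher":
                    publisher_found = True
                elif role in WRITE_ROLES:
                    findings.append(f"{member} holds {role}, broader than roles/pubsub.publisher")
            elif role in WRITE_ROLES:
                findings.append(f"unexpected principal {member} can publish via {role}")
    if not publisher_found:
        findings.append(f"{expected_publisher} lacks roles/pubsub.publisher on the topic")
    return findings


if __name__ == "__main__":
    # Against a real topic: gcloud pubsub topics get-iam-policy "$PUBSUB_TOPIC" --format json > policy.json
    print(audit_topic_policy(SAMPLE_POLICY, EXPECTED_PUBLISHER) or "topic policy OK")
```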
Configure JIT Access
You now update the configuration and redeploy the Just-in-Time Access application:

1. Clone the GitHub repository and switch to the `latest` branch:

   ```sh
   git clone https://github.com/GoogleCloudPlatform/jit-access.git
   cd jit-access/sources
   git checkout latest
   ```

2. Download the configuration file that you used previously to deploy the application and save it to a file `app.yaml`.

   If you deployed the application to App Engine:

   ```sh
   APPENGINE_VERSION=$(gcloud app versions list --service default --hide-no-traffic --format "value(version.id)")
   APPENGINE_APPYAML_URL=$(gcloud app versions describe $APPENGINE_VERSION --service default --format "value(deployment.files.'app.yaml'.sourceUrl)")
   curl -H "Authorization: Bearer $(gcloud auth print-access-token)" $APPENGINE_APPYAML_URL -o app.yaml
   ```

   If you deployed the application to Cloud Run:

   ```sh
   gcloud run services describe jitaccess --format yaml > app.yaml
   ```

3. Open the file `app.yaml` in an editor and add the following configuration option alongside the application's other environment variables:

   ```yaml
   NOTIFICATION_TOPIC: topic
   ```

   Replace `topic` with the name of the Pub/Sub topic you created in a previous step.

4. Deploy the application with the updated configuration.

   If you deployed the application to App Engine:

   ```sh
   sed -i 's/java11/java17/g' app.yaml
   gcloud app deploy --appyaml app.yaml
   ```

   If you deployed the application to Cloud Run:

   ```sh
   PROJECT_ID=$(gcloud config get-value core/project)
   docker build -t gcr.io/$PROJECT_ID/jitaccess:latest .
   docker push gcr.io/$PROJECT_ID/jitaccess:latest
   IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' gcr.io/$PROJECT_ID/jitaccess)
   sed -i "s|image:.*|image: $IMAGE|g" app.yaml
   gcloud run services replace app.yaml
   ```