Access VPC service perimeters
The Just-in-Time Access application uses the Google Cloud Resource Manager API to grant access to projects. If a project is part of a VPC service perimeter that restricts access to the Google Cloud Resource Manager API, then the application might be unable to grant users access to that project.
To allow Just-in-Time Access to grant users access to projects in a service perimeter, create an ingress policy:
- In the Cloud Console, go to VPC Service Controls and open the service perimeter.
- Click Edit perimeter.
- Select Ingress Policy.
- Click Add rule and configure the following settings:
  - Source: All sources
  - Identity: the email address of the service account used by the JIT Access application
  - Project: the project to manage access for, or All projects
  - Services: Google Cloud Resource Manager API
- Click Save.
This ingress policy permits the service account used by the JIT Access application to access the Google Cloud Resource Manager API, and lets the Just-in-Time Access application grant users access to projects in that service perimeter.
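The same ingress rule, expressed as an ingress-policy file that can be applied with the gcloud CLI instead of the Cloud Console. This is an added example and not a file from the Just-in-Time Access documentation; the service account address, perimeter name, access policy ID and project number are placeholders to be replaced with your own values. The rule is deliberately narrow: it admits only the JIT Access service account, and only to the Cloud Resource Manager API, so no other identity or service gains a path into the perimeter.

```yaml
# Ingress policy for VPC Service Controls (added example, not from the page).
# One rule: allow the JIT Access service account, from any source, to call the
# Cloud Resource Manager API on the projects listed under ingressTo.resources.
- ingressFrom:
    identities:
      # Placeholder: the service account the JIT Access application runs as.
      - serviceAccount:jitaccess@PLACEHOLDER_PROJECT_ID.iam.gserviceaccount.com
    sources:
      # '*' corresponds to "All sources" in the Cloud Console.
      - accessLevel: '*'
  ingressTo:
    operations:
      # Only the Cloud Resource Manager API, all of its methods.
      - serviceName: cloudresourcemanager.googleapis.com
        methodSelectors:
          - method: '*'
    resources:
      # Either the specific project(s) JIT Access manages, by project number...
      - projects/PLACEHOLDER_PROJECT_NUMBER
      # ...or '*' to match "All projects" in the Cloud Console (remove the line above).
      # - '*'
```

Apply the file with `gcloud access-context-manager perimeters update PLACEHOLDER_PERIMETER --policy=PLACEHOLDER_POLICY_ID --set-ingress-policies=ingress.yaml` (the perimeter and access-policy identifiers are placeholders). Note that `--set-ingress-policies` replaces the perimeter's existing ingress rules with the contents of the file, so merge this rule into any ingress policy you already have rather than applying it on its own. Scoping `resources` to the specific project numbers JIT Access manages, rather than `'*'`, keeps the exception to the minimum the application needs.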