Configuration options
You can customize the behavior of JIT Groups by setting environment variables in your App Engine configuration file or Cloud Run service YAML. The following tables list all available configuration options.
Basic options
Name | Terraform variable | Description | Required | Default | Available since |
---|---|---|---|---|---|
CUSTOMER_ID or RESOURCE_CUSTOMER_ID | customer_id | Cloud Identity/Workspace customer ID | Yes | - | 1.6 |
PRIMARY_DOMAIN | primary_domain | Primary domain of the Cloud Identity/Workspace account | Yes | - | 2.1 |
ORGANIZATION_ID | organization_id | Organization ID of the Google Cloud organization | Yes | - | 2.1 |
GROUPS_DOMAIN | groups_domain | Domain to use for JIT groups; this can be the primary or a secondary domain | No | - | 2.0 |
RESOURCE_CACHE_TIMEOUT | - | Duration (in seconds) for which to cache policy documents | No | 5 | 2.0 |
APPROVAL_TIMEOUT | - | Duration (in minutes) for which approval requests remain valid | No | 60 | 2.0 |
Email options
The following options let you customize how JIT Groups sends emails.
Name | Terraform variable | Description | Required | Default | Available since |
---|---|---|---|---|---|
SMTP_SENDER_NAME | - | Name used as sender name in notifications. | No | JIT Groups | 1.2 |
SMTP_SENDER_ADDRESS | smtp_user | Email address to use for notifications. | Yes | - | 1.2 |
SMTP_HOST | smtp_host | SMTP server to use for delivering notifications. | No | smtp.gmail.com | 1.2 |
SMTP_PORT | - | SMTP port to use for delivering notifications, see remarks below. | No | 587 | 1.2 |
SMTP_USERNAME | smtp_user | Username for SMTP authentication (only required if your SMTP server requires authentication). | No | - | 1.2 |
SMTP_SECRET | (automatic) | Path to a Secret Manager secret that contains the password for SMTP authentication. | No | - | 1.4 |
SMTP_ADDRESS_MAPPING | - | CEL expression for deriving a user's email address, see Email address mapping. | No | - | 1.7 |
SMTP_ENABLE_STARTTLS | - | Enable StartTLS (required by most mail servers), see remarks below. | No | true | 1.2 |
SMTP_OPTIONS | - | Comma-separated list of additional JavaMail options for delivering email, see remarks below. | No | - | 1.2 |
NOTIFICATION_TIMEZONE | - | Time zone to use for dates in notification emails, for example Australia/Melbourne or Europe/Berlin. | No | - | 1.2 |
Remarks:
- JIT Groups uses port 587 by default because port 25 can't be used on Google Cloud.
- For a list of JavaMail options to use in SMTP_OPTIONS, see the JavaMail documentation. Most mail servers don't require any additional options.
- Keep SMTP_ENABLE_STARTTLS set to true unless the SMTP server is reached over a channel that is already encrypted: with StartTLS disabled, the SMTP username, the password read from SMTP_SECRET, and the contents of every notification are transmitted in cleartext.
- For a list of time zone identifiers, see the IANA Time Zone Database (TZDB).
Email address mapping
By default, JIT Groups assumes that all Cloud Identity/Workspace user IDs (such as alice@example.com) are valid email addresses, and can be used to deliver email notifications.
If some or all of your Cloud Identity/Workspace user IDs do not correspond to valid email addresses, you can use SMTP_ADDRESS_MAPPING to specify a CEL expression that derives a valid email address from the user ID.
CEL expressions can use the following macros and functions:
- Standard macros such as filter, map, or matches (for RE2 regular expressions).
- String functions such as replace, substring, or trim.
- Encoder functions such as base64.encode and base64.decode.
- The extract function, as used in the examples below.
Examples:
- The following CEL expression replaces the domain example.com with test.example.com for all users:
  user.email.extract('{handle}@example.com') + '@test.example.com'
  This expression only yields a usable address for user IDs that end in @example.com; for a user ID in any other domain, the extract call does not match the template and the result is not a deliverable address.
- The following CEL expression substitutes the domain external.example.com with otherdomain.example, but keeps all other domains unchanged, so every user ID still maps to an address:
  user.email.endsWith('@external.example.com') ? user.email.extract('{handle}@external.example.com') + '@otherdomain.example' : user.email
Networking options
Name | Description | Required | Default | Available since |
---|---|---|---|---|
IAP_VERIFY_AUDIENCE | Enable audience verification, see remarks below. | No | true | 1.8.1 |
IAP_BACKEND_SERVICE_ID | ID of the load balancer backend service, see remarks below. | No | - | 1.3 |
BACKEND_CONNECT_TIMEOUT | Connection timeout for Google API requests, in seconds. | No | 5 | 1.5 |
BACKEND_READ_TIMEOUT | Read timeout for Google API requests, in seconds. | No | 20 | 1.5 |
BACKEND_WRITE_TIMEOUT | Write timeout for Google API requests, in seconds. | No | 5 | 1.5 |
Remarks:
- When IAP_VERIFY_AUDIENCE is true (default), JIT Groups verifies the audience of IAP assertions. On Cloud Run, this requires IAP_BACKEND_SERVICE_ID to contain the ID of the load balancer backend service that fronts JIT Groups.
- When IAP_VERIFY_AUDIENCE is false, JIT Groups verifies the authenticity of IAP assertions but does not verify their audience. Because IAP signs the assertions for every IAP-protected resource with the same key set, an assertion that IAP issued for a different application or backend service then also passes verification. Leave audience verification enabled unless you have a specific reason to disable it.
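The consequence of disabling audience verification, as an added Go example that is not part of JIT Groups (the project is written in Java and performs this check in its own code): the program mints an IAP-style ES256 assertion for a different backend service and runs it through a verifier in both modes. Assumptions: the signing key is generated locally as a stand-in for the public keys IAP publishes; the aud format is IAP's documented one for backend services, /projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID, and that JIT Groups derives exactly this value from IAP_BACKEND_SERVICE_ID is assumed rather than taken from the page; the project number and backend service IDs are constructed placeholders; and verifyAssertion, mintES256, backendServiceAudience and runScenario are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap" // issuer of IAP signed-header assertions

// claims is the subset of the IAP assertion payload checked here.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// backendServiceAudience is IAP's documented aud value for a load balancer backend service;
// that JIT Groups derives exactly this value from IAP_BACKEND_SERVICE_ID is an assumption.
func backendServiceAudience(projectNumber, backendServiceID string) string {
	return fmt.Sprintf("/projects/%s/global/backendServices/%s", projectNumber, backendServiceID)
}

// mintES256 signs an assertion as IAP does (ES256, raw R||S JWS signature) with a local stand-in key.
func mintES256(key *ecdsa.PrivateKey, c claims) (string, error) {
	payload, _ := json.Marshal(c) // a struct of plain strings and ints cannot fail to marshal
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // R and S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyAssertion checks alg, signature, issuer and expiry. With verifyAudience set (IAP_VERIFY_AUDIENCE=true)
// it also requires aud to equal expectedAud; without it (false) any assertion IAP signed for any resource passes.
func verifyAssertion(pub *ecdsa.PublicKey, token string, verifyAudience bool, expectedAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	var hdr struct{ Alg string }
	header, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(header, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected alg") // also blocks alg=none and key-type confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c claims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iapIssuer || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("wrong issuer or expired")
	}
	if verifyAudience && c.Aud != expectedAud {
		return nil, fmt.Errorf("audience %q rejected, expected %q", c.Aud, expectedAud)
	}
	return &c, nil
}

// runScenario mints an assertion for another backend service behind the same IAP and checks it
// against this deployment's audience with verification off and on (placeholders are constructed).
func runScenario() (acceptedWithoutAud, acceptedWithAud bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	ours := backendServiceAudience("123456789012", "1111111111111111111")
	other := backendServiceAudience("123456789012", "2222222222222222222")
	foreign, err := mintES256(key, claims{Iss: iapIssuer, Aud: other, Exp: now.Add(10 * time.Minute).Unix()})
	if err != nil {
		return
	}
	_, errOff := verifyAssertion(&key.PublicKey, foreign, false, ours, now)
	_, errOn := verifyAssertion(&key.PublicKey, foreign, true, ours, now)
	return errOff == nil, errOn == nil, nil
}

func main() { fmt.Println(runScenario()) }
```

A production verifier additionally fetches IAP's public keys and selects one by the kid header, which is omitted here. The point the run makes is that the signature check alone passes for an assertion minted for any resource IAP protects; only the comparison of aud against this deployment's own backend service ties the assertion to JIT Groups.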
Compatibility
The following options let you configure compatibility with JIT Access 1.x. These options only affect groups in the classic environment.
Name | Terraform attribute | Description | Required | Default | Available since |
---|---|---|---|---|---|
RESOURCE_SCOPE | resource_scope | Details | No | - | 2.0 |
RESOURCE_CATALOG | - | Details | No | AssetInventory | 2.0 |
ACTIVATION_TIMEOUT | - | Details | No | - | 2.0 |
JUSTIFICATION_HINT | - | Details | No | - | 2.0 |
JUSTIFICATION_PATTERN | - | Details | No | - | 2.0 |
AVAILABLE_PROJECTS_QUERY | - | Details | No | - | 2.0 |
The following options from JIT Access 1.x are not supported in JIT Groups:
- ACTIVATION_REQUEST_MAX_ROLES
- ACTIVATION_REQUEST_MIN_REVIEWERS
- ACTIVATION_REQUEST_MAX_REVIEWERS
- NOTIFICATION_TOPIC