Releases: GoogleCloudPlatform/jit-access


14 May 00:18

This release of Just-in-Time Access introduces the following new feature:

  • Resource conditions: You can now specify additional resource conditions when granting eligible access to a project. Resource conditions are IAM conditions that let you limit the set of resources a role should apply to. (#66, co-authored by @rialg)

In addition, the release includes several stability improvements and fixes, including:

  • Requesting multi-party approval for a role failed if ACTIVATION_TIMEOUT was set to 50 or below (#378)

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.


26 Mar 01:31

This release of Just-in-Time Access introduces the following new features:

  • New UI: JIT Access now uses a new, Material 3-based user interface.

  • Expiry of activated roles: For activated roles, the user interface now indicates how much time you have left before the activation expires.

  • Extending access: When you need a role for longer than originally anticipated, you can now request to extend your access. (#141)

  • Health check endpoints: The application now implements liveness and readiness endpoints that you can use to monitor the application. (#320)

  • Email address rewriting: You can now customize how JIT Access determines the email address for users by configuring a CEL function. This feature lets you deploy multi-party approval in environments where users have email addresses that differ from their Google usernames. (inspired by @mvo-dev)



08 Jan 22:45

This release of Just-in-Time Access introduces the following new features:

  • You can now use JIT Access without the Policy Analyzer API. (#193)

    Previous versions of JIT Access exclusively relied on the Policy Analyzer API to find eligible role bindings. To better support environments that can't use the Policy Analyzer API because of quota restrictions, JIT Access 1.6 introduces an alternate catalog implementation, AssetInventory, that uses the effectiveIamPolicies.batchGet API instead.

    For more information about switching between catalog implementations, see Configure catalogs.

  • The list of roles in the user interface is now sorted and the UI better adapts to the window size of your browser.

    This feature was contributed by @abdolence in #213.

  • Improved performance for activating multiple roles at once. (#221)

In addition, the release includes several stability improvements and fixes, including:

  • Approving requests failed for users that were both JIT- and MPA-eligible for the requested role (b/295100577).



06 Dec 21:40

This release of Just-in-Time Access introduces the following new features:

  • You can now let JIT Access publish notification messages to Pub/Sub when certain events occur. Other applications can consume these messages to implement additional logic, such as posting to chat rooms or triggering custom workflows.

    This feature was contributed by @eeeeethan2333, @mjstatham, and @zhangran1.

  • You can now modify the behavior of the project-autocompleter and let it perform a search instead of a Policy Analyzer query to determine suggestions. This method results in non-personalized suggestions, but can be significantly faster.

    This feature was contributed by @abdolence in #201.

  • You can now adjust the maximum number of roles that users can activate at once by using the ACTIVATION_REQUEST_MAX_ROLES configuration option. Previously, the number of roles was limited to 10.

  • Audit log messages now include the duration for which a role has been activated.

    This feature was contributed by @bschaatsbergen in #187.

  • The Open console button on the confirmation page now links to the project for which you activated a role.

    This feature was contributed by @patriknordlen in #161.

In addition, the release includes several stability improvements and fixes, including:

  • When calling the Policy Analyzer API, the application used a fixed timeout of 20 seconds. This timeout proved to be too short in certain cases. You can now customize these timeouts.
  • The container used in Cloud Run now uses Debian 12 (contributed by @SCKelemen) and performs a clean build (contributed by @hahomdal in #160).



18 Aug 00:41

This release of Just-in-Time Access introduces the following new features:

  • You can now configure the maximum number of roles that users can activate at once by configuring ACTIVATION_REQUEST_MAX_ROLES. Previously, JIT Access only allowed users to activate 10 roles at a time. (#83)
  • You can link to JIT Access and have it preselect a project by adding a query parameter projectId= to the URL. (#130)
  • The dialog step for selecting approvers now includes a select all option. (#59)
  • The footer now shows the version number of the application. (#130)

In addition, the release includes several stability improvements and fixes, including:

  • When deployed on Cloud Run, links in approval emails used http:// instead of https://
  • When attempting to activate a role that is defined outside the scope of JIT Access or can't be granted on a project, JIT Access showed a generic, non-actionable error.



19 Apr 00:16

Release 1.4 of Just-in-Time Access introduces the following new features:

  • The user interface now lets you select all roles or all peers with a single click (#59)
  • You can now choose the duration for which to activate a role, between 5 minutes and the maximum duration specified by ACTIVATION_TIMEOUT (#52)
  • For roles that require multi-party approval, you can now configure a minimum and maximum number of reviewers that users must include in the approval process (see ACTIVATION_REQUEST_MIN_REVIEWERS, ACTIVATION_REQUEST_MAX_REVIEWERS) (#55)
  • Instead of configuring SMTP credentials in clear-text, you can now configure JIT Access to read the credentials from Secret Manager (see SMTP_SECRET) (#50)

In addition, the release includes several stability improvements and fixes, including:

  • When using multi-party approval, approving a request failed if you previously activated the same role for yourself.



06 Mar 04:04

This is release 1.3 of Just-in-Time Access.

This release introduces the following new features:

  • Deploy on Cloud Run: JIT Access now supports both Cloud Run and App Engine as deployment targets. (Contributed by adriantr).

In addition, the release includes several stability improvements and fixes, including:

  • The application now handles empty IAM conditions correctly (Fix contributed by es)
  • When a role is granted twice (with the same or different constraints), the application now properly removes duplicates.



11 Jan 00:02

This is release 1.2 of Just-in-Time Access.

This release introduces the following new features:

  • Multi-party approval: When granting eligible access, you can now decide whether to allow users to activate the access by themselves (self-approval), or whether they need approval from another user (multi-party approval). Multi-party approval is an optional feature and uses email to notify users about pending or approved access requests. For more details on configuring multi-party approval, see Configure multi-party approval.

In addition, the release includes several stability improvements and fixes.



03 Dec 23:16

This is release 1.1 of Just-in-Time Access.

This release introduces the following new features:

  • Inherited role bindings: You can now grant a user (or group) eligible access to a folder or an entire organization. Users can then activate access for each project in the folder (or organization) individually.
  • New user interface: The application now uses a new, Material design-based user interface.
  • Quicker deployment: The application now uses fewer dependencies and, as a result, is quicker to deploy.

In addition, the release includes several stability improvements and fixes, including:

  • In some cases, either due to stale browser caches or an expired sign-in session, the frontend showed Loading... instead of redirecting to the sign-in screen.
