
Clean up expired bindings

Open lnrdll opened this issue 2 years ago • 3 comments

While it might seem like a long shot, this issue primarily stems from the API and not this tool. Nevertheless, it's valuable to engage in a discussion regarding this matter and explore potential solutions.

When a temporary IAM binding is established, it appears in GCP's IAM view, complete with the condition name in the 'Conditions' column. The underlying 'problem' arises when these temporary bindings expire; they persist in the IAM view, potentially causing the list to grow significantly. Here's an example of an expired binding that remains visible in the IAM list:

[Screenshot, 2023-09-06: an expired temporary binding still listed in the IAM view]

I recall from a different issue thread that the intentional absence of a database was a deliberate design choice, driven by security considerations. A database would simplify the cleanup process. However, even though this issue is primarily related to the API and not the JIT tool, is there a way to address it within the application itself?

  • Could the application, for instance, store a local file to keep track of projects requiring cleanup?
  • Or could it publish project IDs to a Pub/Sub, allowing a background job to check for expired bindings?
  • Another possibility is for the application to retain this information in memory.

lnrdll avatar Sep 08 '23 21:09 lnrdll

You're right that expired IAM bindings cause some clutter. FWIW, the application does purge expired bindings if a user requests the same role again -- so there's a limit to how many of these expired role bindings you can possibly accumulate in an IAM policy.

> Or could it publish project IDs to a Pub/Sub, allowing a background job to check for expired bindings?

There was a PR attempting to do just that, but I'd have to follow up on what the status is.

jpassing avatar Sep 12 '23 01:09 jpassing

There's https://github.com/GoogleCloudPlatform/jit-access/pull/97, but I'd have to follow up on what the status is.

#154 will add Pub/Sub integration

jpassing avatar Sep 13 '23 05:09 jpassing

> There's #97, but I'd have to follow up on what the status is.
>
> #154 will add Pub/Sub integration

And after this Pub/Sub integration, I'm planning to provide a Pub/Sub consumer example to clean up the roles.

eeeeethan2333 avatar Sep 15 '23 02:09 eeeeethan2333
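The cleanup the thread is asking for, as an added example that is not part of the original issue and not the jit-access project's own code: a pruner that reads an IAM policy, finds conditional bindings whose time window has already closed, and returns a copy of the policy without them. The policy below is constructed for the example; the assumption that temporary bindings carry a `request.time < timestamp("...")` upper bound in their condition expression is mine, not something the thread states about jit-access, so adjust the regex to whatever expression your bindings actually use.

```python
import copy
import re
from datetime import datetime, timezone

# Constructed sample policy (not taken from the page). Policy version 3 is what
# getIamPolicy returns when you request conditional bindings.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwX-constructed-etag",
    "bindings": [
        # Permanent binding: no condition, must never be touched.
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
        # Temporary binding whose window closed on 2023-09-06 (expired).
        {
            "role": "roles/compute.admin",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "JIT access activation",
                "expression": '(request.time >= timestamp("2023-09-06T14:00:00Z") && '
                              'request.time < timestamp("2023-09-06T16:00:00Z"))',
            },
        },
        # Temporary binding that is still active (far-future end bound).
        {
            "role": "roles/compute.admin",
            "members": ["user:bob@example.com"],
            "condition": {
                "title": "JIT access activation",
                "expression": 'request.time < timestamp("2999-01-01T00:00:00Z")',
            },
        },
        # Conditional binding with no time bound: unparsable for our purposes, kept.
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:carol@example.com"],
            "condition": {
                "title": "Bucket scoped",
                "expression": 'resource.name.startsWith("projects/_/buckets/logs")',
            },
        },
    ],
}

# Assumed shape of the expiry clause in a temporary binding's CEL expression.
END_BOUND_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2023-09-06T16:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def binding_expiry(binding):
    """Return the end of a binding's time window, or None if it has no parsable end bound."""
    condition = binding.get("condition")
    if not condition:
        return None
    match = END_BOUND_RE.search(condition.get("expression", ""))
    return parse_ts(match.group(1)) if match else None


def is_expired(binding, now):
    """True only when the binding has an end bound and that bound is already in the past."""
    expiry = binding_expiry(binding)
    return expiry is not None and expiry <= now


def prune_expired_bindings(policy, now=None):
    """Return (cleaned_policy, removed_bindings). The input policy is left unmodified.

    Bindings without a condition, or whose condition has no recognisable end bound,
    are always kept: the pruner only removes what it can prove has expired.
    """
    now = now or datetime.now(timezone.utc)
    kept, removed = [], []
    for binding in policy.get("bindings", []):
        (removed if is_expired(binding, now) else kept).append(binding)
    cleaned = copy.deepcopy(policy)
    cleaned["bindings"] = copy.deepcopy(kept)
    return cleaned, removed


if __name__ == "__main__":
    cleaned, removed = prune_expired_bindings(SAMPLE_POLICY, parse_ts("2023-09-08T00:00:00Z"))
    for b in removed:
        print(f"would remove {b['role']} for {b['members']} (expired {binding_expiry(b)})")
    print(f"{len(cleaned['bindings'])} bindings remain, etag {cleaned['etag']} carried over")
```

In a real consumer (for example the Pub/Sub-driven job discussed above) the policy would come from `getIamPolicy` with `requestedPolicyVersion` set to 3, since older versions omit conditions, and the cleaned policy would go back through `setIamPolicy` with the same `etag` so that a concurrent grant made between the read and the write fails the write instead of being silently dropped. Because the pruner only removes bindings it can positively date as expired, a mis-matched expression format degrades to "nothing removed" rather than to revoking live access.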