Releases: GoogleCloudPlatform/jit-groups

2.1.0

20 Sep 00:49
32ce34d

This release of JIT Groups introduces the following new features for managing policies:

  • You can now configure groups to grant folder- or organization-level access.
  • Access control lists now support the following additional principal identifiers:
    • domain:DOMAIN to grant (or deny) access to all users of a specific Cloud Identity/Workspace account
    • class:internalUsers: to grant (or deny) access to all users of your Cloud Identity/Workspace account
    • class:externalUsers: to deny access to all external users, including consumer accounts

The release also improves the user interface:

  • The user interface now includes links to view group details in the Cloud Console, Admin Console, or Google Groups, and a link to the group's audit log.
  • When viewing a policy document, JIT Groups now returns the original document -- including its original formatting and comments.
  • When validating a policy document, JIT Groups now lints your IAM conditions and verifies the names of predefined roles.

In addition, the release includes several stability improvements and fixes, including:

  • Notification emails now render properly in classic Outlook

To deploy or upgrade JIT Groups in your environment, see Deploy JIT Groups and use the branch jitgroups/latest. To upgrade from an older version of JIT Access, see Upgrade from JIT Access.

2.0.0

27 Aug 23:43
d491d56

This is the initial release of JIT Groups, an application that lets you implement secure, self-service access management for Google Cloud using groups. JIT Groups is based on, and supersedes, JIT Access.

Note: To maintain backward compatibility, the latest branch continues to point to the last JIT Access release, which is currently 1.8.1. To deploy the latest JIT Groups release, use the branch jitgroups/latest.

1.8.1

07 Aug 23:37
f9170d7

This release of Just-in-Time Access introduces the following new feature:

In addition, the release includes several stability improvements and fixes, including:

  • Long role names weren't properly wrapped in notification emails. #439
  • When initiating a multi-party approval request, JIT Access now checks whether the selected reviewer holds the requested role at the time of request. This is in addition to the existing check that's performed at the time of approval. #421

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.8.0

14 May 00:18
dbf2afc

This release of Just-in-Time Access introduces the following new feature:

  • Resource conditions: You can now specify additional resource conditions when granting eligible access to a project. Resource conditions are IAM conditions that let you limit the set of resources a role should apply to. (#66, co-authored by @rialg)

In addition, the release includes several stability improvements and fixes, including:

  • Requesting multi-party approval for a role failed if ACTIVATION_TIMEOUT was set to 50 or below (#378)

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.7.0

26 Mar 01:31
762d035

This release of Just-in-Time Access introduces the following new features:

  • New UI: JIT Access now uses a new, Material 3-based user interface.

  • Expiry of activated roles: For activated roles, the user interface now indicates how much time you have left before the activation expires.

  • Extending access: When you need a role for longer than originally anticipated, you can now request to extend your access. (#141)

  • Health check endpoints: The application now implements liveness and readiness endpoints that you can use to monitor the application. (#320)

  • Email address rewriting: You can now customize how JIT Access determines the email address for users by configuring a CEL function. This feature lets you deploy multi-party approval in environments where users have email addresses that differ from their Google usernames. (inspired by @mvo-dev)

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.6.0

08 Jan 22:45
1218fb6

This release of Just-in-Time Access introduces the following new features:

  • You can now use JIT Access without the Policy Analyzer API. (#193)

    Previous versions of JIT Access exclusively relied on the Policy Analyzer API to find eligible role bindings. To better support environments that can't use the Policy Analyzer API because of quota restrictions, JIT Access 1.6 introduces an alternate catalog implementation, AssetInventory, that uses the effectiveIamPolicies.batchGet API instead.

    For more information about switching between catalog implementations, see Configure catalogs.

  • The list of roles in the user interface is now sorted and the UI better adapts to the window size of your browser.

    This feature was contributed by @abdolence in #213.

  • Improved performance for activating multiple roles at once. (#221)

In addition, the release includes several stability improvements and fixes, including:

  • Approving requests failed for users that were both JIT- and MPA-eligible for the requested role (b/295100577).

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.5.0

06 Dec 21:40
b6e35e5

This release of Just-in-Time Access introduces the following new features:

  • You can now let JIT Access publish notification messages to Pub/Sub when certain events occur. Other applications can consume these messages to implement additional logic, such as posting to chat rooms or triggering custom workflows.

    This feature was contributed by @eeeeethan2333, @mjstatham, and @zhangran1.

  • You can now modify the behavior of the project-autocompleter and let it perform a search instead of a Policy Analyzer query to determine suggestions. This method results in non-personalized suggestions, but can be significantly faster.

    This feature was contributed by @abdolence in #201.

  • You can now adjust the maximum number of roles that users can activate at once by using the ACTIVATION_REQUEST_MAX_ROLES configuration option. Previously, the number of roles was limited to 10.

  • Audit log messages now include the duration for which a role has been activated.

    This feature was contributed by @bschaatsbergen in #187.

  • The Open console button on the confirmation page now links to the project for which you activated a role.

    This feature was contributed by @patriknordlen in #161.

In addition, the release includes several stability improvements and fixes, including:

  • When calling the Policy Analyzer API, the application used a fixed timeout of 20 seconds. This timeout proved to be too short in certain cases. You can now customize these timeouts.
  • The container used in Cloud Run now uses Debian 12 (contributed by @SCKelemen) and performs a clean build (contributed by @hahomdal in #160).

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.4.1

18 Aug 00:41
5fffbac

This release of Just-in-Time Access introduces the following new features:

  • You can now configure the maximum number of roles that users can activate at once by configuring ACTIVATION_REQUEST_MAX_ROLES. Previously, JIT Access only allowed users to activate 10 roles at a time. (#83)
  • You can link to JIT Access and have it preselect a project by adding a query parameter projectId= to the URL. (#130)
  • The dialog step for selecting approvers now includes a select all option. (#59)
  • The footer now shows the version number of the application. (#130)

In addition, the release includes several stability improvements and fixes, including:

  • When deployed on Cloud Run, links in approval emails used http:// instead of https://
  • When attempting to activate a role that is defined outside the scope of JIT Access or can't be granted on a project, JIT Access showed a generic, non-actionable error.

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.4.0

19 Apr 00:16
784c285

Release 1.4 of Just-in-Time Access introduces the following new features:

  • The user interface now lets you select all roles or all peers with a single click (#59)
  • You can now choose the duration for which to activate a role, between 5 minutes and the maximum duration specified by ACTIVATION_TIMEOUT (#52)
  • For roles that require multi-party approval, you can now configure a minimum and maximum number of reviewers that users must include in the approval process (see ACTIVATION_REQUEST_MIN_REVIEWERS, ACTIVATION_REQUEST_MAX_REVIEWERS) (#55)
  • Instead of configuring SMTP credentials in clear-text, you can now configure JIT Access to read the credentials from Secret Manager (see SMTP_SECRET) (#50)

In addition, the release includes several stability improvements and fixes, including:

  • When using multi-party approval, approving a request failed if you previously activated the same role for yourself.

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.

1.3.0

06 Mar 04:04
a0c61ed

This is release 1.3 of Just-in-Time Access.

This release introduces the following new features:

  • Deploy on Cloud Run: JIT Access now supports both Cloud Run and App Engine as deployment targets. (Contributed by adriantr).

In addition, the release includes several stability improvements and fixes, including:

  • The application now handles empty IAM conditions correctly (Fix contributed by es)
  • When a role is granted twice (with the same or different constraints), the application now properly removes duplicates.

For instructions on deploying or upgrading JIT Access, see Manage just-in-time privileged access to projects on the Google Cloud website.

Note: The latest branch always contains the latest release. Avoid using the master branch as it might contain changes that aren't ready for use yet.