{
	"id": "18ae31ee-72ef-4d55-8edb-f092f20c30df",
	"created_at": "2026-04-06T00:09:17.607328Z",
	"updated_at": "2026-04-10T03:21:24.284811Z",
	"deleted_at": null,
	"sha1_hash": "720da0bab9ca2ecce89f6114751c5b6e8797001b",
	"title": "Deploy or upgrade JIT Access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238024,
	"plain_text": "Deploy or upgrade JIT Access\r\nArchived: 2026-04-05 17:37:23 UTC\r\nThis article describes how you can deploy the Just-In-Time Access application (or JIT Access for short) to App\r\nEngine or Cloud Run.\r\nDeploying the Just-In-Time Access application to Cloud Run requires a more complex configuration than\r\ndeploying the application to App Engine. We therefore recommend that you use App Engine unless you're\r\ndeploying in a region\r\nthat doesn't support App Engine, or if you can't use App Engine for other reasons.\r\nThis section assumes that you are an administrator.\r\nhttps://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project\r\nPage 1 of 27\n\nConfigure your Google Cloud project\r\n1. In the Cloud Console, switch to your project and enable required APIs:\r\nEnable the Cloud Asset Inventory, Resource Manager, Identity-Aware Proxy, Container Registry, Cloud\r\nBuild, Identity and Access Management, and Directory APIs.\r\nEnable the APIs\r\nEnable the Cloud Asset Inventory, Resource Manager, Identity-Aware Proxy, Container Registry, Cloud\r\nRun, Compute Engine, Identity and Access Management, and Directory APIs.\r\nEnable the APIs\r\n2. Open Cloud Shell.\r\nOpen Cloud Shell\r\n3. Set an environment variable to contain your project ID:\r\ngcloud config set project PROJECT_ID\r\nReplace PROJECT_ID with the ID of your project.\r\n4. Create a service account for the Just-in-Time Access application:\r\nSERVICE_ACCOUNT=$(gcloud iam service-accounts create jitaccess --display-name \"Just-In-Time Access\" --fo\r\n5. 
Allow the application to create tokens using its service account by granting it the Service Account Token\r\nCreator role ( roles/iam.serviceAccountTokenCreator ):\r\ngcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/iam.serviceAccountTokenCreator\"\r\nThe application uses the permission to create tokens to access the Directory API and, optionally, to handle\r\nmulti-party approval workflows.\r\nGrant the Just-in-Time Access application permission to manage IAM bindings\r\nYou now grant the Project IAM Admin role to the application's service account. This role lets the Just-In-Time\r\nAccess application create temporary IAM bindings when it must grant just-in-time access.\r\nBecause the Project IAM Admin role is highly privileged, you must limit access to the application's service\r\naccount and to the project that contains it.\r\nUse the following guidelines:\r\nLimit the number of users that can access the project, and avoid granting any user the Owner or Editor\r\nrole.\r\nLimit the number of users that can impersonate the service account. The users who should be able to do\r\nthis impersonation include those who have the Service Account User role or the Service Account Token\r\nCreator role.\r\nTo grant the Project IAM Admin role to the service account, do the following:\r\n1. 
Grant the Project IAM Admin role ( roles/resourcemanager.projectIamAdmin ) and Cloud Asset Viewer\r\nrole ( roles/cloudasset.viewer ) to the part of your resource hierarchy that you want to manage just-in-time privileged access for:\r\nSCOPE_ID=RESOURCE_PROJECT_ID\r\nSCOPE_TYPE=projects\r\ngcloud projects add-iam-policy-binding $SCOPE_ID \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/resourcemanager.projectIamAdmin\" \\\r\n --condition None\r\ngcloud projects add-iam-policy-binding $SCOPE_ID \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/cloudasset.viewer\" \\\r\n --condition None\r\nReplace RESOURCE_PROJECT_ID with the ID of the Google Cloud project that you want to manage\r\naccess for. This project is a different one than the one you're deploying Just-In-Time Access to.\r\nSCOPE_ID=RESOURCE_FOLDER_ID\r\nSCOPE_TYPE=folders\r\ngcloud resource-manager folders add-iam-policy-binding $SCOPE_ID \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/resourcemanager.projectIamAdmin\" \\\r\n --condition None\r\ngcloud resource-manager folders add-iam-policy-binding $SCOPE_ID \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/cloudasset.viewer\" \\\r\n --condition None\r\nReplace RESOURCE_FOLDER_ID with the ID of the folder that contains the projects that you want to\r\nmanage access for.\r\nSCOPE_ID=ORGANIZATION_ID\r\nSCOPE_TYPE=organizations\r\ngcloud organizations add-iam-policy-binding $SCOPE_ID \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/resourcemanager.projectIamAdmin\" \\\r\n --condition None\r\ngcloud organizations add-iam-policy-binding $SCOPE_ID \\\r\n --member \"serviceAccount:$SERVICE_ACCOUNT\" \\\r\n --role \"roles/cloudasset.viewer\" \\\r\n --condition 
None\r\nReplace ORGANIZATION_ID with the ID of your organization.\r\nGrant access to allow the application to resolve group memberships\r\nThe Just-In-Time Access application lets you grant eligible access to a specific user or to an entire group. To\r\nevaluate group memberships, the application must be allowed to read group membership information from your\r\nCloud Identity or Google Workspace account.\r\nTo grant the application's service account access permission to read group memberships, do the following:\r\n1. Open the Admin Console and sign in as a super-admin user.\r\n2. Go to Account \u003e Admin Roles:\r\nGo to Admin Roles\r\n3. Click Groups Reader \u003e Admins.\r\n4. Click Assign service accounts.\r\n5. Enter the following email address:\r\njitaccess@PROJECT_ID.iam.gserviceaccount.com\r\nReplace PROJECT_ID with the ID of your Google Cloud project.\r\n6. Click Add.\r\n7. Click Assign role.\r\nLook up your Cloud Identity or Google Workspace account's customer ID\r\nTo evaluate group memberships using the Directory API, the Just-In-Time Access application needs your Cloud\r\nIdentity or Google Workspace account's customer ID. To look up this ID, do the following:\r\n1. In the Admin Console, go to Account \u003e Account settings:\r\nGo to Account settings\r\n2. Copy your account's customer ID. The customer ID starts with C .\r\nYou need the customer ID in a later step.\r\n3. Close the Admin Console.\r\nDeploy the application\r\nYou're now ready to deploy the Just-In-Time Access application to App Engine or Cloud Run.\r\nTo deploy the Just-In-Time Access application to App Engine, you perform the following steps.\r\n1. 
In Cloud Shell, set an environment variable to contain your Cloud Identity or Google Workspace account's\r\ncustomer ID:\r\nACCOUNT_CUSTOMER_ID=CUSTOMER_ID\r\nReplace CUSTOMER_ID with the customer ID you looked up before.\r\n2. Create an App Engine application:\r\ngcloud app create --region LOCATION\r\nReplace LOCATION with a supported App Engine location.\r\n3. Grant the App Engine default service account the Artifact Registry Create-on-push Writer\r\n( roles/artifactregistry.createOnPushWriter ) and Storage Admin ( roles/storage.admin ) roles to\r\nallow App Engine to use Artifact Registry.\r\nPROJECT_ID=$(gcloud config get-value core/project)\r\ngcloud projects add-iam-policy-binding $PROJECT_ID \\\r\n --member \"serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com\" \\\r\n --role \"roles/artifactregistry.createOnPushWriter\" \\\r\n --condition None\r\ngcloud projects add-iam-policy-binding $PROJECT_ID \\\r\n --member \"serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com\" \\\r\n --role \"roles/storage.admin\" \\\r\n --condition None\r\n4. Clone the GitHub repository and switch to the latest branch:\r\ngit clone https://github.com/GoogleCloudPlatform/jit-groups.git\r\ncd jit-groups/sources\r\ngit checkout latest\r\n5. Create a configuration file for the Just-In-Time Access application:\r\ncat \u003c\u003c EOF \u003e app.yaml\r\nruntime: java17\r\ninstance_class: F2\r\nservice_account: $SERVICE_ACCOUNT\r\nenv_variables:\r\n RESOURCE_SCOPE: $SCOPE_TYPE/$SCOPE_ID\r\n RESOURCE_CATALOG: AssetInventory\r\n RESOURCE_CUSTOMER_ID: $ACCOUNT_CUSTOMER_ID\r\n ACTIVATION_TIMEOUT: 60\r\n JUSTIFICATION_HINT: \"Bug or case number\"\r\n JUSTIFICATION_PATTERN: \".*\"\r\nEOF\r\nIn this configuration file, you can customize the values of the variables. 
For a list of settings, see the\r\nConfiguration options page in the associated GitHub repository.\r\n6. Deploy the application:\r\ngcloud app deploy --appyaml app.yaml\r\nTake note of the target url in the output. This will be the public URL of the Just-in-Time Access\r\napplication.\r\nIf you see the error message NOT_FOUND: Unable to retrieve P4SA , retry the command.\r\nTo deploy the Just-In-Time Access application to Cloud Run, you perform the following steps.\r\n1. In Cloud Shell, set an environment variable to contain your Cloud Identity or Google Workspace account's\r\ncustomer ID:\r\nACCOUNT_CUSTOMER_ID=CUSTOMER_ID\r\nReplace CUSTOMER_ID with the customer ID you looked up before.\r\n2. Select a region to deploy to:\r\ngcloud config set run/region REGION\r\nReplace REGION with a region that supports Cloud Run.\r\n3. Create a backend service:\r\ngcloud compute backend-services create jitaccess-backend \\\r\n --load-balancing-scheme=EXTERNAL \\\r\n --global\r\nYou later use this backend service to configure a load balancer and Identity-Aware Proxy.\r\n4. Clone the GitHub repository and switch to the latest branch:\r\ngit clone https://github.com/GoogleCloudPlatform/jit-groups.git\r\ncd jit-groups/sources\r\ngit checkout latest\r\n5. Build the application and push the container image to {{registry_name_short}}:\r\nPROJECT_ID=$(gcloud config get-value core/project)\r\ndocker build -t gcr.io/$PROJECT_ID/jitaccess:latest .\r\ndocker push gcr.io/$PROJECT_ID/jitaccess:latest\r\n6. 
Create a configuration file for the Just-In-Time Access application:\r\nPROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format 'value(projectNumber)')\r\nREGION=$(gcloud config get-value run/region)\r\nIAP_BACKEND_SERVICE_ID=$(gcloud compute backend-services describe jitaccess-backend --global --format 'va\r\ncat \u003c\u003c EOF \u003e app.yaml\r\napiVersion: serving.knative.dev/v1\r\nkind: Service\r\nmetadata:\r\n  name: jitaccess\r\n  namespace: $PROJECT_NUMBER\r\n  labels:\r\n    cloud.googleapis.com/location: $REGION\r\n  annotations:\r\n    run.googleapis.com/ingress: internal-and-cloud-load-balancing\r\nspec:\r\n  template:\r\n    spec:\r\n      serviceAccountName: $SERVICE_ACCOUNT\r\n      containers:\r\n      - image: gcr.io/$PROJECT_ID/jitaccess:latest\r\n        env:\r\n        - name: RESOURCE_SCOPE\r\n          value: \"$SCOPE_TYPE/$SCOPE_ID\"\r\n        - name: RESOURCE_CATALOG\r\n          value: \"AssetInventory\"\r\n        - name: RESOURCE_CUSTOMER_ID\r\n          value: \"$ACCOUNT_CUSTOMER_ID\"\r\n        - name: ACTIVATION_TIMEOUT\r\n          value: \"60\"\r\n        - name: JUSTIFICATION_HINT\r\n          value: \"Bug or case number\"\r\n        - name: JUSTIFICATION_PATTERN\r\n          value: \".*\"\r\n        - name: IAP_BACKEND_SERVICE_ID\r\n          value: \"$IAP_BACKEND_SERVICE_ID\"\r\nEOF\r\nIn this configuration file, you can customize the values of the variables. For a list of settings, see\r\nConfiguration options.\r\n7. Deploy the application:\r\ngcloud run services replace app.yaml\r\nConfigure a load balancer\r\nYou now configure a load balancer for the Just-In-Time Access application.\r\nApp Engine automatically configures the load balancer for you.\r\nConfigure an HTTPS load balancer for your Cloud Run service:\r\n1. 
Reserve a static external IP address\r\nfor the load balancer:\r\ngcloud compute addresses create jitaccess-ip --global\r\n2. Create a managed SSL certificate\r\nfor the load balancer:\r\ngcloud compute ssl-certificates create jitaccess \\\r\n --domains PUBLIC_FQDN \\\r\n --global\r\nwhere PUBLIC_FQDN is the public, fully qualified domain name (FQDN) that you want to use, for example\r\njitaccess.example.com .\r\n3. Look up the IP address of the load balancer:\r\ngcloud compute addresses describe jitaccess-ip \\\r\n --global \\\r\n --format=value\\(address\\)\r\n4. Create a DNS A record in your public DNS zone that points to the IP address of the load balancer. The\r\nfully qualified name of the DNS record must match the name that you used for the SSL certificate.\r\nNote: It can take multiple minutes or hours for the new DNS record to propagate. During this time, the\r\nmanaged SSL certificate can't be used. For details, see Troubleshooting Google-managed certificates.\r\n5. Create a serverless network endpoint group\r\nfor the Cloud Run service and connect it to the backend service:\r\ngcloud compute network-endpoint-groups create jitaccess \\\r\n --region $(gcloud config get-value run/region) \\\r\n --network-endpoint-type=serverless \\\r\n --cloud-run-service jitaccess\r\ngcloud compute backend-services add-backend jitaccess-backend \\\r\n --global \\\r\n --network-endpoint-group jitaccess \\\r\n --network-endpoint-group-region $(gcloud config get-value run/region)\r\n6. 
Create a load balancer frontend that uses the external IP address and forwards traffic to the backend\r\nservice:\r\ngcloud compute url-maps create jitaccess \\\r\n --default-service jitaccess-backend\r\ngcloud compute target-https-proxies create jitaccess-proxy \\\r\n --ssl-certificates jitaccess \\\r\n --url-map jitaccess\r\ngcloud compute forwarding-rules create jitaccess-https \\\r\n --load-balancing-scheme EXTERNAL \\\r\n --address jitaccess-ip \\\r\n --target-https-proxy jitaccess-proxy \\\r\n --global \\\r\n --ports=443\r\nConfigure Identity-Aware Proxy\r\nYou now configure Identity-Aware Proxy for the Just-In-Time Access application.\r\n1. In Cloud Shell, configure an OAuth consent screen:\r\ngcloud iap oauth-brands create \\\r\n --application_title \"Just-In-Time Access\" \\\r\n --support_email=$(gcloud config get core/account)\r\n2. In the Cloud Console, go to Security \u003e Identity-Aware Proxy.\r\nGo to Identity-Aware Proxy\r\n3. Set IAP to enabled.\r\nYou now must define which users are allowed to access the Just-In-Time Access application. You can grant access\r\nto individual users, to groups, or to an entire domain.\r\n1. In the Cloud Console, go to IAM \u0026 Admin \u003e IAM.\r\nGo to IAM\r\n2. Click Grant access and then set the following values:\r\n1. In the principals list, select a user, group, or domain.\r\n2. In the role list, select IAP-secured web app user.\r\nThe IAP-secured web app user role lets users open the Just-In-Time Access application, but the role\r\ndoesn't provide them access to any additional resources yet.\r\n3. 
Click Save.\r\nIt can take a few minutes for the role binding to take effect.\r\nThe Identity-Aware Proxy configuration is now complete.\r\nTo complete the Identity-Aware Proxy configuration, grant the Cloud Run Invoker role ( roles/run.invoker ) to\r\nthe service agent that's used by Identity-Aware Proxy:\r\nPROJECT_NUMBER=$(gcloud projects list \\\r\n --filter $(gcloud config get-value project) \\\r\n --format \"value(PROJECT_NUMBER)\")\r\ngcloud projects add-iam-policy-binding $(gcloud config get-value core/project) \\\r\n --member \"serviceAccount:service-$PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com\" \\\r\n --role \"roles/run.invoker\"\r\nTest Just-in-Time Access\r\nYou can now test the process of granting eligible access and the process of using the Just-In-Time Access\r\napplication to activate eligible access.\r\nGrant eligible access\r\nTo start, you grant eligible access to a second Cloud Identity or Google Workspace user.\r\n1. In the Cloud Console, use the project list to select a project that's part of the resource hierarchy that's\r\nmanaged by the Just-In-Time Access application.\r\n2. On the IAM page, click Grant access.\r\n3. Enter the email address of your second Cloud Identity or Google Workspace user and select a role such as\r\nProject \u003e Browser.\r\n4. Click Add condition.\r\n5. Enter a title such as Eligible for JIT access .\r\n6. Select Condition editor and then enter the following CEL expression:\r\nhas({}.jitAccessConstraint)\r\n7. Save your changes.\r\nActivate access\r\nNow you can switch users and request temporary access to a resource.\r\n1. Open an incognito browser window and navigate to the URL of the Just-In-Time Access application that\r\nyou noted earlier.\r\n2. Sign in as the user that you've granted eligible access to.\r\n3. 
In the Just-In-Time Access application, select a role and resource that you want to activate access for.\r\n4. Enter a justification such as testing and then click Request access.\r\nOn the next page, notice that your access has temporarily been activated.\r\nAnalyze logs\r\nYou can now switch back to your administrative user and review the log.\r\n1. In the Cloud Console, go to Logging \u003e Logs Explorer.\r\nGo to Cloud Logging\r\n2. Set Show query to enabled.\r\n3. Enter the following query:\r\nlabels.event=\"api.activateRole\"\r\n4. Click Run query.\r\nThe output is similar to the following:\r\n{\r\n\"textPayload\": \"User EMAIL activated role 'ROLE' on '//cloudresourcemanager.googleapis.com/projects/PROJE\r\n\"severity\": \"INFO\",\r\n\"labels\": {\r\n \"resource\": \"//cloudresourcemanager.googleapis.com/projects/PROJECT_ID\",\r\n \"event\": \"api.activateRole\",\r\n \"role\": \"ROLE\",\r\n \"clone_id\": \"00c6...\",\r\n \"user\": \"EMAIL\",\r\n \"justification\": \"testing\",\r\n ...\r\n },\r\n...\r\n}\r\nNotice that a log record has been created for each role you activated. The log record includes a set of labels\r\nthat you can use to create custom filters.\r\nUpgrade Just-in-Time Access\r\nThis section describes how you can upgrade an existing Just-In-Time Access deployment to use a newer version of\r\nthe application, or to use a different configuration.\r\nThis section assumes that you are an administrator.\r\n1. In the Cloud Console, switch to your project and then open Cloud Shell.\r\nOpen Cloud Shell\r\n2. Set an environment variable to contain your project ID:\r\ngcloud config set project PROJECT_ID\r\nReplace PROJECT_ID with the ID of your project.\r\n3. 
Clone the GitHub repository and switch to the latest branch:\r\ngit clone https://github.com/GoogleCloudPlatform/jit-groups.git\r\ncd jit-groups/sources\r\ngit checkout latest\r\n4. Download the configuration file that you used previously to deploy the application and save it to a file\r\napp.yaml :\r\nAPPENGINE_VERSION=$(gcloud app versions list --service default --hide-no-traffic --format \"value(version\r\nAPPENGINE_APPYAML_URL=$(gcloud app versions describe $APPENGINE_VERSION --service default --format \"value\r\ncurl -H \"Authorization: Bearer $(gcloud auth print-access-token)\" $APPENGINE_APPYAML_URL -o app.yaml\r\ncat app.yaml\r\nIf downloading the file app.yaml fails, you can download your current configuration in the Cloud\r\nConsole.\r\ngcloud config set run/region REGION\r\ngcloud run services describe jitaccess --format yaml \u003e app.yaml\r\nReplace REGION with the region that contains your existing Cloud Run deployment.\r\n5. If you want to make changes to your configuration, edit the app.yaml file. For a list of settings, see the\r\nConfiguration options page in the associated GitHub repository.\r\n6. 
Deploy the application:\r\nsed -i 's/java11/java17/g' app.yaml\r\ngcloud app deploy --appyaml app.yaml\r\nPROJECT_ID=$(gcloud config get-value core/project)\r\ndocker build -t gcr.io/$PROJECT_ID/jitaccess:latest .\r\ndocker push gcr.io/$PROJECT_ID/jitaccess:latest\r\nIMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' gcr.io/$PROJECT_ID/jitaccess)\r\nsed -i \"s|image:.*|image: $IMAGE|g\" app.yaml\r\ngcloud run services replace app.yaml\r\nWhat's next\r\nConfigure multi-party approval.\r\nLearn how you can use context-aware access to secure access to Just-In-Time Access.\r\nRead more about IAM conditions.\r\nConfigure a custom domain for the Just-In-Time Access application.\r\nSource: https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project"
	],
	"report_names": [
		"manage-just-in-time-privileged-access-to-project"
	],
	"threat_actors": [],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/720da0bab9ca2ecce89f6114751c5b6e8797001b.pdf",
		"text": "https://archive.orkl.eu/720da0bab9ca2ecce89f6114751c5b6e8797001b.txt",
		"img": "https://archive.orkl.eu/720da0bab9ca2ecce89f6114751c5b6e8797001b.jpg"
	}
}