Privileged Access Management
Background
By default, GitLab Team Members have no access to GCP resources created by the Runway provisioner. PAM (Privileged Access Management) allows users to temporarily escalate their access by requesting an entitlement for a given duration.
When to escalate
Refer to the cells breakglass documentation on when to escalate.
Who can escalate
By default, the following groups are able to escalate:
- group:[email protected] for project_read
- group:[email protected] for project_read, project_admin and breakglass
- group:[email protected] for project_read, project_admin and breakglass
- group:[email protected] for project_read, project_admin and breakglass
Refer to the provisioner for the default list of principals.
Service owners can configure additional principals by using the pam_config field when configuring the GCP project group in the inventory.yml.
How to escalate
Google provides guides to request access through the console and through the gcloud CLI.
PROJECT_GROUP refers to the name set in the gcp_project_groups field of the inventory.yml of the provisioner project. ENV is either stg for staging or prod for production.
Search for valid entitlements with gcloud:

gcloud pam entitlements search \
  --caller-access-type=grant-requester \
  --location=global \
  --project=gitlab-runway-${PROJECT_GROUP}-${ENV}
project_read
This entitlement provides the ability to view resources within a project scope, for example viewing the Cloud Run console for metrics and logs.
This entitlement grants the default project_read roles and additional runway-related roles.
- Get access with gcloud:

gcloud pam grants create \
  --entitlement=readonly-entitlement-gitlab-runway-topo-svc-stg \
  --requested-duration="3600s" \
  --justification="$ISSUE_LINK" \
  --location=global \
  --project=gitlab-runway-${PROJECT_GROUP}-${ENV}
project_admin
Admin access provides the typical operational abilities needed to manage Runway infrastructure. This level of access requires an approver and typically also links to an issue detailing why the access is required.
We should prefer making changes through IaC wherever possible.
This entitlement grants the default project_read roles, additional Runway-related read-only roles, and Runway-related read-write roles.
- Get access with gcloud:

gcloud pam grants create \
  --entitlement=readwrite-entitlement-gitlab-runway-topo-svc-stg \
  --requested-duration="3600s" \
  --justification="$ISSUE_LINK" \
  --location=global \
  --project=gitlab-runway-${PROJECT_GROUP}-${ENV}
breakglass
Breakglass provides the same level of access as the project_admin entitlement. It should only be used as a last resort during incident response, when team member availability is low and the escalation is needed to speed up the response.
- Get access with gcloud:

gcloud pam grants create \
  --entitlement=breakglass-entitlement-gitlab-runway-topo-svc-stg \
  --requested-duration="3600s" \
  --justification="$ISSUE_LINK" \
  --location=global \
  --project=gitlab-runway-${PROJECT_GROUP}-${ENV}
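The three grant requests above differ only in the entitlement ID, so a small wrapper that validates the inputs and assembles the command for any of the levels is a useful companion to this page. The script below is an added example, not part of Runway's tooling. It assumes that entitlement IDs follow the pattern visible in the page's examples (readonly-, readwrite- or breakglass-entitlement-gitlab-runway-PROJECT_GROUP-ENV; confirm with the search command before relying on it) and that a justification is a GitLab issue link. The functions print the gcloud command rather than running it, so the output can be reviewed and then piped to sh.

```shell
#!/bin/sh
# Added example (not Runway's own tooling): assemble the gcloud PAM commands
# from this page for any of the three entitlement levels, with the input checks
# a requester would want before submitting a grant.
#
# Assumptions not stated on the page:
#   * Entitlement IDs follow the pattern seen in the page's examples:
#       <readonly|readwrite|breakglass>-entitlement-gitlab-runway-<PROJECT_GROUP>-<ENV>
#     Confirm with `gcloud pam entitlements search` before relying on it.
#   * A justification must be a GitLab issue link (https://gitlab.com/...).

# Map an entitlement level to its entitlement ID prefix (returns 1 if unknown).
entitlement_prefix() {
  case "$1" in
    project_read)  echo "readonly-entitlement" ;;
    project_admin) echo "readwrite-entitlement" ;;
    breakglass)    echo "breakglass-entitlement" ;;
    *)             return 1 ;;
  esac
}

# ENV is limited to the two values the page allows.
valid_env() {
  case "$1" in
    stg|prod) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print the search command that lists entitlements the caller may request.
# Usage: runway_pam_search_cmd PROJECT_GROUP ENV
runway_pam_search_cmd() {
  valid_env "$2" || { echo "ENV must be stg or prod, got: $2" >&2; return 1; }
  printf 'gcloud pam entitlements search --caller-access-type=grant-requester --location=global --project=gitlab-runway-%s-%s\n' "$1" "$2"
}

# Print the grant request for one entitlement level.
# Usage: runway_pam_grant_cmd LEVEL PROJECT_GROUP ENV ISSUE_LINK [DURATION]
# DURATION defaults to the 3600s used on the page and must be "<seconds>s".
runway_pam_grant_cmd() {
  level=$1; group=$2; env=$3; issue=$4; duration=${5:-3600s}
  prefix=$(entitlement_prefix "$level") || {
    echo "unknown level '$level' (expected project_read, project_admin or breakglass)" >&2
    return 1
  }
  valid_env "$env" || { echo "ENV must be stg or prod, got: $env" >&2; return 1; }
  case "$issue" in
    https://gitlab.com/*) ;;
    *) echo "justification must be a GitLab issue link, got: '$issue'" >&2; return 1 ;;
  esac
  # Duration must be digits followed by a trailing "s" (e.g. 3600s).
  secs=${duration%s}
  if [ "$secs" = "$duration" ] || [ -z "$secs" ]; then
    echo "duration must look like 3600s, got: '$duration'" >&2; return 1
  fi
  case "$secs" in
    *[!0-9]*) echo "duration must look like 3600s, got: '$duration'" >&2; return 1 ;;
  esac
  # Reminders taken from the page's description of each level.
  case "$level" in
    project_admin) echo "note: project_admin grants require an approver" >&2 ;;
    breakglass)    echo "note: breakglass is a last resort for incident response with low team availability" >&2 ;;
  esac
  printf 'gcloud pam grants create --entitlement=%s-gitlab-runway-%s-%s --requested-duration="%s" --justification="%s" --location=global --project=gitlab-runway-%s-%s\n' \
    "$prefix" "$group" "$env" "$duration" "$issue" "$group" "$env"
}

# Usage example with constructed values (topo-svc is the project group seen in the page's commands):
#   runway_pam_search_cmd topo-svc stg
#   runway_pam_grant_cmd project_read topo-svc stg "$ISSUE_LINK" | sh
```

Because the entitlement ID pattern is an assumption, the safest workflow is to run the search command first and compare the IDs it returns with what the wrapper generates; if they differ, adjust entitlement_prefix rather than the grant call.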