How to request access to Google Cloud resources via Entitle:
Entitle is available through a Slack integration as well as a web interface.
Web Interface
- The webapp is available here
- You can log in with your Google Workspace account
- Clicking “New Request” in the top left corner takes you to the request form
- Please see the request form details below
Slack Interface
- The Slack interface is available by typing /entitle or /access_request in any Slack window
There are three types of requests in the form.
Search for Permission Request:
This search engine allows you to lookup roles and resources without having to specify the application or integration that the role/resource belongs to.
- Issuing the Slack command opens the request popup; the web interface shows the same form
- “Search for Permission” is the default request type
- “Search Permission”: this is where you type the search terms for your request:
  - Type a project name to see which Roles you can request on it
  - Type a particular Role to see which resources you can request it on
  - Combine a Role and a Project to narrow down your search
- Permission Duration: the amount of time you need this access for. Once that period ends the permissions are revoked automatically, so access does not outlive the task it was granted for.
- Add Justification: this is a very important step. Without a proper justification your request will be denied, and the justification is required for audit and reporting purposes. Please reference a customer ticket, a Jira ticket, or any other relevant information that justifies your need for access to the resource.
NOTE: this feature is still in beta, so results may vary. If you do not see the expected results, please use one of the other two request methods.
Permission Sets Request:
Permission Sets (also called Bundles) are Entitle’s way of grouping the permissions needed for a certain task. They are custom built based on team requests and frequency of use. To request a custom-built set, please reach out to the Security team. To request permissions via a Bundle, follow these steps:
- Issue the /entitle or /access_request command in Slack and choose Permission Sets from the Request Type dropdown, or click “I want a permission set” at the bottom of the web interface form
- “Permission set category” is optional but narrows the list of available Bundles. Leave this field blank to see all available Bundles
- “Permission Set”: a custom-built group of permissions for easy request submission. These exist so that a teammate who needs access to multiple resources for a particular task can request them in one submission rather than making multiple requests. If a Permission Set describes the type of access you require, select it
- If none fits your need and you think you would benefit from a custom Permission Set, please reach out to the Security team
- Permission Duration: the amount of time you need this access for. Once that period ends the permissions are revoked automatically, so access does not outlive the task it was granted for.
- Add Justification: this is a very important step. Without a proper justification your request will be denied, and the justification is required for audit and reporting purposes. Please reference a customer ticket, a Jira ticket, or any other relevant information that justifies your need for access to the resource.
Specific Permission Request:
This option allows granular access requests scoped to only the data or instances you need. To request permission on a specific resource, follow these steps:
- Issue the /entitle or /access_request command in Slack and choose Specific Permission from the Request Type dropdown, or click “I want a specific permission” at the bottom of the web interface form
- Next, choose the integration you need access to. The options shown depend on your team and division; this guide focuses on GCP, where you have two options:
  - GCP Development Projects: all projects not containing customer data
  - GCP Production Projects: customer instances and other production-level projects
- Resource Type: a list of the resource types available for the chosen integration. For GCP you will see options such as “projects”, “instances” and “buckets”. This dropdown is optional but narrows down the search results
- Resource: this is where you choose the resource you want access to. It can be a project, a bucket, a sql_instance, or an instance, among other options. The dropdown has a scroll limit, so searching by the name of the project the resource lives in makes it easier to find the correct resource
- Role: for GCP this lists all the roles that can be assigned to you on the chosen resource. Again, search for the role you think you need on the resource to narrow the list. You can find more information on GCP Roles here
- Grant Method: choose “direct”
- Permission Duration: the amount of time you need this access for. Once that period ends the permissions are revoked automatically, so access does not outlive the task it was granted for.
- Add Justification: this is a very important step. Without a proper justification your request will be denied, and the justification is required for audit and reporting purposes. Please reference a customer ticket, a Jira ticket, or any other relevant information that justifies your need for access to the resource.
FAQ
How do I start using Entitle?
- Just type “/entitle” into a Slack message to get started
How do I know which project is where?
- Here is the project mapping. For access to Cloud (Managed Instances), please visit go/cloud-ops
- Please let the Security team know if a project you need is missing from the mapping
What if there is an incident and I need access?
- In case of an incident or on-call access request, please submit the access request and then reach out to the Security team via our incident response process outlined here
Which applications can I request access to via Entitle?
- Currently we use Entitle to request permissions to:
  - Google Cloud
  - GitHub
  - Okta
  - Managed instance UI access
How do I break glass if I run into problems with Entitle?
- For members of the Cloud, DevInfra and Security teams, the Slack command break-glass is available to grant 1h of SG_Editor access in specific GCP folders. You can find more information here.
If my team uses a group of permissions regularly, how can these be requested more easily?
- Contact the Security team to create a Bundle (Permission Set) for those permissions
I want access to a project in our “Engineering Projects” folder. How do I do that?
- Engineering projects are all development projects, so you will find them under the “Google Cloud Development Projects” integration in the Resource Access Request flow.
I want access to a Customer Instance, how do I request it?
- Customer instances contain sensitive customer data. They are considered our production projects and can be found under the “Google Cloud Production Projects” integration in the Resource Access Request flow.
- Due to the sensitive nature of the request, approval will rely heavily on the justification provided, so please ensure that you have the right use case for requesting this access.
How do I renew a request that has expired?
- The Entitle app’s Slack channel shows your requests and their expirations. You can hit Renew on an expired permission request to re-request it.
- The Entitle webapp keeps a history of all your requests in the “My Requests” section. You can renew a past request from the right-most column on that page.
What if I run into an error in Entitle?
- Please reach out to #security with the error and we can help resolve it
If I didn’t get the requested permissions after approval, what should I do?
- In the Entitle web interface you can see the full log of where your request is in the process.
- If there is an error and a request seems stuck, we still have Terraform available as a failover for provisioning access. Please follow the handbook steps regarding Terraform changes.