google-cloud-privileged_access_manager 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +79 -2
- data/lib/google/cloud/privileged_access_manager/version.rb +1 -1
- data/lib/google/cloud/privileged_access_manager.rb +36 -0
- metadata +4 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '082cc8bd6142ee56e0b49bce290fb9adc073279c78c38abc8eeaa8dff9cdd43a'
|
|
4
|
+
data.tar.gz: 54d5be3547a885309a0a6dccfcd59c486b42790276db2fc2017520fcdec282e9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 066f3225008176df73149e5fb3e15adc607c3b1f5f21affc44b27ca2bc71e734c347b801f9a78359aaebcab9229fed93523248de968d68eb1bfbab4cb2c2761c
|
|
7
|
+
data.tar.gz: 5372c9bff80ad318497b5adb50ca49c02fe6672de683e97e9547ac729383560097be2aff8b7b0c68425a0024bd76ce3bdbd469a66d859594416f9cf96e7aa362
|
data/README.md
CHANGED
|
@@ -2,7 +2,54 @@
|
|
|
2
2
|
|
|
3
3
|
Privileged Access Manager (PAM) helps you on your journey towards least privilege and helps mitigate risks tied to privileged access misuse or abuse. PAM allows you to shift from always-on standing privileges towards on-demand access with just-in-time, time-bound, and approval-based access elevations. PAM allows IAM administrators to create entitlements that can grant just-in-time, temporary access to any resource scope. Requesters can explore eligible entitlements and request the access needed for their task. Approvers are notified when approvals await their decision. Streamlined workflows facilitated by using PAM can support various use cases, including emergency access for incident responders, time-boxed access for developers for critical deployment or maintenance, temporary access for operators for data ingestion and audits, JIT access to service accounts for automated tasks, and more.
|
|
4
4
|
|
|
5
|
-
## Overview
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
Privileged Access Manager (PAM) is a Google Cloud native, managed solution
|
|
8
|
+
to secure, manage and audit privileged access while ensuring operational
|
|
9
|
+
velocity and developer productivity.
|
|
10
|
+
|
|
11
|
+
PAM enables just-in-time, time-bound, approval-based access elevations,
|
|
12
|
+
and auditing of privileged access elevations and activity. PAM lets you
|
|
13
|
+
define the rules of who can request access, what they can request access
|
|
14
|
+
to, and if they should be granted access with or without approvals based
|
|
15
|
+
on the sensitivity of the access and emergency of the situation.
|
|
16
|
+
|
|
17
|
+
## Concepts
|
|
18
|
+
|
|
19
|
+
### Entitlement
|
|
20
|
+
|
|
21
|
+
An entitlement is an eligibility or license that allows specified users
|
|
22
|
+
(requesters) to request and obtain access to specified resources subject
|
|
23
|
+
to a set of conditions such as duration, etc. entitlements can be granted
|
|
24
|
+
to both human and non-human principals.
|
|
25
|
+
|
|
26
|
+
### Grant
|
|
27
|
+
|
|
28
|
+
A grant is an instance of active usage against the entitlement. A user can
|
|
29
|
+
place a request for a grant against an entitlement. The request may be
|
|
30
|
+
forwarded to an approver for their decision. Once approved, the grant is
|
|
31
|
+
activated, ultimately giving the user access (roles/permissions) on a
|
|
32
|
+
resource per the criteria specified in entitlement.
|
|
33
|
+
|
|
34
|
+
### How does PAM work
|
|
35
|
+
|
|
36
|
+
PAM creates and uses a service agent (Google-managed service account) to
|
|
37
|
+
perform the required IAM policy changes for granting access at a
|
|
38
|
+
specific
|
|
39
|
+
resource/access scope. The service agent requires getIAMPolicy and
|
|
40
|
+
setIAMPolicy permissions at the appropriate (or higher) access scope
|
|
41
|
+
-
|
|
42
|
+
Organization/Folder/Project to make policy changes on the resources listed
|
|
43
|
+
in PAM entitlements.
|
|
44
|
+
|
|
45
|
+
When enabling PAM for a resource scope, the user/ principal performing
|
|
46
|
+
that action should have the appropriate permissions at that resource
|
|
47
|
+
scope
|
|
48
|
+
(resourcemanager.\\{projects|folders|organizations}.setIamPolicy,
|
|
49
|
+
resourcemanager.\\{projects|folders|organizations}.getIamPolicy, and
|
|
50
|
+
resourcemanager.\\{projects|folders|organizations}.get) to list and grant
|
|
51
|
+
the service agent/account the required access to perform IAM policy
|
|
52
|
+
changes.
|
|
6
53
|
|
|
7
54
|
Actual client classes for the various versions of this API are defined in
|
|
8
55
|
_versioned_ client gems, with names of the form `google-cloud-privileged_access_manager-v*`.
|
|
@@ -34,9 +81,39 @@ In order to use this library, you first need to go through the following steps:
|
|
|
34
81
|
1. [Enable the API.](https://console.cloud.google.com/apis/library/privilegedaccessmanager.googleapis.com)
|
|
35
82
|
1. {file:AUTHENTICATION.md Set up authentication.}
|
|
36
83
|
|
|
84
|
+
## Debug Logging
|
|
85
|
+
|
|
86
|
+
This library comes with opt-in Debug Logging that can help you troubleshoot
|
|
87
|
+
your application's integration with the API. When logging is activated, key
|
|
88
|
+
events such as requests and responses, along with data payloads and metadata
|
|
89
|
+
such as headers and client configuration, are logged to the standard error
|
|
90
|
+
stream.
|
|
91
|
+
|
|
92
|
+
**WARNING:** Client Library Debug Logging includes your data payloads in
|
|
93
|
+
plaintext, which could include sensitive data such as PII for yourself or your
|
|
94
|
+
customers, private keys, or other security data that could be compromising if
|
|
95
|
+
leaked. Always practice good data hygiene with your application logs, and follow
|
|
96
|
+
the principle of least access. Google also recommends that Client Library Debug
|
|
97
|
+
Logging be enabled only temporarily during active debugging, and not used
|
|
98
|
+
permanently in production.
|
|
99
|
+
|
|
100
|
+
To enable logging, set the environment variable `GOOGLE_SDK_RUBY_LOGGING_GEMS`
|
|
101
|
+
to the value `all`. Alternatively, you can set the value to a comma-delimited
|
|
102
|
+
list of client library gem names. This will select the default logging behavior,
|
|
103
|
+
which writes logs to the standard error stream. On a local workstation, this may
|
|
104
|
+
result in logs appearing on the console. When running on a Google Cloud hosting
|
|
105
|
+
service such as [Google Cloud Run](https://cloud.google.com/run), this generally
|
|
106
|
+
results in logs appearing alongside your application logs in the
|
|
107
|
+
[Google Cloud Logging](https://cloud.google.com/logging/) service.
|
|
108
|
+
|
|
109
|
+
Debug logging also requires that the versioned clients for this service be
|
|
110
|
+
sufficiently recent, released after about Dec 10, 2024. If logging is not
|
|
111
|
+
working, try updating the versioned clients in your bundle or installed gems:
|
|
112
|
+
[google-cloud-privileged_access_manager-v1](https://cloud.google.com/ruby/docs/reference/google-cloud-privileged_access_manager-v1/latest).
|
|
113
|
+
|
|
37
114
|
## Supported Ruby Versions
|
|
38
115
|
|
|
39
|
-
This library is supported on Ruby
|
|
116
|
+
This library is supported on Ruby 3.0+.
|
|
40
117
|
|
|
41
118
|
Google provides official support for Ruby versions that are actively supported
|
|
42
119
|
by Ruby Core—that is, Ruby versions that are either in normal maintenance or
|
|
@@ -58,6 +58,11 @@ module Google
|
|
|
58
58
|
# You can also specify a different transport by passing `:rest` or `:grpc` in
|
|
59
59
|
# the `transport` parameter.
|
|
60
60
|
#
|
|
61
|
+
# Raises an exception if the currently installed versioned client gem for the
|
|
62
|
+
# given API version does not support the given transport of the PrivilegedAccessManager service.
|
|
63
|
+
# You can determine whether the method will succeed by calling
|
|
64
|
+
# {Google::Cloud::PrivilegedAccessManager.privileged_access_manager_available?}.
|
|
65
|
+
#
|
|
61
66
|
# ## About PrivilegedAccessManager
|
|
62
67
|
#
|
|
63
68
|
# This API allows customers to manage temporary, request based privileged
|
|
@@ -98,6 +103,37 @@ module Google
|
|
|
98
103
|
service_module.const_get(:Client).new(&block)
|
|
99
104
|
end
|
|
100
105
|
|
|
106
|
+
##
|
|
107
|
+
# Determines whether the PrivilegedAccessManager service is supported by the current client.
|
|
108
|
+
# If true, you can retrieve a client object by calling {Google::Cloud::PrivilegedAccessManager.privileged_access_manager}.
|
|
109
|
+
# If false, that method will raise an exception. This could happen if the given
|
|
110
|
+
# API version does not exist or does not support the PrivilegedAccessManager service,
|
|
111
|
+
# or if the versioned client gem needs an update to support the PrivilegedAccessManager service.
|
|
112
|
+
#
|
|
113
|
+
# @param version [::String, ::Symbol] The API version to connect to. Optional.
|
|
114
|
+
# Defaults to `:v1`.
|
|
115
|
+
# @param transport [:grpc, :rest] The transport to use. Defaults to `:grpc`.
|
|
116
|
+
# @return [boolean] Whether the service is available.
|
|
117
|
+
#
|
|
118
|
+
def self.privileged_access_manager_available? version: :v1, transport: :grpc
|
|
119
|
+
require "google/cloud/privileged_access_manager/#{version.to_s.downcase}"
|
|
120
|
+
package_name = Google::Cloud::PrivilegedAccessManager
|
|
121
|
+
.constants
|
|
122
|
+
.select { |sym| sym.to_s.downcase == version.to_s.downcase.tr("_", "") }
|
|
123
|
+
.first
|
|
124
|
+
return false unless package_name
|
|
125
|
+
service_module = Google::Cloud::PrivilegedAccessManager.const_get package_name
|
|
126
|
+
return false unless service_module.const_defined? :PrivilegedAccessManager
|
|
127
|
+
service_module = service_module.const_get :PrivilegedAccessManager
|
|
128
|
+
if transport == :rest
|
|
129
|
+
return false unless service_module.const_defined? :Rest
|
|
130
|
+
service_module = service_module.const_get :Rest
|
|
131
|
+
end
|
|
132
|
+
service_module.const_defined? :Client
|
|
133
|
+
rescue ::LoadError
|
|
134
|
+
false
|
|
135
|
+
end
|
|
136
|
+
|
|
101
137
|
##
|
|
102
138
|
# Configure the google-cloud-privileged_access_manager library.
|
|
103
139
|
#
|
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: google-cloud-privileged_access_manager
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Google LLC
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 2025-01-29 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: google-cloud-core
|
|
@@ -84,7 +83,6 @@ homepage: https://github.com/googleapis/google-cloud-ruby
|
|
|
84
83
|
licenses:
|
|
85
84
|
- Apache-2.0
|
|
86
85
|
metadata: {}
|
|
87
|
-
post_install_message:
|
|
88
86
|
rdoc_options: []
|
|
89
87
|
require_paths:
|
|
90
88
|
- lib
|
|
@@ -92,15 +90,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
92
90
|
requirements:
|
|
93
91
|
- - ">="
|
|
94
92
|
- !ruby/object:Gem::Version
|
|
95
|
-
version: '
|
|
93
|
+
version: '3.0'
|
|
96
94
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
97
95
|
requirements:
|
|
98
96
|
- - ">="
|
|
99
97
|
- !ruby/object:Gem::Version
|
|
100
98
|
version: '0'
|
|
101
99
|
requirements: []
|
|
102
|
-
rubygems_version: 3.
|
|
103
|
-
signing_key:
|
|
100
|
+
rubygems_version: 3.6.2
|
|
104
101
|
specification_version: 4
|
|
105
102
|
summary: Privileged Access Manager (PAM) helps you on your journey towards least privilege
|
|
106
103
|
and helps mitigate risks tied to privileged access misuse or abuse. PAM allows you
|