Most of the time we don't want access to last forever. We can configure Abbey to revoke access after a specified time. Navigate to policies/common/common.rego and you'll find a line like this:
msg := "granting access for 0 minutes"
We can set this policy to automatically revoke access to a resource after 10 minutes. Once the time has passed, Abbey will automatically revert the PR that granted resource access in the first place and the user will be removed from the group.
Step 4: Configure GCP Permissions
In this step we will:
- Create and use GCP resources (Project, Service Account, Workload Identity Pool & Provider)
- Add Repository Secrets so that GitHub Actions can make calls to GCP
After that, we need to configure Workload Identity Federation to allow GitHub Actions to make calls from your repo when managing the group membership. With federation, GitHub only obtains secure, temporary access tokens instead of relying on exported long-lived JSON secrets.
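The Workload Identity Federation setup described above, as an added example (not Abbey's own script). The project, pool, provider, service account and repository names are hypothetical placeholders, and the provider is restricted to a single repository so that no other repository's tokens can impersonate the service account.

```shell
# Added example; every default below is a hypothetical placeholder.
PROJECT_ID="${PROJECT_ID:-example-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
POOL_ID="${POOL_ID:-github-pool}"
PROVIDER_ID="${PROVIDER_ID:-github-provider}"
SA_EMAIL="${SA_EMAIL:-abbey-ci@${PROJECT_ID}.iam.gserviceaccount.com}"
GITHUB_REPO="${GITHUB_REPO:-example-org/abbey-starter}"

# DRY_RUN=1 prints each command for review instead of executing it.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Accept exactly "owner/name"; quotes or spaces would corrupt the condition below.
valid_repo() {
  case "$GITHUB_REPO" in
    */*/*|/*|*/|*[!A-Za-z0-9._/-]*) return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# Provider-side check: only tokens issued to workflows in this repository pass.
attribute_condition() { printf "assertion.repository == '%s'" "$GITHUB_REPO"; }

# IAM member matching federated identities whose repository attribute is ours.
repo_principal() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$GITHUB_REPO"
}

# Full provider resource name (assumed here to be what the repository secret holds).
provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID"
}

setup_wif() {
  valid_repo || { echo "invalid GITHUB_REPO: $GITHUB_REPO" >&2; return 1; }
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="$(attribute_condition)"
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role="roles/iam.workloadIdentityUser" \
    --member="$(repo_principal)"
}
```

Source the file and call `setup_wif` with `DRY_RUN=1` to review the three gcloud commands before running them for real.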
Abbey strives to help you automate and secure access management without being intrusive.
To that end, this Pull Request contains native Terraform HCL code using normal open source Terraform Provider libraries. It represents the permissions change. In this case, it's just a simple creation of a new Terraform Resource.
After approving the request, you should be able to see that the user has been added to the Google group.