I am used to working with Azure, but have recently joined a project running from a set of docker instances in Google Cloud.
I would like to secure the setup in Google Cloud the way I am used to doing it in Azure.
In Azure it is possible to restrict access to the production environment using Azure AD. This can be achieved using Google Cloud Organization Service. So far so good.
Now I want to lock down production even further. I don't want anyone to just have access to production all the time. I would like to only allow this when needed and only for a limited time. This can be achieved in Azure by using Privileged Identity Management (PIM). That way I can allow certain people to self-elevate their privileges for a short period of time... say 4 hours. They also have to justify the self-elevation in text... and I can force two-factor authentication again, even though they are already logged in.
What is the PIM equivalent in Google Cloud? I haven't been able to find it. Can anyone point me to the documentation for a Google Cloud Service that does this?
I am not too familiar with the Azure ecosystem, but from the description I think you are looking for Cloud IAP: https://cloud.google.com/iap/docs/concepts-overview. I am not sure if it offers a temporary elevation feature, though.
Alternatively, I think if you use Google Cloud Directory Sync you can manage users through Azure Active Directory and use it to authenticate against Google Cloud.
Also, here's a post which explains how you can provide temporary access to someone by allowing them to impersonate a service account: https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d
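As an added example (not part of the question or answer above): a small standard-library Python audit that reads a GCP IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns and reports which principals hold the service-account impersonation role permanently versus under a time-bound IAM condition (`request.time < timestamp(...)`), which is how a "4 hours and then it goes away" grant is expressed in Google Cloud. The policy contents below are constructed; the role name and condition syntax are real.

```python
import json
import re
from datetime import datetime, timezone

# Role that lets a principal mint tokens for (i.e. impersonate) a service account.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample policy: same structure as a real IAM policy, made-up members.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": TOKEN_CREATOR, "members": ["user:alice@example.com"]},
        {"role": TOKEN_CREATOR, "members": ["user:bob@example.com"],
         "condition": {"title": "temp-access",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": TOKEN_CREATOR, "members": ["user:carol@example.com"],
         "condition": {"title": "old-access",
                       "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
})

# Matches the expiry timestamp of a standard time-bound IAM condition.
_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def binding_expiry(binding):
    """Return the expiry datetime of a time-bound binding, or None if it is permanent."""
    expr = binding.get("condition", {}).get("expression", "")
    match = _EXPIRY_RE.search(expr)
    if not match:
        return None
    return datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))


def audit_impersonation_grants(policy_json, now=None):
    """Classify each holder of TOKEN_CREATOR as 'permanent', 'active' (time-bound, not yet expired) or 'expired'."""
    now = now or datetime.now(timezone.utc)
    result = {"permanent": [], "active": [], "expired": []}
    for binding in json.loads(policy_json)["bindings"]:
        if binding["role"] != TOKEN_CREATOR:
            continue  # only impersonation grants are of interest here
        expiry = binding_expiry(binding)
        bucket = "permanent" if expiry is None else ("active" if expiry > now else "expired")
        result[bucket].extend(binding["members"])
    return result


if __name__ == "__main__":
    print(json.dumps(audit_impersonation_grants(SAMPLE_POLICY), indent=2))
```

Entries under `permanent` are the standing-access grants a PIM-style process is meant to eliminate; `expired` entries are harmless but worth cleaning up so the policy stays readable.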