.svg?alt=media&token=0f6df7c7-5b98-4a62-98b8-a54e38a8329e){kind=logo}
JIT Access
Use just-in-time (JIT) to access the console in AWS
DuploCloud users can obtain Just-In-Time (JIT) access to the AWS Console. This access is restricted to resources that the user has access to in the DuploCloud portal. With JIT access, DuploCloud administrators have admin-level access within the AWS Console and the access is generated in real-time and revoked, by default, in one hour.
You can obtain AWS JIT access directly from the DuploCloud Portal, as well as obtain temporary AWS credentials to the Tenant, and access to AWS from your workstation.
- 1.In the DuploCloud Portal, navigate to User and select the Username that needs access.
- 2.In the upper-right corner of the Portal, click the user profile picture and select Profile. The User Profile page displays.
User profile area of the DuploCloud Portal with the Profile option - 3.From the JIT AWS Console list box, select the appropriate option to open the JIT AWS Console, get Temporary AWS Credentials to the Tenant, or obtain AWS Access from my Workstation.
DuploCloud User Profile page with JIT AWS Console list box and available options
When you select JIT AWS Console, the AWS Console launches.
When you select Temporary AWS Credentials, the Get JIT AWS Access window displays with available links for temporary or permanent access, as in the graphic below. For temporary access, click Get JIT Access. For permanent access, click the more permanent link.
Get JIT AWS Access window with tempoary and permanent options
When you select AWS Access from my Workstation, the Get JIT AWS Access window displays with the Access to AWS from your Workstation option. Follow the instructions and links.
Obtain access through the command line interface (CLI) with
duplo-jit. duplo-jit must obtain an AWS JIT session using a DuploCloud API Token. This token can be specified either as part of your local AWS configuration or can be obtained interactively, using your DuploCloud portal session.Run the following command:
brew install duplocloud/tap/duplo-jit
- 1.Download the latest .zip archive from https://github.com/duplocloud/duplo-jit/releases for your operating system.
- 2.Extract the archive listed in the table below based on the operating system and processor you are running.
- 3.Add the path to
duplo-jitto your$PATHenvironment variable.
Processor/Operating System | Archive |
|---|---|
Intel macOS | darwin_amd64.zip |
M1 macOS | darwin_arm64.zip |
Windows | windows_amd64.zip |
- 2.Edit the AWS Config file (~/.aws/config) and add the following profile, as shown in the code snippet below:
[profile <ENV_NAME>]
region=us-west-2
credential_process=duplo-jit aws --admin --host https://<ENV_NAME>.duplocloud.net --token <DUPLO_TOKEN>
To obtain credentials interactively, rather than with a token, replace
--token <DUPLO_TOKEN> in the argument above with --interactive.When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below. Click Authorize if you consent.
Local Access Requested prompt
Upon successful authorization, A Just-In-Time token is provided, which is valid for one hour. When the token expires, you are prompted to re-authorize the request.
Obtain access to the AWS console using the Command Line Interface (CLI).
As long as you use the AWS_PROFILE that matches the profile name you set in the section above, the AWS CLI obtains the required access credentials.
For example:
AWS_PROFILE=<ENV_NAME> aws ec2 describe-instancesTo obtain a link to the AWS Console, run one of the following commands, which copies the Console URL to your clipboard that you can use in any browser.
All of these examples assume Administrator role access, passing the
--admin flag. If you are obtaining JIT access for a User role (not Administrator), ensure that you replace the --admin argument in the following code snippets with --tenant <YOUR_TENANT>, for example --tenant dev01. Tenants are lower-case at the CLI.If you are receiving errors when attempting to retrieve credentials, try running the command with the
--no-cache argument.duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --token <DUPLO_TOKEN> | jq -r .ConsoleUrl | pbcopy
duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy
Add the following to your
.zshrc file:function jitnow() {
duplo-jit aws --admin --no-cache --host "https://$1.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy
}
usage is
jitnow <ENV_NAME>By default, JIT sessions expire after one hour. This can be modified in the DuploCloud Portal for a specific Tenant.
- 1.displaysIn the DuploCloud Portal, navigate to Administrator -> Tenant.
- 2.Select the Tenant from the Name column for which you want to change the expiration period.
- 3.Click the Settings tab.
- 4.Click Add to add a custom timeout setting. The Add Tenant Feature pane displays.
- 5.Select AWS Access Token Validity from the Select Feature list box.
- 6.In the field below (the value), specify the desired timeout period in seconds. in the example below, we specify 7200 seconds or two hours, overriding the default of 3600 seconds, or one hour.
- 7.Click Update. The new Value is displayed in the Tenant Settings tab.
Update Tenant Feature pane to specify new default timeout in seconds
AWS Access Token Validity settings updated with a value of 7200 (seconds)
If you are increasing the session timeout beyond the AWS default of 1 hour, you also need to update the maximum session duration value for the IAM role assigned to your DuploCloud tenant.
Access the AWS Console as an Administrator using the instructions above. In the AWS Console, navigate IAM -> Roles and modify the value for your tenant accordingly. For example, if your Tenant is named DEV01, and you need to set a timeout of two hours (7200 seconds), locate the IAM role duploservices-dev01 and modify the Maximum Session Duration to two hours.
Last modified 13d ago