
JIT Access

Use just-in-time (JIT) to access the console in AWS
DuploCloud users can obtain Just-In-Time (JIT) access to the AWS Console. This access is restricted to the resources that the user can access in the DuploCloud portal. With JIT access, DuploCloud administrators have admin-level access within the AWS Console. Access is generated in real time and, by default, revoked after one hour.

Access using the UI

From the DuploCloud Portal you can open the AWS Console with JIT access, obtain temporary AWS credentials to the Tenant, or set up access to AWS from your workstation.
  1. In the DuploCloud Portal, navigate to User and select the Username that needs access.
  2. In the upper-right corner of the Portal, click the user profile picture and select Profile. The User Profile page displays.
     [Figure: User profile area of the DuploCloud Portal with the Profile option]
  3. From the JIT AWS Console list box, select the appropriate option to open the JIT AWS Console, get Temporary AWS Credentials to the Tenant, or obtain AWS Access from my Workstation.
     [Figure: DuploCloud User Profile page with JIT AWS Console list box and available options]

Accessing the JIT AWS Console from the UI

When you select JIT AWS Console, the AWS Console launches.

Selecting temporary or permanent access to AWS Credentials

When you select Temporary AWS Credentials, the Get JIT AWS Access window displays with available links for temporary or permanent access, as in the graphic below. For temporary access, click Get JIT Access. For permanent access, click the more permanent link.
[Figure: Get JIT AWS Access window with temporary and permanent options]

Obtaining AWS access for a workstation

When you select AWS Access from my Workstation, the Get JIT AWS Access window displays with the Access to AWS from your Workstation option. Follow the instructions and links.

Access the AWS Console using the CLI and duplo-jit

Obtain access through the command line interface (CLI) with duplo-jit. duplo-jit must obtain an AWS JIT session using a DuploCloud API Token. This token can be specified either as part of your local AWS configuration or can be obtained interactively, using your DuploCloud portal session.

Install with Homebrew

Run the following command:
brew install duplocloud/tap/duplo-jit

Install from GitHub Releases

  1. Download the latest .zip archive from https://github.com/duplocloud/duplo-jit/releases for your operating system.
  2. Extract the archive listed in the table below based on the operating system and processor you are running.
  3. Add the path to duplo-jit to your $PATH environment variable.

| Processor/Operating System | Archive |
|---|---|
| Intel macOS | darwin_amd64.zip |
| M1 macOS | darwin_arm64.zip |
| Windows | windows_amd64.zip |

Obtaining credentials

Using an API Token

  2. Edit the AWS Config file (~/.aws/config) and add the following profile, as shown in the code snippet below:
[profile <ENV_NAME>]
region=us-west-2
credential_process=duplo-jit aws --admin --host https://<ENV_NAME>.duplocloud.net --token <DUPLO_TOKEN>

Obtain credentials interactively

To obtain credentials interactively, rather than with a token, replace --token <DUPLO_TOKEN> in the argument above with --interactive.
When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below. Click Authorize if you consent.
[Figure: Local Access Requested prompt. It reads "The duplo-aws-credential-process application on your computer wants to access your Duplo credentials." with a green Authorize button on the right and a red Cancel button on the left.]
Upon successful authorization, a Just-In-Time token is provided, which is valid for one hour. When the token expires, you are prompted to re-authorize the request.
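
A profile that uses --token keeps a long-lived DuploCloud API token in plain text in ~/.aws/config, while an --interactive profile stores none. The following check is an added example, not DuploCloud code: it lists the duplo-jit profiles in an AWS config file and fails when a file holding a static token is accessible to group or other. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DuploCloud code. Usage: audit_jit_config ~/.aws/config

# Print "<profile> <auth> <scope>" for each profile whose credential_process runs duplo-jit.
jit_profiles() {
    awk '
        /^[ \t]*\[/ {    # section header: [profile NAME] or [NAME]
            p = $0
            sub(/^[ \t]*\[/, "", p); sub(/\].*$/, "", p); sub(/^profile[ \t]+/, "", p)
        }
        /^[ \t]*credential_process[ \t]*=.*duplo-jit/ {
            auth = "unknown"
            if ($0 ~ /--interactive/)  auth = "interactive"
            if ($0 ~ /--token[ \t=]/)  auth = "static-token"
            scope = ($0 ~ /--admin/) ? "admin" : "tenant"
            print p, auth, scope
        }
    ' "$1"
}

# Succeed only if group and other have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report profiles that keep a token on disk; return 1 if that file is open to group/other.
audit_jit_config() {
    cfg="$1"; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for p in $(jit_profiles "$cfg" | awk '$2 == "static-token" { print $1 }'); do
        echo "NOTE: profile $p keeps a DuploCloud API token in $cfg"
        owner_only "$cfg" || { echo "FAIL: $cfg is accessible to group/other"; rc=1; }
    done
    return "$rc"
}

# Constructed sample config; the token is a placeholder, not a real value.
sample_config() {
    cat <<'EOF'
[profile prod]
region=us-west-2
credential_process=duplo-jit aws --admin --host https://prod.duplocloud.net --token PLACEHOLDER_TOKEN

[profile dev]
region=us-west-2
credential_process=duplo-jit aws --tenant dev01 --host https://dev.duplocloud.net --interactive
EOF
}
```

A FAIL result is cleared by running chmod 600 on the config file or by switching the profile to --interactive.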

Accessing the AWS Console Using the CLI

Obtain access to the AWS console using the Command Line Interface (CLI).

Accessing the AWS Console

As long as you use the AWS_PROFILE that matches the profile name you set in the section above, the AWS CLI obtains the required access credentials.
For example:
AWS_PROFILE=<ENV_NAME> aws ec2 describe-instances
To obtain a link to the AWS Console, run one of the following commands. Each copies the Console URL to your clipboard, and you can then open it in any browser.
All of these examples assume Administrator role access, passing the --admin flag. If you are obtaining JIT access for a User role (not Administrator), ensure that you replace the --admin argument in the following code snippets with --tenant <YOUR_TENANT>, for example --tenant dev01. Tenants are lower-case at the CLI.
If you are receiving errors when attempting to retrieve credentials, try running the command with the --no-cache argument.

Using an API Token

duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --token <DUPLO_TOKEN> | jq -r .ConsoleUrl | pbcopy

To obtain credentials interactively instead:
duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy

To create a shortcut, add the following to your .zshrc file:
function jitnow() {
  duplo-jit aws --admin --no-cache --host "https://$1.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy
}
Usage: jitnow <ENV_NAME>

Configuring JIT session timeout

By default, JIT sessions expire after one hour. This can be modified in the DuploCloud Portal for a specific Tenant.
  1. In the DuploCloud Portal, navigate to Administrator -> Tenant.
  2. Select the Tenant from the Name column for which you want to change the expiration period.
  3. Click the Settings tab.
  4. Click Add to add a custom timeout setting. The Add Tenant Feature pane displays.
  5. Select AWS Access Token Validity from the Select Feature list box.
  6. In the field below (the value), specify the desired timeout period in seconds. In the example below, we specify 7200 seconds or two hours, overriding the default of 3600 seconds, or one hour.
     [Figure: Update Tenant Feature pane to specify new default timeout in seconds]
  7. Click Update. The new Value is displayed in the Tenant Settings tab.
     [Figure: AWS Access Token Validity settings updated with a value of 7200 (seconds)]
If you are increasing the session timeout beyond the AWS default of 1 hour, you also need to update the maximum session duration value for the IAM role assigned to your DuploCloud tenant.
Access the AWS Console as an Administrator using the instructions above. In the AWS Console, navigate to IAM -> Roles and modify the value for your tenant accordingly. For example, if your Tenant is named DEV01, and you need to set a timeout of two hours (7200 seconds), locate the IAM role duploservices-dev01 and modify the Maximum Session Duration to two hours.
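
The same role change can be made from the AWS CLI. This is an added example, not DuploCloud code: it raises the role's limit only when the requested validity exceeds it and never lowers it. It assumes every tenant role follows the duploservices-<tenant in lower case> pattern of the DEV01 example and that the active profile may call iam:GetRole and iam:UpdateRole; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not DuploCloud code. Usage: align_role DEV01 7200
IAM_MAX_SESSION=43200   # IAM's upper limit for a role's MaxSessionDuration (12 hours)

# Role name for a tenant (assumed pattern, taken from the page's DEV01 example).
tenant_role() {
    printf 'duploservices-%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# plan_session DESIRED CURRENT: print "keep", "raise" or "reject" (values in seconds).
plan_session() {
    case "$1" in ''|*[!0-9]*) echo reject; return 0 ;; esac
    case "$2" in ''|*[!0-9]*) echo reject; return 0 ;; esac
    if [ "$1" -gt "$IAM_MAX_SESSION" ]; then echo reject   # IAM would refuse this value
    elif [ "$1" -le "$2" ]; then echo keep                 # role already allows it
    else echo raise
    fi
}

# align_role TENANT SECONDS: read the role's current limit and raise it if required.
align_role() {
    role=$(tenant_role "$1")
    current=$(aws iam get-role --role-name "$role" \
        --query 'Role.MaxSessionDuration' --output text) || return 1
    case $(plan_session "$2" "$current") in
        keep)  echo "$role already allows ${current}s; nothing to change" ;;
        raise) aws iam update-role --role-name "$role" --max-session-duration "$2" &&
               echo "$role raised from ${current}s to ${2}s" ;;
        *)     echo "refusing: '$2' is not a usable duration (max ${IAM_MAX_SESSION}s)" >&2
               return 1 ;;
    esac
}
```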