JIT Access

Use just-in-time (JIT) to access the console in Azure
DuploCloud users can obtain Just-In-Time (JIT) access to the Azure Console using duplo-jit. This access is restricted to resources that the user has access to in the DuploCloud portal. With JIT access, DuploCloud administrators have admin-level access within the Azure Console. The access is generated in real time and, by default, revoked after one hour.

Access the Azure Console using the CLI and duplo-jit

Obtain access through the command line interface (CLI) with duplo-jit. duplo-jit must obtain an Azure JIT session using a DuploCloud API Token. This token can either be specified as part of your local Azure configuration or be obtained interactively, using your DuploCloud portal session.

Install with Homebrew

Run the following command:
brew install duplocloud/tap/duplo-jit

Install from GitHub Releases

  1. Download the latest .zip archive from https://github.com/duplocloud/duplo-jit/releases for your operating system.
  2. Extract the archive listed in the table below based on the operating system and processor you are running.
  3. Add the path to duplo-jit to your $PATH environment variable.

| Processor/Operating System | Archive           |
| -------------------------- | ----------------- |
| Intel macOS                | darwin_amd64.zip  |
| M1 macOS                   | darwin_arm64.zip  |
| Windows                    | windows_amd64.zip |

Obtaining credentials

Obtain credentials using a DuploCloud API Token or interactively.

Using an API Token

  2. Edit the Azure Config file (~/.azure/config) and add the following profile, as shown in the code snippet below:
[profile <ENV_NAME>]
region=us-west-2
credential_process=duplo-jit az --admin --host https://<ENV_NAME>.duplocloud.net --token <DUPLO_TOKEN>

Obtain credentials interactively

To obtain credentials interactively, rather than with a token, replace --token <DUPLO_TOKEN> in the argument above with --interactive.
When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below. Click Authorize if you consent.
[Figure: Local Access Requested prompt. The prompt reads "The duplo-aws-credential-process application on your computer wants to access your Duplo credentials." The options are a green button on the right for Authorize and a red button on the left for Cancel.]
Upon successful authorization, a Just-In-Time token is provided, which is valid for one hour. When the token expires, you are prompted to re-authorize the request.
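
An added example, not part of the DuploCloud documentation or of duplo-jit: a shell check that flags profiles in the config file that carry a plaintext --token (the API-token setup above) instead of --interactive, and a file mode that lets other local users read the file. The function name audit_jit_config is hypothetical.

```shell
#!/bin/sh
# Added example: audit a CLI config file for duplo-jit profiles that embed a
# DuploCloud API token in plaintext instead of using --interactive.
# audit_jit_config is a hypothetical helper, not a duplo-jit command.
# Usage: audit_jit_config ~/.azure/config

audit_jit_config() {
  local cfg="$1" findings=0 profile="" line mode

  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

  # A file that may hold a token should be accessible to its owner only.
  # GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case "$mode" in
    *00) ;;
    *) echo "PERMS    $cfg is mode $mode; expected 600"
       findings=$((findings + 1)) ;;
  esac

  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "[profile "*"]")
        # Remember which profile the following keys belong to.
        profile=${line#"[profile "}
        profile=${profile%"]"} ;;
      credential_process*duplo-jit*)
        case "$line" in
          *"--token"*)
            # Report the profile only; never echo the token value.
            echo "TOKEN    profile '$profile' embeds --token in plaintext"
            findings=$((findings + 1)) ;;
          *"--interactive"*)
            echo "OK       profile '$profile' uses --interactive" ;;
        esac ;;
    esac
  done < "$cfg"

  # Exit status 0 only when nothing was flagged.
  [ "$findings" -eq 0 ]
}
```

The function returns non-zero when anything is flagged, so it can gate a login script or a workstation compliance check.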

Accessing the Azure Console using the CLI

Obtain access to the Azure console using the Command Line Interface (CLI).

Accessing the Azure Console

As long as you use an AZURE_PROFILE that matches the profile name you set in the section above, the Azure CLI obtains the required access credentials.
For example:
AZURE_PROFILE=<ENV_NAME> az vm list
To obtain a link to the Azure Console, run one of the following commands. Each copies the Console URL to your clipboard, and you can then use it in any browser.
All of these examples assume Administrator role access, passing the --admin flag. If you are obtaining JIT access for a User role (not Administrator), ensure that you replace the --admin argument in the following code snippets with --tenant <YOUR_TENANT>, for example --tenant dev01. Tenants are lower-case at the CLI.
If you are receiving errors when attempting to retrieve credentials, try running the command with the --no-cache argument.

Using an API Token

duplo-jit az --admin --host "https://<ENV_NAME>.duplocloud.net" --token <DUPLO_TOKEN> | jq -r .ConsoleUrl | pbcopy

Obtain credentials interactively

duplo-jit az --admin --host "https://<ENV_NAME>.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy

Obtain credentials interactively (PowerShell)

duplo-jit az --admin --host "https://<ENV_NAME>.duplocloud.net" --interactive | ConvertFrom-Json | Select-Object -ExpandProperty ConsoleUrl | Set-Clipboard

Add the following to your .zshrc file:
function jitnow() {
  duplo-jit az --admin --no-cache --host "https://$1.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy
}
Usage: jitnow <ENV_NAME>