DuploCloud makes access to AWS extraordinarily simple with just-in-time (JIT) access to both the AWS Console and the AWS CLI, each with least-privileged IAM permissions and short-lived access.
DuploCloud-JIT (Just-In-Time) offers temporary access to the AWS Console to quickly and easily interact with your AWS resources. With DuploCloud-JIT, you can perform necessary tasks without relying on long-lived credentials, simplifying access while maintaining strict security controls.
When to Use DuploCloud-JIT AWS Access
Use DuploCloud-JIT for tasks that require short-term access to AWS resources, such as:
One-Time JIT Tasks: Accessing AWS resources like S3 Buckets or DynamoDB for one-time tasks.
Automated Scripts with Short-Lived Access: Running scripts or CI/CD pipeline tasks that need limited-time access, such as deploying applications or running tests.
Ad-Hoc Troubleshooting: Troubleshooting issues or urgent maintenance that require immediate authentication.
Dynamic Access for Temporary Services: Securely authenticating and interacting with services that are needed for a limited time.
Interactive Sessions: Providing users access to AWS Console for specific tasks without the complexity of permanent credentials.
How to Use DuploCloud-JIT AWS Access
You can obtain DuploCloud JIT access to the AWS Console through the DuploCloud UI, or from the command line using duplo-jit or duplo-ctl.
Configuring JIT AWS Console Access from the UI
Access the AWS Console using the Console link from your user profile page, or from a specific resource page. To access the AWS Console from a specific resource page, see the AWS Console link.
To access the AWS Console from your user profile page, follow these steps:
In the DuploCloud Portal, navigate to Administrator -> Users.
Click the username in the upper right corner, and select Profile.
Click the JIT AWS Console button. A browser opens, giving you access to the AWS Console.
From the JIT AWS Console list box, you can also select Copy AWS Console URL, Temporary AWS Credentials, or AWS access from my Workstation.
Configuring JIT AWS Console Access with CLI and duplo-jit or duplo-ctl
To gain JIT AWS Console access through a CLI, install duplo-jit and duplo-ctl, obtain credentials, and access the AWS Console.
DuploCloud-JIT CLI access is based on user permissions configured in the DuploCloud Portal. For instance, if you have Administrator permissions in DuploCloud, you can gain admin-level JIT access. If you are a User, your JIT access will be restricted to the resources and functionalities your DuploCloud permissions permit.
Step 1. Install duplo-jit
Install duplo-jit with Homebrew, or from GitHub releases:
To obtain credentials interactively, rather than with a token, replace --token <DUPLO_TOKEN> in the argument above with --interactive.
When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below.
Upon successful authorization, a JIT token is provided. This token is valid for one (1) hour. When the token expires, you are prompted to re-authorize the request.
Step 3. Accessing the AWS Console
Accessing the AWS Console Using the CLI
Ensure that the AWS CLI is configured with the profile name that matches the one you used when obtaining credentials. This can be done in the ~/.aws/config file.
Use the following command, replacing <ENV_NAME> with your actual environment name:
AWS_PROFILE=<ENV_NAME> aws ec2 describe-instances
This command will list your EC2 instances in the specified environment.
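An added example, not part of DuploCloud's documentation or tooling: a Python audit of the two properties this setup relies on, namely that no profile in the AWS CLI files stores a long-lived key pair and that issued credentials expire within the one-hour validity. It assumes the profile obtains credentials through the AWS CLI's `credential_process` setting; the file contents, the helper placeholder and all key values are constructed.

```python
import configparser
import json
from datetime import datetime, timezone

# Constructed stand-ins for ~/.aws/config and ~/.aws/credentials (no real keys).
SAMPLE_CONFIG = """[profile dev01]
credential_process = <YOUR_JIT_HELPER_COMMAND>
[profile legacy]
region = us-west-2
"""
SAMPLE_CREDENTIALS = """[legacy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
"""
# Constructed credential_process output in the AWS CLI's documented JSON shape.
SAMPLE_OUTPUT = json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed", "SessionToken": "constructed",
    "Expiration": "2024-01-01T13:00:00Z"})

def _sections(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def classify_profiles(config_text, credentials_text):
    """Map each profile to 'jit', 'static-long-lived', 'static-temporary' or 'other'."""
    merged = {}
    for name, keys in _sections(config_text).items():
        # The config file prefixes named profiles with "profile "; credentials does not.
        short = name[len("profile "):] if name.startswith("profile ") else name
        merged.setdefault(short.strip(), {}).update(keys)
    for name, keys in _sections(credentials_text).items():
        merged.setdefault(name, {}).update(keys)
    result = {}
    for name, keys in merged.items():
        if "aws_access_key_id" in keys:  # a stored key pair is the finding to report
            temporary = "aws_session_token" in keys
            result[name] = "static-temporary" if temporary else "static-long-lived"
        else:
            result[name] = "jit" if "credential_process" in keys else "other"
    return result

def remaining_seconds(process_output, now):
    """Seconds until the issued credentials expire; rejects non-temporary ones."""
    doc = json.loads(process_output)
    if not doc.get("SessionToken") or not doc.get("Expiration"):
        raise ValueError("credentials carry no session token or expiry")
    expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
    return int((expires - now).total_seconds())

def within_validity(process_output, now, max_seconds=3600):
    """True if the credentials are unexpired and within the allowed validity in seconds."""
    return 0 < remaining_seconds(process_output, now) <= max_seconds
```

Pass the contents of your own `~/.aws/config` and `~/.aws/credentials` to `classify_profiles`, and set `max_seconds` to the validity configured for your tenant or admin role.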
Accessing the AWS Console with a URL link
Run one of the following commands to copy an AWS Console URL link to your clipboard. You can use the link in any browser.
All of these examples assume Administrator access. If you are obtaining JIT access for a User role, replace the --admin flag in the commands with --tenant <YOUR_TENANT>. For example, if your tenant's name is dev01, you would use --tenant dev01. Tenants are lower-case at the CLI.
In the DuploCloud Portal, navigate to Administrator -> Tenant.
Select the Tenant name from the NAME column.
Select the Settings tab, and click Add. The Add Tenant Feature pane displays.
Select AWS Access Token Validity from the Select Feature list box.
In the Value field, enter the length of time JIT access should remain active in seconds.
Click Update. The new setting is displayed on the Tenant details page under the Settings tab.
Configuring Admin-JIT timeout for the AWS IAM role
By default, AWS IAM roles have a maximum session duration of one (1) hour. You can modify the maximum session duration for the AWS Master IAM role in the DuploCloud Portal.
From the DuploCloud Portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Update Config AppConfig pane displays.
From the Config Type list box, select AppConfig.
From the Key list box, select AdminJitSessionDuration.
In the Value field, enter the length of time JIT access should remain active in seconds.
Click Submit. The Admin-JIT session duration is configured.