JIT Access

DuploCloud users can obtain Just-In-Time (JIT) access to the AWS Console. This access is restricted to resources that the user has access to in the DuploCloud portal. With JIT access, DuploCloud administrators have admin-level access within the AWS Console and the access is generated in real-time and revoked, by default, in one hour.

Access using the UI

You can obtain AWS JIT access directly from the DuploCloud Portal, as well as obtain temporary AWS credentials to the Tenant, and access to AWS from your workstation.

1. In the DuploCloud Portal, navigate to Administrator -> User and select the Username that needs access.

2. In the upper-right corner of the Portal, click the user profile picture and select Profile. The User Profile page displays.
3. From the JIT AWS Console list box, select the appropriate option to open the JIT AWS Console, get Temporary AWS Credentials to the Tenant, or obtain AWS Access from my Workstation.

Accessing the JIT AWS Console from the UI

When you select JIT AWS Console, the AWS Console launches.

Selecting temporary or permanent access to AWS Credentials

When you select Temporary AWS Credentials, the Get JIT AWS Access window displays with available links for temporary or permanent access, as in the graphic below. For temporary access, click Get JIT Access. For permanent access, click the more permanent link.

Obtaining AWS access for a workstation

When you select AWS Access from my Workstation, the Get JIT AWS Access window displays with the Access to AWS from your Workstation option. Follow the instructions and links.

Access the AWS Console using the CLI and duplo-jit

Obtain access through the command line interface (CLI) with duplo-jit. duplo-jit must obtain an AWS JIT session using a DuploCloud API Token. This token can be specified either as part of your local AWS configuration or can be obtained interactively, using your DuploCloud portal session.

Install with Homebrew

Run the following command:

brew install duplocloud/tap/duplo-jit

Install from GitHub Releases

1. Download the latest .zip archive from https://github.com/duplocloud/duplo-jit/releases for your operating system.

2. Extract the archive listed in the table below based on the operating system and processor you are running.

3. Add the path to duplo-jit to your $PATH environment variable.

Obtaining credentials

Obtain credentials using a DuploCloud API Token or interactively.

Using an API Token

1. Obtain a DuploCloud API Token.

2. Edit the AWS Config file (~/.aws/config) and add the following profile, as shown in the code snippet below:

[profile <ENV_NAME>]
region=us-west-2
credential_process=duplo-jit aws --admin --host https://<ENV_NAME>.duplocloud.net --token <DUPLO_TOKEN>

Obtain credentials interactively

To obtain credentials interactively, rather than with a token, replace --token <DUPLO_TOKEN> in the argument above with --interactive.

When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below. Click Authorize if you consent.

Upon successful authorization, A Just-In-Time token is provided, which is valid for one hour. When the token expires, you are prompted to re-authorize the request.

Accessing the AWS Console using the CLI

Obtain access to the AWS console using the Command Line Interface (CLI).

Accessing the AWS Console

As long as you use the AWS_PROFILE that matches the profile name you set in the section above, the AWS CLI obtains the required access credentials.

For example:

AWS_PROFILE=<ENV_NAME> aws ec2 describe-instances

Obtaining a link to the AWS Console URL

To obtain a link to the AWS Console, run one of the following commands, which copies the Console URL to your clipboard that you can use in any browser.

All of these examples assume Administrator role access, passing the --admin flag. If you are obtaining JIT access for a User role (not Administrator), ensure that you replace the --admin argument in the following code snippets with --tenant <YOUR_TENANT>, for example --tenant dev01. Tenants are lower-case at the CLI.

Using an API Token

duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --token <DUPLO_TOKEN> | jq -r .ConsoleUrl | pbcopy

Obtain a link interactively

duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy

Obtain a link interactively in PowerShell

duplo-jit aws --admin --host "https://<ENV_NAME>.duplocloud.net" --interactive | ConvertFrom-Json | Select-Object -ExpandProperty ConsoleUrl | Set-Clipboard

Obtain a link by configuring your zsh shell

Add the following to your .zshrc file:

function jitnow() {
  duplo-jit aws --admin --no-cache --host "https://$1.duplocloud.net" --interactive | jq -r .ConsoleUrl | pbcopy
}

Configuring JIT session timeout

By default, JIT sessions expire after one hour. This can be modified in the DuploCloud Portal for a specific Tenant.

1. In the DuploCloud Portal, navigate to Administrator -> Tenant.

2. Select the Tenant for which you want to change the expiration period from the NAME column.

3. Click the Settings tab.

4. Click Add to add a custom timeout setting. The Add Tenant Feature pane displays.

5. Select AWS Access Token Validity from the Select Feature list box.

6. In the field below (the value), specify the desired timeout period in seconds. in the example below, we specify 7200 seconds or two (2) hours, overriding the default of 3600 seconds, or one (1) hour.

7. Click Update. The new setting is displayed in the Tenants, Settings tab.