Just-in-Time (JIT) Access
DuploCloud makes access to AWS extraordinarily simple with just-in-time (JIT) access to both the AWS console and the AWS CLI, both with least-priviledged IAM permissions and short-lived access.
Last updated
DuploCloud makes access to AWS extraordinarily simple with just-in-time (JIT) access to both the AWS console and the AWS CLI, both with least-priviledged IAM permissions and short-lived access.
Last updated
© DuploCloud, Inc. All rights reserved. DuploCloud trademarks used herein are registered trademarks of DuploCloud and affiliates
DuploCloud-JIT (Just-In-Time) offers temporary access to the AWS Console to quickly and easily interact with your AWS resources. With DuploCloud-JIT, you can perform necessary tasks without relying on long-lived credentials, simplifying access while maintaining strict security controls.
Use DuploCloud-JIT for tasks that require short-term access to AWS resources, such as:
One-Time JIT Tasks: Accessing AWS resources like S3 Buckets or DynamoDB for one-time tasks.
Automated Scripts with Short-Lived Access: Running scripts or CI/CD pipeline tasks that need limited-time access, such as deploying applications or running tests.
Ad-Hoc Troubleshooting: Troubleshooting issues or urgent maintenance that require immediate authentication.
Dynamic Access for Temporary Services: Securely authenticating and interacting with services that are needed for a limited time.
Interactive Sessions: Providing users access to AWS Console for specific tasks without the complexity of permanent credentials.
You can obtain DuploCloud JIT access to AWS Console through the DuploCloud UI, or using command-line tools and duplo-jit
or duplo-ctl
.
Access AWS Console using the Console link from your user profile page, or a specific resource page. To access the AWS Console from a specific resource page, see the AWS Console link.
To access the AWS Console from your user profile page, follow these steps:
In the DuploCloud Portal, navigate to Administrator -> Users.
Click the username in the upper right corner, and select Profile.
Click the JIT AWS Console button. A browser opens, giving you access to AWS Console.
From the JIT AWS Console list box, you can also select Copy AWS Console URL, Temporary AWS Credentials, or AWS access from my Workstation.
duplo-jit
or duplo-ctl
To gain JIT AWS Console access through a CLI, install duplo-jit
and duplo-ctl
, obtain credentials, and access the AWS Console.
DuploCloud-JIT CLI access is based on user permissions configured in the DuploCloud Portal. For instance, if you have Administrator permissions in DuploCloud, you can gain admin-level JIT access. If you are a User, your JIT access will be restricted to the resources and functionalities your DuploCloud permissions permit.
duplo-jit
Install duplo-jit
with Homebrew, or from GitHub releases:
duplo-jit
with HomebrewRun the following command:
duplo-jit
from GitHub ReleasesDownload the latest .zip archive from https://github.com/duplocloud/duplo-jit/releases for your operating system.
Extract the archive listed in the table below based on the operating system and processor you are running.
Add the path to duplo-jit
to your $PATH
environment variable.
Intel macOS
darwin_amd64.zip
M1 macOS
darwin_arm64.zip
Windows
windows_amd64.zip
Obtain credentials using an API token, or interactively:
Obtain an API token. While you can create a temporary or permanent API token, a permanent token is recommended.
Edit the ~/.aws/config
file, and add the following profile, as shown in the code snippet below:
To obtain credentials interactively, rather than with a token, replace --token <DUPLO_TOKEN>
in the argument above with --interactive
.
When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below.
Upon successful authorization, A JIT token is provided. This token is valid for one (1) hour. When the token expires, you are prompted to re-authorize the request.
Ensure that the AWS CLI is configured with the profile name that matches the one you used when obtaining credentials. This can be done in the ~/.aws/config
file.
Use the following command, replacing <ENV_NAME>
with your actual environment name:
This command will list your EC2 instances in the specified environment.
Run one of the following commands to copy an AWS Console URL link to your clipboard. You can use the link in any browser.
All of these examples assume Administrator access. If you are obtaining JIT access for a User role, replace the --admin
flag in the commands with --tenant <YOUR_TENANT>
. For example, if your tenant's name is dev01
, you would use --tenant dev01
. Tenants are lower-case at the CLI.
zsh
shellAdd the following to your .zshrc
file:
usage is jitnow <ENV_NAME>
If you are receiving errors when attempting to retrieve credentials, try running the command with the --no-cache
argument.
By default, JIT sessions expire after one (1) hour. You can modify the session timeout setting for a specific Tenant in the DuploCloud Portal.
If you increase the JIT session timeout beyond the AWS default of one (1) hour, you must also increase the maximum session value for the IAM role assigned to your DuploCloud Tenant.
In the DuploCloud Portal, navigate to Administrator -> Tenant.
Select the Tenant name from the NAME column.
Select the Settings tab, and click Add. The Add Tenant Feature pane displays.
Select AWS Access Token Validity from the Select Feature list box.
In the Value field, enter the length of time JIT access should remain active in seconds.
Click Update. The new setting is displayed on the Tenant details page under the Settings tab.
By default, AWS IAM roles have a maximum session duration of one (1) hour. You can modify the maximum session duration for the AWS Master IAM role in the DuploCloud Portal.
From the DuploCloud Portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Update Config AppConfig pane displays.
From the Config Type list box, select AppConfig.
From the Key list box, select AdminJitSessionDuration.
In the Value field, enter the length of time JIT access should remain active in seconds.
Click Submit. The Admin-JIT session duration is configured.