DuploCloud provides just-in-time (JIT) access to both the AWS Console and the AWS CLI, in each case with least-privileged IAM permissions and short-lived credentials.
Access the AWS Console for specific resources created in DuploCloud, such as S3 buckets and DynamoDB tables, by clicking the Console link in the title bar of the resource page.
DuploCloud users can obtain Just-In-Time (JIT) access to AWS. For the USER role, IAM roles restrict access to only the resources that the user can already access in the DuploCloud portal, while the ADMIN role has administrator-level access to AWS. Access is generated in real time and revoked after one hour by default.
Compare DuploCloud JIT Access with AWS IAM Identity Center (formerly AWS SSO) + AWS Organizations, a powerful combo but with a much more complex setup. DuploCloud includes JIT out of the box!
You can obtain AWS JIT access to the AWS console directly from the DuploCloud Portal. You can also obtain temporary AWS credentials to a specific Tenant, and access to AWS from your workstation.
In the DuploCloud Portal, navigate to Administrator -> User and select the Username that needs access.
In the upper-right corner of the Portal, click the user profile picture and select Profile. The User Profile page displays.
From the JIT AWS Console list box, select the appropriate option to open the JIT AWS Console, get Temporary AWS Credentials to the Tenant, or obtain AWS Access from my Workstation.
When you select JIT AWS Console, the AWS Console launches.
When you select Temporary AWS Credentials, the Get JIT AWS Access window displays with links for temporary or permanent access, as in the graphic below. For temporary access, click Get JIT Access.
For permanent access, click the more permanent link.
You can also get AWS access tokens using the CLI tools (see the CLI section below).
When you select AWS Access from my Workstation, the Get JIT AWS Access window displays with the Access to AWS from your Workstation option. Follow the instructions and links.
duplo-jit or duploctl
There are two ways to obtain access through the command line interface (CLI): with duplo-jit or with duploctl.
duplo-jit must obtain an AWS JIT session using a DuploCloud API Token. This token can be specified as part of your local AWS configuration or obtained interactively, using your DuploCloud portal session.
To install duplo-jit:
Download the latest .zip archive for your operating system from https://github.com/duplocloud/duplo-jit/releases.
Extract the archive listed in the table below for the operating system and processor you are running.
Add the path to duplo-jit to your $PATH environment variable.
Obtain credentials using a DuploCloud API Token or interactively.
Edit the AWS config file (~/.aws/config) and add the following profile, as shown in the code snippet below:
To obtain credentials interactively rather than with a token, replace --token <DUPLO_TOKEN> in the argument above with --interactive.
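As an added example (not code from the DuploCloud documentation or the duplo-jit project), the following shell function writes the credential_process profile described above into an AWS config file of your choosing. It assumes the duplo-jit invocation `duplo-jit aws --host https://<ENV_NAME>.duplocloud.net` with the flags named on this page (`--admin`, `--tenant`, `--token`, `--interactive`); the `--host` flag and the `<ENV_NAME>.duplocloud.net` host pattern are assumptions, so adjust them to your portal URL. It enforces the lower-case tenant rule, refuses duplicate profile sections, and locks the file down when an API token is embedded.

```shell
#!/bin/sh
# Added example, not from the DuploCloud docs or the duplo-jit project.
# Appends an AWS CLI profile whose credentials come from duplo-jit.
# Assumed invocation (flags from this page plus --host):
#   duplo-jit aws --host https://<ENV>.duplocloud.net --admin|--tenant <t> --token <tok>|--interactive

# duplo_jit_profile ENV_NAME SCOPE AUTH CONFIG_FILE
#   ENV_NAME     DuploCloud environment; used as profile name and portal host
#   SCOPE        "admin" for the ADMIN role, or a tenant name for the USER role
#   AUTH         "interactive", or a DuploCloud API token to embed in the profile
#   CONFIG_FILE  AWS config file to append to, e.g. "$HOME/.aws/config"
duplo_jit_profile() {
  if [ $# -ne 4 ]; then
    echo "usage: duplo_jit_profile ENV_NAME SCOPE AUTH CONFIG_FILE" >&2
    return 2
  fi
  env_name=$1
  scope=$2
  auth=$3
  config_file=$4

  # Tenants are lower-case at the CLI: reject mixed case now rather than
  # discovering it on the first failed AWS call.
  if [ "$scope" = "admin" ]; then
    scope_args="--admin"
  else
    case $scope in
      ""|*[!a-z0-9-]*)
        echo "tenant must be lower-case alphanumeric, got '$scope'" >&2
        return 1 ;;
    esac
    scope_args="--tenant $scope"
  fi

  if [ "$auth" = "interactive" ]; then
    auth_args="--interactive"
  else
    auth_args="--token $auth"
  fi

  # One section per profile name: the AWS CLI parses the file as INI, and a
  # duplicate [profile ...] section is ambiguous.
  if grep -qxF "[profile $env_name]" "$config_file" 2>/dev/null; then
    echo "profile '$env_name' already exists in $config_file" >&2
    return 1
  fi

  {
    printf '[profile %s]\n' "$env_name"
    printf 'credential_process=duplo-jit aws --host https://%s.duplocloud.net %s %s\n' \
      "$env_name" "$scope_args" "$auth_args"
    printf '\n'
  } >> "$config_file"

  # An embedded API token is a long-lived secret in plaintext: keep the file
  # readable by the owner only.
  if [ "$auth" != "interactive" ]; then
    chmod 600 "$config_file"
  fi
}
```

Prefer the interactive form for workstations: a token written into ~/.aws/config outlives every JIT session it mints, so anyone who can read that file can keep minting one-hour sessions until the token is revoked in the portal.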
When you make the first AWS call, you are prompted to grant authorization through the DuploCloud portal, as shown below. Click Authorize if you consent.
Upon successful authorization, a Just-In-Time token is provided, which is valid for one hour. When the token expires, you are prompted to re-authorize the request.
Obtain access to AWS using the Command Line Interface (CLI).
As long as you use an AWS_PROFILE that matches the profile name you set in the section above, the AWS CLI obtains the required access credentials from duplo-jit automatically. For example:
```shell
AWS_PROFILE=<ENV_NAME> aws ec2 describe-instances
```
To obtain a link to the AWS Console, run one of the following commands; each copies the Console URL to your clipboard so that you can paste it into any browser.
All of these examples assume Administrator role access and pass the --admin flag. If you are obtaining JIT access for a User role (not Administrator), replace the --admin argument in the following code snippets with --tenant <YOUR_TENANT>, for example --tenant dev01. Tenants are lower-case at the CLI.
If you receive errors when attempting to retrieve credentials, try running the command with the --no-cache argument.
zsh shell
Add the following to your .zshrc file:
Usage is jitnow <ENV_NAME>.
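As an added example covering both the console-link commands and the jitnow shell function described above (not code from the DuploCloud documentation or the duplo-jit project), the following POSIX shell snippet requests an interactive duplo-jit session, extracts the Console URL, and places it on the clipboard. It assumes that `duplo-jit aws` prints credential_process JSON containing a `ConsoleUrl` field alongside the AWS credential fields, and that the portal host follows the `https://<ENV_NAME>.duplocloud.net` pattern; both are assumptions to verify against your own duplo-jit output. The helper functions `console_url_from_json` and `copy_to_clipboard` are part of this example, not duplo-jit.

```shell
#!/bin/sh
# Added example, not from the DuploCloud docs or the duplo-jit project.
# Turns a duplo-jit session into an AWS Console link on the clipboard.
# Assumption: `duplo-jit aws` emits credential_process JSON that also carries
# a "ConsoleUrl" field; the portal host is https://<ENV_NAME>.duplocloud.net.

# Read credential_process JSON on stdin and print only the ConsoleUrl value.
# Handles single-line or pretty-printed JSON and does not require jq.
console_url_from_json() {
  sed -n 's/.*"ConsoleUrl"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Copy stdin to the clipboard on macOS, X11 or WSL; otherwise fall back to stdout.
copy_to_clipboard() {
  if command -v pbcopy >/dev/null 2>&1; then pbcopy
  elif command -v xclip >/dev/null 2>&1; then xclip -selection clipboard
  elif command -v clip.exe >/dev/null 2>&1; then clip.exe
  else cat
  fi
}

# jitnow ENV_NAME [TENANT]
#   jitnow <ENV_NAME>          Administrator session (--admin), as on this page
#   jitnow <ENV_NAME> <tenant> USER-role session scoped to a lower-case tenant
#   JITNOW_NO_CACHE=1          adds --no-cache when credential retrieval errors
jitnow() {
  env_name=$1
  if [ -z "$env_name" ]; then
    echo "usage: jitnow ENV_NAME [TENANT]" >&2
    return 2
  fi
  if [ -n "$2" ]; then
    scope_args="--tenant $2"
  else
    scope_args="--admin"
  fi
  cache_args=""
  if [ "${JITNOW_NO_CACHE:-0}" = "1" ]; then
    cache_args="--no-cache"
  fi

  # Unquoted $scope_args/$cache_args are intentional: they may hold two words.
  url=$(duplo-jit aws --host "https://$env_name.duplocloud.net" $scope_args $cache_args --interactive \
        | console_url_from_json)
  if [ -z "$url" ]; then
    echo "jitnow: no ConsoleUrl in duplo-jit output (try JITNOW_NO_CACHE=1)" >&2
    return 1
  fi

  # The URL embeds a federation sign-in token, so it is itself a credential:
  # keep it off the terminal and out of shell history.
  printf '%s' "$url" | copy_to_clipboard
}
```

The sign-in URL is a bearer credential for the whole JIT session: anyone who obtains it before it expires can open the console as you, so copy it to the clipboard rather than echoing it into a log or a shared terminal.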
By default, JIT sessions expire after one (1) hour. This can be modified for a specific Tenant in the DuploCloud Portal.
If you increase the JIT session timeout beyond the AWS default of one (1) hour, you must also update the maximum session duration value for the IAM role assigned to your DuploCloud Tenant using the instructions below; otherwise AWS STS rejects the AssumeRole call because the requested DurationSeconds exceeds the role's MaxSessionDuration.
In the DuploCloud Portal, navigate to Administrator -> Tenant.
Select the Tenant from the NAME column.
Click the Settings tab, and click Add. The Add Tenant Feature pane displays.
Select AWS Access Token Validity from the Select Feature list box.
In the Value field, enter the length of time JIT access should remain active in seconds.
Click Update. The new setting is displayed on the Tenant details page under the Settings tab.
By default, AWS IAM roles have a maximum session duration of one (1) hour. This can be adjusted by modifying the maximum session duration for the AWS Master IAM role in the DuploCloud Portal.
From the DuploCloud Portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Add Config pane displays.
From the Config Type list box, select AppConfig.
From the Key list box, select AdminJitSessionDuration.
In the Value field, enter the length of time JIT access should remain active in seconds.
Click Submit. The Admin-JIT session duration is configured.
| Processor/Operating System | Archive |
|---|---|
| Intel macOS | darwin_amd64.zip |
| M1 macOS | darwin_arm64.zip |
| Windows | windows_amd64.zip |