
Just-In-Time (JIT) access to roles

Granted can be used with Common Fate for just-in-time access to privileged AWS roles.

Prerequisites

For this recipe, you’ll need a Common Fate deployment. Email us or message us on Slack to arrange a Common Fate licence key for a proof-of-concept deployment.

You’ll also need Granted v0.23.0 or later installed.

You can use Granted to request just-in-time access to roles. Internally, Granted relies on the AWS credential_process mechanism: the AWS CLI and SDKs call Granted for credentials, and Granted obtains them (requesting access through Common Fate first if needed).

You will need to update the AWS profile in ~/.aws/config for each role you want to request access to. Rename the four sso_* keys to their granted_sso_* equivalents (these are read by Granted rather than by the AWS SDK) and add a credential_process entry that invokes Granted for that same profile. For example, a standard SSO profile such as this:

[profile my-profile]
sso_account_id = <your-sso-account-id>
sso_region = <your-sso-region>
sso_role_name = <your-role-name>
sso_start_url = <https://example.awsapps.com/start>

becomes:

[profile updated-profile]
granted_sso_account_id = <your-sso-account-id>
granted_sso_region = <your-sso-region>
granted_sso_role_name = <your-role-name>
granted_sso_start_url = <https://example.awsapps.com/start>
credential_process = granted credential-process --profile updated-profile
common_fate_url = https://commonfate.example.com # the URL of your Common Fate deployment

The value passed to --profile must match the profile's own section name (updated-profile above), because Granted reads the granted_sso_* settings from the profile it is asked for.

Providing the common_fate_url is optional. If it is not provided, Granted will look up the Common Fate API URL from the Common Fate TOML config file.
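The rewrite above is mechanical but easy to get subtly wrong when you have many profiles (a leftover sso_* key, or a credential_process that names a different profile). The following script is an added example, not code from Granted or Common Fate: it loads an AWS config, converts a chosen profile to the granted_sso_* form with a matching credential_process line, and checks a converted profile for the mistakes described above. The sample config contents are constructed for the example; the only Granted-specific string it relies on is the `granted credential-process --profile <name>` invocation shown on this page.

```python
import configparser
from io import StringIO

# Constructed sample ~/.aws/config (not from the page): two ordinary
# IAM Identity Center (SSO) profiles; we will convert one of them.
SAMPLE_CONFIG = """\
[profile production-access-role]
sso_account_id = 123456789012
sso_region = us-east-1
sso_role_name = AWSAdministratorAccess
sso_start_url = https://example.awsapps.com/start

[profile dev-readonly]
sso_account_id = 210987654321
sso_region = us-east-1
sso_role_name = ReadOnlyAccess
sso_start_url = https://example.awsapps.com/start
"""

SSO_KEYS = ("sso_account_id", "sso_region", "sso_role_name", "sso_start_url")


def load_config(text: str) -> configparser.ConfigParser:
    """Parse AWS-config-style INI text (interpolation off: URLs may contain '%')."""
    config = configparser.ConfigParser(interpolation=None)
    config.read_string(text)
    return config


def dump_config(config: configparser.ConfigParser) -> str:
    """Serialise the config back to text, e.g. for writing to ~/.aws/config."""
    buf = StringIO()
    config.write(buf)
    return buf.getvalue()


def convert_profile_to_jit(config: configparser.ConfigParser, profile: str,
                           common_fate_url: str = "") -> None:
    """Rewrite '[profile NAME]' in place for Granted just-in-time access.

    Each sso_* key is renamed to granted_sso_* (read by Granted, not the AWS
    SDK) and a credential_process entry pointing at this same profile name
    is added. common_fate_url is optional; Granted falls back to its own
    TOML config when it is absent.
    """
    section = f"profile {profile}"
    if not config.has_section(section):
        raise KeyError(f"no such profile: {profile}")
    for key in SSO_KEYS:
        if not config.has_option(section, key):
            raise ValueError(f"{profile}: missing {key}; not an SSO profile")
        config.set(section, f"granted_{key}", config.get(section, key))
        config.remove_option(section, key)
    # The --profile argument must be this section's own name.
    config.set(section, "credential_process",
               f"granted credential-process --profile {profile}")
    if common_fate_url:
        config.set(section, "common_fate_url", common_fate_url)


def check_jit_profile(config: configparser.ConfigParser, profile: str) -> list:
    """Return a list of problems with a converted profile (empty when it is OK)."""
    section = f"profile {profile}"
    problems = []
    if not config.has_section(section):
        return [f"no such profile: {profile}"]
    for key in SSO_KEYS:
        if config.has_option(section, key):
            problems.append(f"native {key} still present; rename it to granted_{key}")
        if not config.has_option(section, f"granted_{key}"):
            problems.append(f"granted_{key} missing")
    expected = f"granted credential-process --profile {profile}"
    actual = config.get(section, "credential_process", fallback="")
    if actual != expected:
        problems.append(f"credential_process should be {expected!r}, got {actual!r}")
    return problems


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    convert_profile_to_jit(cfg, "production-access-role",
                           "https://commonfate.example.com")
    print(dump_config(cfg))
    print("problems:", check_jit_profile(cfg, "production-access-role"))
```

Run it against a copy of your real ~/.aws/config rather than the live file, and review the diff before replacing it; the checker is also useful on its own after a hand edit, since a credential_process that names the wrong profile fails only at assume time.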

Now, try assuming a profile that you don’t currently have access to. For example:

> assume production-access-role

You should see output similar to the following; the exact messages depend on the authorization policies you have configured in Common Fate.

> assume production-access-role
[i] You don't currently have access to production-access-role, checking if we can request access... [target=AWS::Account::"123456789012", role=AWSAdministratorAccess, url=https://commonfate.example.com]
[WILL ACTIVATE] AWSAdministratorAccess access to Sandbox-2 will be activated for 2h: https://commonfate.example.com/access/requests/req_2eoefaC9KCuIiOAZ541JsOlU97t
[i] Access::Grant::"gra_2eoefkXzQap0kjm6O8fzrLwUbaz": Access is automatically approved because you are on-call in PagerDuty
? Apply proposed access changes (y/N)