AWS Integration

JITSudo integrates with AWS IAM Identity Center (successor to AWS SSO) to provision and revoke temporary access assignments.

Prerequisites

AWS Organizations with IAM Identity Center enabled
An IAM role for JITSudo with permissions to manage Identity Center assignments

Configuration

AWS_REGION=us-east-1
IC_INSTANCE_ARN=arn:aws:sso:::instance/ssoins-xxxxxxxxx

The IC_INSTANCE_ARN variable specifies the Identity Center instance. It is required for the worker to provision grants. The server can operate without it for API-only functionality.

Required IAM Permissions

JITSudo needs an IAM role with:

sso-admin:CreateAccountAssignment
sso-admin:DeleteAccountAssignment
sso-admin:DescribeAccountAssignmentCreationStatus
sso-admin:DescribeAccountAssignmentDeletionStatus
sso-admin:ListPermissionSets
sso-admin:ListAccountsForProvisionedPermissionSet
organizations:ListAccounts
sts:AssumeRole

JITSudo uses the standard AWS SDK credential chain. In production, use an IAM role attached to your compute (ECS task role, EC2 instance profile, etc.).

Per-Tenant AWS Role

Each tenant can specify an aws_role_arn that JITSudo assumes when provisioning assignments for that tenant. This enables multi-account isolation where different tenants manage different AWS organizations.

Provisioning Flow

Request approved → ProvisionGrantWorker enqueued
Worker assumes the tenant’s AWS role (if configured)
CreateAccountAssignment called on Identity Center
Worker polls provisioning status (async operation)
Grant marked as active on success
On expiration → RevokeGrantWorker calls DeleteAccountAssignment

The provisioner handles AWS throttling with automatic retries and exponential backoff.

Drift Reconciliation

The DriftReconcileWorker runs periodically (configurable via RECONCILIATION_INTERVAL, default 30s) to:

Compare active grants against actual Identity Center assignments
Provision missing assignments
Flag unexpected assignments
Uses advisory locking to prevent concurrent execution across worker replicas