Multi-Tenancy
JITSudo enforces multi-tenancy at the database level. Every core table has a tenant_id foreign key, and every API request (except /healthz) must carry an X-Tenant-ID header.
Tenant Isolation
Each tenant operates independently with:
- Separate Cedar policy rule sets
- Isolated access requests and grants
- Independent AWS resource cache and configurations
- Dedicated API keys
- Per-tenant OIDC configuration
- Separate notification channel setup
- Email domain-to-tenant mapping
Managing Tenants
Tenants are managed via the API using API key authentication:
```bash
# Create a tenant
curl -X POST https://jitsudo.example.com/v1/tenants \
  -H "X-API-Key: <api-key>" \
  -H "Content-Type: application/json" \
  -d '{"name": "engineering", "aws_role_arn": "arn:aws:iam::123456789012:role/JITSudoRole"}'

# List tenants
curl https://jitsudo.example.com/v1/tenants \
  -H "X-API-Key: <api-key>"
```
Tenant Headers
The X-Tenant-ID header is required on every API call. The web UI sets it automatically from the tenant_id claim in the authenticated user's JWT. The claim name is configurable via OIDC_TENANT_CLAIM (default: tenant_id).
Domain Mapping
Email domains can be mapped to tenants via the tenant_domains table, enabling automatic tenant resolution during OIDC login based on the domain of the user's email address.
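The following is an added, self-contained illustration of the two resolution paths described above (the JWT tenant claim named by OIDC_TENANT_CLAIM, and the tenant_domains fallback at login) together with the tenant_id-scoped query that the database-level design implies. It is example code written for this page, not JITSudo's implementation; the schema, table columns, sample rows and the Request type are all constructed here, and the check that X-Tenant-ID must agree with the tenant derived from the caller's identity is the check a server should perform in this design, not a statement about what JITSudo does. API-key callers are left out because the page does not say what tenant an API key is bound to.

```python
import os
import sqlite3
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed schema for this example (not JITSudo's real schema): every core
# table carries a tenant_id foreign key; tenant_domains maps email domains to
# tenants for login-time resolution.
SCHEMA = """
CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE tenant_domains (
    domain    TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id));
CREATE TABLE access_requests (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id),
    requester TEXT NOT NULL,
    role_arn  TEXT NOT NULL);
"""

# Constructed sample data: two tenants, one mapped domain each, three requests.
TENANTS = [("t-eng", "engineering"), ("t-ops", "operations")]
DOMAINS = [("example.com", "t-eng"), ("example.org", "t-ops")]
REQUESTS = [
    (1, "t-eng", "alice@example.com", "arn:aws:iam::123456789012:role/JITSudoRole"),
    (2, "t-ops", "bob@example.org", "arn:aws:iam::123456789012:role/OpsRole"),
    (3, "t-eng", "carol@example.com", "arn:aws:iam::123456789012:role/JITSudoRole"),
]


class TenantError(Exception):
    """Raised when a request cannot be bound to exactly one tenant."""


@dataclass
class Request:
    """Hypothetical request shape used only by this example."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Claims from an already-verified OIDC JWT; None when no user is logged in.
    claims: Optional[Dict[str, str]] = None


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?, ?)", TENANTS)
    conn.executemany("INSERT INTO tenant_domains VALUES (?, ?)", DOMAINS)
    conn.executemany("INSERT INTO access_requests VALUES (?, ?, ?, ?)", REQUESTS)
    conn.commit()
    return conn


def tenant_for_email(conn: sqlite3.Connection, email: str) -> Optional[str]:
    """Domain-to-tenant lookup used at OIDC login (domain compared case-insensitively)."""
    domain = email.rpartition("@")[2].lower()
    if not domain:
        return None
    row = conn.execute(
        "SELECT tenant_id FROM tenant_domains WHERE domain = ?", (domain,)).fetchone()
    return row[0] if row else None


def resolve_tenant(conn: sqlite3.Connection, req: Request,
                   claim_name: Optional[str] = None) -> Optional[str]:
    """Return the tenant the request is scoped to, or None for /healthz.

    The tenant comes from the caller's identity: the JWT claim named by
    OIDC_TENANT_CLAIM (default tenant_id), falling back to the email-domain
    mapping. X-Tenant-ID is required and must agree with that value, so a
    caller cannot reach another tenant's data just by changing the header.
    """
    if req.path == "/healthz":
        return None
    header_tenant = req.headers.get("X-Tenant-ID")
    if not header_tenant:
        raise TenantError("X-Tenant-ID header is required")
    if req.claims is None:
        raise TenantError("authentication required")
    claim_name = claim_name or os.environ.get("OIDC_TENANT_CLAIM", "tenant_id")
    identity_tenant = req.claims.get(claim_name)
    if identity_tenant is None:
        identity_tenant = tenant_for_email(conn, req.claims.get("email", ""))
    if identity_tenant is None:
        raise TenantError("no tenant could be resolved for this identity")
    if identity_tenant != header_tenant:
        raise TenantError("X-Tenant-ID does not match the caller's tenant")
    return header_tenant


def list_access_requests(conn: sqlite3.Connection,
                         tenant_id: str) -> List[Tuple[int, str, str]]:
    """Every read of a core table carries the tenant_id predicate."""
    return conn.execute(
        "SELECT id, requester, role_arn FROM access_requests "
        "WHERE tenant_id = ? ORDER BY id", (tenant_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    alice = Request("/v1/requests", {"X-Tenant-ID": "t-eng"},
                    {"tenant_id": "t-eng", "email": "alice@example.com"})
    print(list_access_requests(db, resolve_tenant(db, alice)))
```

The important property is that the header never selects the tenant on its own: the server derives the tenant from the verified identity and only accepts a request whose X-Tenant-ID matches. Treating the header as authoritative would let any authenticated user read another tenant's rows by editing one request.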