
Production Checklist

Verify these items before deploying JITSudo to production.

  • JWT_SECRET set to a strong, unique value generated from a CSPRNG (not the development default, and never a hand-picked phrase)
  • OIDC provider configured with proper redirect URI (OIDC_REDIRECT_URI)
  • API keys generated and stored securely (raw key is only shown once on creation)
  • Database connection uses TLS (?sslmode=require in DATABASE_URL at minimum; require encrypts the connection but does not verify the server certificate, so prefer sslmode=verify-full with the server CA where your PostgreSQL host supports it)
  • JITSudo worker runs with a least-privilege IAM role scoped to Identity Center operations
  • PostgreSQL 15+ with automated backups and point-in-time recovery
  • API server behind a load balancer with TLS termination
  • Worker process running alongside the API server (shares DATABASE_URL)
  • Health check endpoint (GET /healthz) configured in load balancer
  • IC_INSTANCE_ARN set on the worker for grant provisioning
  • Production OIDC provider configured (not Dex)
  • OIDC_GROUPS_CLAIM and OIDC_TENANT_CLAIM match your IdP’s token structure
  • At least one tenant created with a valid aws_role_arn
  • At least one API key created for admin automation
  • Application logs forwarded to your logging platform (LOG_LEVEL set to info or more verbose; warn/error-only logging drops the request and grant events you will need during an investigation)
  • Database connection pool metrics monitored
  • AWS API rate limits monitored (Identity Center has low default limits)
  • Worker job queue depth monitored (River stores jobs in PostgreSQL)
  • Grant expiration and drift reconciliation health monitored
  • Cedar policies reviewed and tested for each tenant
  • Notification channels configured for request.pending and grant.active events at minimum
  • Break-glass emergency access policies in place with appropriate logging
  • Approval timeouts configured to prevent stale pending requests
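Several of the items above are plain environment settings, so they can be checked mechanically before a rollout. The script below is an added example and not part of JITSudo's own tooling: it reads the variable names named in the checklist (JWT_SECRET, DATABASE_URL, OIDC_REDIRECT_URI, IC_INSTANCE_ARN, LOG_LEVEL) and reports errors and warnings. The set of weak default secrets, the 32-character minimum and the exact Identity Center instance ARN pattern are this example's assumptions; adjust them to match your deployment.

```python
"""Pre-deployment environment checker for a JITSudo-style deployment.

Added example, not JITSudo's own code. Variable names come from the
production checklist; the default-secret values, the minimum secret
length and the Identity Center ARN regex are assumptions made here.
"""
import os
import re
import sys
from urllib.parse import parse_qs, urlparse

# Assumed development placeholders; replace with the real default if it differs.
WEAK_JWT_SECRETS = {"", "changeme", "secret", "dev-secret", "development"}
MIN_JWT_SECRET_LEN = 32  # assumption: 256 bits of key material for an HMAC-signed JWT
# Assumed shape of an Identity Center instance ARN: arn:aws:sso:::instance/ssoins-<16 hex>
IC_INSTANCE_ARN_RE = re.compile(r"^arn:aws:sso:::instance/ssoins-[0-9a-f]{16}$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
# "LOG_LEVEL=info minimum" is read as: nothing quieter than info.
ACCEPTABLE_LOG_LEVELS = {"debug", "info"}


def check_env(env):
    """Return a list of (severity, variable, message); severity is 'error' or 'warn'."""
    findings = []

    secret = env.get("JWT_SECRET", "")
    if secret.strip().lower() in WEAK_JWT_SECRETS:
        findings.append(("error", "JWT_SECRET", "missing or a known development default"))
    elif len(secret) < MIN_JWT_SECRET_LEN:
        findings.append(("error", "JWT_SECRET", f"shorter than {MIN_JWT_SECRET_LEN} characters"))

    db = urlparse(env.get("DATABASE_URL", ""))
    if db.scheme not in ("postgres", "postgresql"):
        findings.append(("error", "DATABASE_URL", "not a postgres:// URL"))
    else:
        sslmode = parse_qs(db.query).get("sslmode", [""])[0]
        if sslmode not in ("require", "verify-ca", "verify-full"):
            findings.append(("error", "DATABASE_URL",
                             "sslmode must be require, verify-ca or verify-full"))
        elif sslmode != "verify-full":
            # 'require' only encrypts: libpq accepts any server certificate, so an
            # on-path attacker presenting its own certificate is not detected.
            findings.append(("warn", "DATABASE_URL",
                             f"sslmode={sslmode} does not verify the server certificate; prefer verify-full"))

    redirect = urlparse(env.get("OIDC_REDIRECT_URI", ""))
    if redirect.scheme != "https":
        findings.append(("error", "OIDC_REDIRECT_URI", "must be an https:// URL"))
    if (redirect.hostname or "") in LOCAL_HOSTS:
        findings.append(("error", "OIDC_REDIRECT_URI", "points at a loopback/dev host"))

    if not IC_INSTANCE_ARN_RE.match(env.get("IC_INSTANCE_ARN", "")):
        findings.append(("error", "IC_INSTANCE_ARN",
                         "missing or not an Identity Center instance ARN (worker cannot provision grants)"))

    if env.get("LOG_LEVEL", "").lower() not in ACCEPTABLE_LOG_LEVELS:
        findings.append(("error", "LOG_LEVEL",
                         "must be info or debug so request and grant events are emitted"))

    return findings


def is_production_ready(env):
    """True when no 'error' finding is present; warnings alone do not block."""
    return not any(sev == "error" for sev, _, _ in check_env(env))


if __name__ == "__main__":
    # Run against the real process environment on the deploy host.
    for sev, var, msg in check_env(os.environ):
        print(f"[{sev.upper()}] {var}: {msg}")
    sys.exit(0 if is_production_ready(os.environ) else 1)
```

Run it on the host (or in the CI job) that will start the API server and the worker, since both read the same DATABASE_URL while only the worker needs IC_INSTANCE_ARN. A non-zero exit blocks the rollout; warnings are printed but do not fail the check, so the sslmode=require case is visible without forcing a certificate rollout on the first pass.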