Introduction

JITSudo is an open-source, self-hosted just-in-time (JIT) access management platform for AWS Identity Center. It enables teams to request temporary elevated access with automatic expiration — zero standing privileges, zero friction.

  • Just-in-time access — request temporary AWS permissions that automatically expire
  • Cedar policy engine — fine-grained, priority-based authorization rules with auto-approve, manual review, and break-glass modes
  • Multi-tenant — full tenant isolation with separate policies, users, API keys, and AWS configurations
  • Audit trail — every action logged with actor, resource, and timestamp for compliance
  • Notification channels — Slack, email, webhooks, and AWS SNS alerts for request lifecycle events
  • Self-hosted — runs in your infrastructure with PostgreSQL and your own AWS Identity Center instance

  1. A user submits an access request through the web UI, specifying an AWS account, permission set, and duration
  2. JITSudo evaluates the request against Cedar policies scoped to the tenant
  3. Depending on the policy match, the request is auto-approved, sent for manual review, or denied
  4. Approved requests create grants — the worker provisions an AWS Identity Center account assignment
  5. When the grant expires, the worker automatically revokes the assignment
  6. A drift reconciliation loop detects and corrects mismatches between desired and actual AWS state
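The following is an added illustration of the request lifecycle and the drift-reconciliation loop described above, written for this page and not taken from the JITSudo code base. It models the Cedar-style policy match as a hypothetical `Rule` type (highest priority wins, default deny when nothing matches), represents grants with an expiry, and shows how a reconciliation pass derives the assignments to provision and revoke from the difference between desired and actual state. The rule shape, the `Evaluate` and `Reconcile` functions, and the sample tenants, accounts and permission-set names are all assumptions for the example; break-glass mode is not modeled.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Mode is the outcome a matching rule assigns to a request.
type Mode int

const (
	Deny Mode = iota
	ManualReview
	AutoApprove
)

func (m Mode) String() string {
	return [...]string{"deny", "manual-review", "auto-approve"}[m]
}

// Request is what a user submits: an account, a permission set and a duration.
type Request struct {
	TenantID, User, Account, PermissionSet string
	Duration                               time.Duration
}

// Rule is a hypothetical stand-in for a Cedar policy. An empty Account or
// PermissionSet acts as a wildcard; MaxDuration == 0 means no duration cap.
type Rule struct {
	TenantID, Account, PermissionSet string
	MaxDuration                      time.Duration
	Priority                         int
	Mode                             Mode
}

func (r Rule) matches(req Request) bool {
	if r.TenantID != req.TenantID { // rules are scoped to one tenant
		return false
	}
	if r.Account != "" && r.Account != req.Account {
		return false
	}
	if r.PermissionSet != "" && r.PermissionSet != req.PermissionSet {
		return false
	}
	return r.MaxDuration == 0 || req.Duration <= r.MaxDuration
}

// Evaluate returns the Mode of the highest-priority rule that matches the
// request within its tenant. No matching rule means the request is denied.
func Evaluate(rules []Rule, req Request) Mode {
	var best *Rule
	for i := range rules {
		r := &rules[i]
		if r.matches(req) && (best == nil || r.Priority > best.Priority) {
			best = r
		}
	}
	if best == nil {
		return Deny
	}
	return best.Mode
}

// Grant is an approved request; the assignment must exist until ExpiresAt.
type Grant struct {
	User, Account, PermissionSet string
	ExpiresAt                    time.Time
}

// Key identifies the Identity Center assignment a grant corresponds to.
func (g Grant) Key() string { return g.User + "|" + g.Account + "|" + g.PermissionSet }

// Reconcile compares desired state (unexpired grants) with the assignment
// keys actually present and returns the keys to provision and to revoke.
// Expired grants and assignments nobody granted both show up as revocations.
func Reconcile(grants []Grant, actual []string, now time.Time) (provision, revoke []string) {
	desired := map[string]bool{}
	for _, g := range grants {
		if now.Before(g.ExpiresAt) {
			desired[g.Key()] = true
		}
	}
	present := map[string]bool{}
	for _, a := range actual {
		present[a] = true
		if !desired[a] {
			revoke = append(revoke, a)
		}
	}
	for k := range desired {
		if !present[k] {
			provision = append(provision, k)
		}
	}
	sort.Strings(provision)
	sort.Strings(revoke)
	return provision, revoke
}

func main() {
	// Constructed sample policy for tenant "acme": read-only access up to
	// 4h is auto-approved, admin access needs review, admin on prod is denied,
	// and anything else falls through to manual review.
	rules := []Rule{
		{TenantID: "acme", Priority: 1, Mode: ManualReview},
		{TenantID: "acme", PermissionSet: "ReadOnly", MaxDuration: 4 * time.Hour, Priority: 10, Mode: AutoApprove},
		{TenantID: "acme", PermissionSet: "AdminAccess", Priority: 20, Mode: ManualReview},
		{TenantID: "acme", Account: "prod", PermissionSet: "AdminAccess", Priority: 30, Mode: Deny},
	}
	req := Request{TenantID: "acme", User: "alice", Account: "dev", PermissionSet: "ReadOnly", Duration: 2 * time.Hour}
	fmt.Println("decision:", Evaluate(rules, req))

	now := time.Now()
	grants := []Grant{{"alice", "dev", "ReadOnly", now.Add(time.Hour)}, {"bob", "dev", "ReadOnly", now.Add(-time.Hour)}}
	prov, rev := Reconcile(grants, []string{"bob|dev|ReadOnly", "carol|dev|AdminAccess"}, now)
	fmt.Println("provision:", prov, "revoke:", rev)
}
```

Note that `Reconcile` treats an assignment with no live grant behind it the same way whether the grant expired or never existed: both are drift relative to the database and both are revoked, which is what makes the loop self-correcting after a missed expiration job or an out-of-band change.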

JITSudo runs three processes:

  • API Server — HTTP API (chi router) serving the OpenAPI 3.0.3 spec on port 8080
  • Worker — background job processor (River, PostgreSQL-backed) handling grant provisioning, revocation, expiration, drift reconciliation, and notifications
  • Frontend — React + TypeScript SPA with TanStack Query for data fetching

All data is stored in PostgreSQL with tenant isolation enforced at the database level via tenant_id foreign keys.