Managing Grants
Grants represent active access assignments provisioned by JITSudo in AWS Identity Center.
Viewing Grants
Navigate to My Grants in the web UI, or query the API:

```shell
curl https://jitsudo.example.com/v1/grants \
  -H "Authorization: Bearer <jwt>" \
  -H "X-Tenant-ID: <tenant-uuid>"
```

Each grant shows:
- Target AWS account and permission set
- Duration and expiration time
- Current provisioning state
Grant States
| State | Description |
|---|---|
| active | Access is live — the AWS SSO assignment exists |
| expired | Grant duration elapsed, assignment being revoked |
| revoked | Assignment has been removed (manual or automatic) |
Grant Lifecycle
The worker manages the full grant lifecycle:
- Provisioning — ProvisionGrantWorker creates the AWS Identity Center account assignment (retries up to 5 times)
- Active — access is live, the user can authenticate via the AWS SSO portal
- Expiration — ExpireGrantsWorker runs every 30 seconds, marking expired grants and enqueueing revocation
- Revocation — RevokeGrantWorker deletes the AWS assignment (retries up to 10 times, highest priority)
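The lifecycle above, written out as an added example (not JITSudo's own code): a small state machine for the active → expired → revoked transitions, plus one pass of the expiry sweep that the ExpireGrantsWorker performs. The grant fields, the `SAMPLE_NOW` timestamp and the sample grants are constructed assumptions, not JITSudo's schema; early revocation is modelled as a direct active → revoked transition.

```python
"""Grant lifecycle: state transitions and one expiry-sweep pass.
Added illustration; record fields and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Allowed transitions. An active grant may expire, or be revoked early
# (the DELETE /v1/grants/<grant-id> path); an expired grant may only be
# revoked; a revoked grant is terminal.
TRANSITIONS = {
    "active": {"expired", "revoked"},
    "expired": {"revoked"},
    "revoked": set(),
}

# Fixed "now" used by the constructed sample data below (assumption).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Grant:
    grant_id: str
    account_id: str
    permission_set: str
    expires_at: datetime
    state: str = "active"
    history: list = field(default_factory=list)


def allowed(state: str, new_state: str) -> bool:
    """True if the lifecycle permits moving from state to new_state."""
    return new_state in TRANSITIONS.get(state, set())


def transition(grant: Grant, new_state: str) -> Grant:
    """Move a grant to new_state, refusing transitions the lifecycle forbids."""
    if not allowed(grant.state, new_state):
        raise ValueError(f"{grant.grant_id}: cannot go from {grant.state} to {new_state}")
    grant.history.append((grant.state, new_state))
    grant.state = new_state
    return grant


def expire_sweep(grants: list, now: datetime) -> list:
    """One pass of the expiry worker: mark every active grant whose
    expiration time has passed as expired and return the grant ids that
    should be enqueued for revocation. Non-active grants are left alone,
    so repeated passes are idempotent."""
    to_revoke = []
    for g in grants:
        if g.state == "active" and g.expires_at <= now:
            transition(g, "expired")
            to_revoke.append(g.grant_id)
    return to_revoke


def sample_grants(now: datetime = SAMPLE_NOW) -> list:
    """Constructed sample: one overdue active grant, one still valid,
    one already revoked."""
    return [
        Grant("g-1", "111111111111", "ReadOnly", now - timedelta(minutes=5)),
        Grant("g-2", "111111111111", "AdminAccess", now + timedelta(hours=1)),
        Grant("g-3", "222222222222", "ReadOnly", now - timedelta(hours=2), state="revoked"),
    ]


if __name__ == "__main__":
    grants = sample_grants()
    print("enqueue revocation for:", expire_sweep(grants, SAMPLE_NOW))
    for g in grants:
        print(g.grant_id, g.state, g.history)
```

The sweep only acts on active grants, which is what makes a 30-second loop safe to re-run: a grant that has already been marked expired is not re-enqueued, and a revoked grant is never revived.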
Early Revocation
Revoke an active grant before it expires:

```shell
curl -X DELETE https://jitsudo.example.com/v1/grants/<grant-id> \
  -H "Authorization: Bearer <jwt>" \
  -H "X-Tenant-ID: <tenant-uuid>"
```

Drift Reconciliation
The worker runs a periodic drift reconciliation loop (configurable via RECONCILIATION_INTERVAL, default 30s) that compares desired grant state against actual AWS Identity Center assignments and corrects any mismatches.
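The comparison the reconciliation loop performs, as an added example that is not JITSudo's own code: the desired set is derived from grants in the active state, the actual set is what Identity Center reports, and the difference yields assignments to create (a provisioning that never landed) and assignments to delete (a revocation that never completed). The record shapes, the short permission-set names and the `managed_permission_sets` scope filter are assumptions; the filter exists so the loop never touches assignments JITSudo does not manage.

```python
"""Drift reconciliation: diff desired grants against observed Identity
Center assignments and produce corrective actions.
Added illustration with constructed data; shapes are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One Identity Center account assignment (constructed shape)."""
    account_id: str
    permission_set: str
    principal_id: str


def _key(a: Assignment):
    return (a.account_id, a.permission_set, a.principal_id)


def desired_assignments(grants: list) -> set:
    """Only grants in the active state should be backed by an assignment;
    expired and revoked grants must have none."""
    return {
        Assignment(g["account_id"], g["permission_set"], g["principal_id"])
        for g in grants
        if g["state"] == "active"
    }


def reconcile(grants: list, actual: list, managed_permission_sets: set):
    """Return (to_create, to_delete) as sorted lists.

    Only assignments on permission sets JITSudo manages are compared, so an
    assignment created outside JITSudo on some other permission set is
    neither reported nor deleted (assumption about scoping)."""
    desired = {a for a in desired_assignments(grants)
               if a.permission_set in managed_permission_sets}
    observed = {a for a in actual
                if a.permission_set in managed_permission_sets}
    to_create = sorted(desired - observed, key=_key)   # provisioning drift
    to_delete = sorted(observed - desired, key=_key)   # revocation drift
    return to_create, to_delete


# Constructed sample: what JITSudo believes (grants) versus what Identity
# Center reports (actual). Permission-set names are placeholders.
MANAGED = {"ps-ro", "ps-admin"}

SAMPLE_GRANTS = [
    {"grant_id": "g-1", "state": "active", "account_id": "111111111111",
     "permission_set": "ps-ro", "principal_id": "user-a"},
    {"grant_id": "g-2", "state": "active", "account_id": "111111111111",
     "permission_set": "ps-admin", "principal_id": "user-b"},
    {"grant_id": "g-3", "state": "revoked", "account_id": "222222222222",
     "permission_set": "ps-ro", "principal_id": "user-c"},
]

SAMPLE_ACTUAL = [
    Assignment("111111111111", "ps-ro", "user-a"),      # matches g-1
    Assignment("222222222222", "ps-ro", "user-c"),      # g-3 revoked but still present
    Assignment("333333333333", "ps-legacy", "user-z"),  # not managed, ignored
]


if __name__ == "__main__":
    create, delete = reconcile(SAMPLE_GRANTS, SAMPLE_ACTUAL, MANAGED)
    print("create:", create)
    print("delete:", delete)
```

In the sample, g-2 is active but has no assignment (a ProvisionGrantWorker run that exhausted its retries would look like this), and g-3 is revoked but its assignment still exists (a RevokeGrantWorker failure); the loop's job is to bring both back in line, and the scope filter keeps it from acting on anything it did not provision.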