Jit
Bases: DuploResource
Just In Time (JIT) Resource
Just in time access for AWS. This will use Duplo credentials to ask a certain Duplo portal for temporary AWS credentials. These credentials will be valid for a certain amount of time and will be used to access AWS resources.
Usage
using the duploctl
command line tool, you can manage services with actions:
aws
AWS STS Session Credentials
Provides a full sts session with credentials and region. The default return is a valid exec credential for the AWS CLI. The global --admin
flag can be used to get the credentials for an admin, or else per tenant
credentials are returned. The --interactive
flag can be used to get the credentials for an interactive session and use the cache.
Using in AWS CLI Credential Process
Here is an example for using the duploctl jit for aws in an AWS CLI config file.
Get AWS Environment Variables
Here is an example using a query and env output to create some just in time aws credentials.
duploctl jit aws -o env -q '{AWS_ACCESS_KEY_ID: AccessKeyId, AWS_SECRET_ACCESS_KEY: SecretAccessKey, AWS_SESSION_TOKEN: SessionToken, AWS_REGION: Region}'
A one liner to export those credentials as environment variables.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
nocache
|
bool
|
Do not use cached credentials. Only for other methods to use. |
None
|
Returns:
Name | Type | Description |
---|---|---|
sts |
dict
|
The AWS STS session credentials. |
gcp
GCP Access Token
Get the GCP JWT token for the current user. This is the token that is used to authenticate with the GCP API. You must be an admin to use this feature.
Using for gcloud cli access
Here is how to set the needed environment variables for the gcloud cli.
Returns:
Name | Type | Description |
---|---|---|
token |
dict
|
The GCP JWT token. |
k8s
Kubernetes JIT Exec Credentials
Provides a full exec credential for kubectl. The default return is a valid exec credential for the kubectl CLI. The global --admin
flag can be used to get the credentials for an admin, or else per tenant.
An admin can pass the --plan
or else it will be discovered from the chosen tenant. A non admin must
choose a tenant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
planId
|
PLAN
|
The planId aka name the infrastructure. |
None
|
Returns:
Name | Type | Description |
---|---|---|
credentials |
dict
|
A Kubernetes client ExecCredential. |
k8s_context
Get k8s context
Gets context based on planId or tenant name or admin or nonadmin.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
planId
|
PLAN
|
The planId of the infrastructure. |
None
|
Returns:
Name | Type | Description |
---|---|---|
context |
dict
|
The k8s context. |
token
update_aws_config
Update AWS Config
Update the AWS config file with a new profile. This will add a new profile to the AWS config file.
This will honor the AWS_CONFIG_FILE
environment variable if it is set.
This will set the aws cli credentialprocess to use the duploctl jit aws
command.
The generated command will inherit the --host
, --admin
, and --interactive
flags from the current command.
Add Admin Profile
Run this command to add an admin profile.
This generates the following in the AWS config file.Parameters:
Name | Type | Description | Default |
---|---|---|---|
name
|
NAME
|
The name of the profile to add. |
required |
Returns:
Name | Type | Description |
---|---|---|
msg |
dict
|
The message that the profile was added. |
update_kubeconfig
Update Kubeconfig
Update the kubeconfig file with a new context. This will add a new context to the kubeconfig file. This will honor the KUBECONFIG
environment variable if it is set. The generated command will inherit the --host
, --admin
, and --interactive
flags from the current command.
Add Admin Context
Run this command to add an admin context.
This generates the following user credential process in the kubeconfig file.users:
- name: myplan
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- jit
- k8s
- --plan
- myplan
- --host
- https://myportal.duplocloud.net
- --admin
- --interactive
command: duploctl
env: null
installHint: |2
Install duploctl for use with kubectl by following
https://github.com/duplocloud/duploctl
interactiveMode: IfAvailable
provideClusterInfo: false
Parameters:
Name | Type | Description | Default |
---|---|---|---|
planId
|
PLAN
|
The planId of the infrastructure. |
None
|
save
|
bool
|
Save the kubeconfig file. This is a code only option. |
True
|
Returns:
Name | Type | Description |
---|---|---|
msg |
dict
|
The message that the kubeconfig was updated. Unless save is False, then the kubeconfig is returned. |
web
Open Cloud Console
Opens a default or specified browser to the Duploclouds underlying cloud.
Currently this only supports AWS. The global --browser
flag can be used to specify a browser.
Usage:
Returns:
Name | Type | Description |
---|---|---|
msg |
dict
|
The message that the browser is opening. |