Jit

Bases: DuploResource

Just In Time (JIT) Resource

Just in time access for AWS. This will use Duplo credentials to ask a certain Duplo portal for temporary AWS credentials. These credentials will be valid for a certain amount of time and will be used to access AWS resources.

Usage

Using the duploctl command line tool, you can manage services with actions:

duploctl jit <action>

aws

AWS STS Session Credentials

Provides a full sts session with credentials and region. The default return is a valid exec credential for the AWS CLI. The global --admin flag can be used to get the credentials for an admin, or else per tenant credentials are returned. The --interactive flag can be used to get the credentials for an interactive session and use the cache.

Basic Usage

duploctl jit aws

Using in AWS CLI Credential Process

Here is an example of using duploctl jit aws in an AWS CLI config file.

[profile myportal]
region=us-west-2
output=json
credential_process=duploctl jit aws --host https://myportal.duplocloud.net --admin --interactive

Get AWS Environment Variables

Here is an example using a query and env output to create some just-in-time AWS credentials.

duploctl jit aws -o env -q '{AWS_ACCESS_KEY_ID: AccessKeyId, AWS_SECRET_ACCESS_KEY: SecretAccessKey, AWS_SESSION_TOKEN: SessionToken, AWS_REGION: Region}'

A one-liner to export those credentials as environment variables.

for i in $(duploctl jit aws -q '{AWS_ACCESS_KEY_ID: AccessKeyId, AWS_SECRET_ACCESS_KEY: SecretAccessKey, AWS_SESSION_TOKEN: SessionToken, AWS_REGION: Region}' -o env); do export "$i"; done

Parameters:

Name     Type  Description                                                    Default
nocache  bool  Do not use cached credentials. Only for other methods to use.  None

Returns:

Name  Type  Description
sts   dict  The AWS STS session credentials.

gcp

GCP Access Token

Get the GCP JWT token for the current user. This is the token that is used to authenticate with the GCP API. You must be an admin to use this feature.

Using for gcloud CLI access

Here is how to set the needed environment variables for the gcloud CLI.

for i in $(duploctl jit gcp -q '{CLOUDSDK_AUTH_ACCESS_TOKEN: Token, CLOUDSDK_CORE_PROJECT: ProjectId}' -o env); do export "$i"; done

Usage

duploctl jit gcp

Returns:

Name   Type  Description
token  dict  The GCP JWT token.
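
The export one-liners shown for aws and gcp export every name the command prints into the current shell. The following is an added example, not part of duploctl or its documentation, that exports only an allowlist of names and can confine the credentials to a single command. It assumes -o env prints one KEY=value pair per line; name_ok, load_jit_env, run_with_jit and the sample values are hypothetical names constructed for illustration.

```bash
# Added example, not duploctl code. Assumes `-o env` prints one KEY=value per line.
AWS_NAMES="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_REGION"
GCP_NAMES="CLOUDSDK_AUTH_ACCESS_TOKEN CLOUDSDK_CORE_PROJECT"
# Constructed sample output; the last two lines are ones a loader should skip.
sample_env_output() {
  cat <<'EOF'
AWS_ACCESS_KEY_ID=ASIACONSTRUCTED00000
AWS_SECRET_ACCESS_KEY=constructed/secret+with=chars
AWS_SESSION_TOKEN=constructed//token==
AWS_REGION=us-west-2
UNEXPECTED_VAR=1
not an assignment
EOF
}
# name_ok NAME "ALLOWED LIST": NAME is a plain identifier and is on the list.
name_ok() {
  case "$1" in "" | *[!A-Za-z0-9_]*) return 1 ;; esac
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# load_jit_env "ALLOWED LIST": read KEY=value lines on stdin, export only the
# allowlisted names, return 1 if any line was skipped. Values are never echoed.
load_jit_env() {
  local lineno=0 rc=0 line name
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    [ -z "$line" ] && continue
    case "$line" in *=*) name=${line%%=*} ;; *) name="" ;; esac
    if name_ok "$name" "$1"; then
      export "$name=${line#*=}"
    else
      echo "line $lineno: skipped, name not on allowlist" >&2; rc=1
    fi
  done
  return "$rc"
}

# run_with_jit "ALLOWED LIST" "ENV_TEXT" CMD...: run CMD in a subshell holding
# the credentials; refuses if any line was skipped, and exports nothing outside.
run_with_jit() {
  local names="$1" env_text="$2"; shift 2
  (
    load_jit_env "$names" <<EOF || exit 1
$env_text
EOF
    "$@"
  )
}
```

With the real tool, pass the output of the duploctl jit aws query above as the second argument together with AWS_NAMES, or the output of the gcp query together with GCP_NAMES.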

k8s

Kubernetes JIT Exec Credentials

Provides a full exec credential for kubectl. The default return is a valid exec credential for the kubectl CLI. The global --admin flag can be used to get the credentials for an admin, or else per-tenant credentials are returned. An admin can pass the --plan flag, or else the plan will be discovered from the chosen tenant. A non-admin must choose a tenant.

Usage

duploctl jit k8s

Parameters:

Name    Type  Description                                     Default
planId  PLAN  The planId, aka the name of the infrastructure.  None

Returns:

Name         Type  Description
credentials  dict  A Kubernetes client ExecCredential.

k8s_context

Get k8s context

Gets the context based on the planId or tenant name, for an admin or non-admin user.

Parameters:

Name    Type  Description                        Default
planId  PLAN  The planId of the infrastructure.  None

Returns:

Name     Type  Description
context  dict  The k8s context.

token

Get JWT Token

Get the JWT token for the current user. This is the token that is used to authenticate with the Duplo API.

Usage

duploctl jit token

Returns:

Name   Type  Description
token  dict  The JWT token.

update_aws_config

Update AWS Config

Update the AWS config file with a new profile. This will add a new profile to the AWS config file. This will honor the AWS_CONFIG_FILE environment variable if it is set. This will set the AWS CLI credential_process to use the duploctl jit aws command. The generated command will inherit the --host, --admin, and --interactive flags from the current command.

Usage

duploctl jit update_aws_config myprofile

Add Admin Profile

Run this command to add an admin profile.

duploctl jit update_aws_config myportal --admin --interactive

This generates the following in the AWS config file.

[profile myportal]
region = us-west-2
credential_process = duploctl jit aws --host https://myportal.duplocloud.net --interactive --admin
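
An added example, not part of duploctl: a small audit of an AWS config file that lists the profiles whose credential_process calls duploctl jit aws (as in the generated profile above and the earlier credential process example), reporting the portal host, whether --admin is set, and whether the host URL uses https. The function names and all sample file contents other than the myportal profile are constructed for illustration.

```bash
# Added example, not duploctl code. Function names and sample file are constructed.

# Constructed AWS config: the first profile is the one shown on this page.
sample_aws_config() {
  cat <<'EOF'
[profile myportal]
region = us-west-2
credential_process = duploctl jit aws --host https://myportal.duplocloud.net --interactive --admin

[profile static-keys]
region = us-east-1

[profile constructed-dev]
credential_process=duploctl jit aws --host http://dev.example.invalid --interactive
EOF
}

# audit_duplo_profiles [FILE]: one line per profile whose credential_process
# runs `duploctl jit aws`: name, portal host, admin flag, URL scheme check.
# Defaults to AWS_CONFIG_FILE, then ~/.aws/config.
audit_duplo_profiles() {
  awk '
    /^\[/ {
      profile = $0
      gsub(/^\[(profile[ \t]+)?|\][ \t]*$/, "", profile)
    }
    /^[ \t]*credential_process[ \t]*=/ && /duploctl[ \t]+jit[ \t]+aws/ {
      host = ""; admin = "no"
      n = split($0, w, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (w[i] == "--host" && i < n) host = w[i + 1]
        if (w[i] == "--admin") admin = "yes"
      }
      scheme = (host ~ /^https:\/\//) ? "https" : "NOT-HTTPS"
      print profile, (host == "" ? "-" : host), "admin=" admin, scheme
    }
  ' "${1:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}"
}
```

Profiles reported with admin=yes are the ones that can mint admin session credentials on demand, so they are the entries to review first on shared or unmanaged workstations.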

Parameters:

Name  Type  Description                      Default
name  NAME  The name of the profile to add.  required

Returns:

Name  Type  Description
msg   dict  The message that the profile was added.

update_kubeconfig

Update Kubeconfig

Update the kubeconfig file with a new context. This will add a new context to the kubeconfig file. This will honor the KUBECONFIG environment variable if it is set. The generated command will inherit the --host, --admin, and --interactive flags from the current command.

Usage

duploctl jit update_kubeconfig --plan myplan

Add Admin Context

Run this command to add an admin context.

duploctl jit update_kubeconfig --plan myplan --admin --interactive

This generates the following user credential process in the kubeconfig file.

users:
- name: myplan
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - jit
      - k8s
      - --plan
      - myplan
      - --host
      - https://myportal.duplocloud.net
      - --admin
      - --interactive
      command: duploctl
      env: null
      installHint: |2

        Install duploctl for use with kubectl by following
        https://github.com/duplocloud/duploctl
      interactiveMode: IfAvailable
      provideClusterInfo: false

Parameters:

Name    Type  Description                                            Default
planId  PLAN  The planId of the infrastructure.                      None
save    bool  Save the kubeconfig file. This is a code only option.  True

Returns:

Name  Type  Description
msg   dict  The message that the kubeconfig was updated, unless save is False, in which case the kubeconfig is returned.

web

Open Cloud Console

Opens a default or specified browser to DuploCloud's underlying cloud. Currently this only supports AWS. The global --browser flag can be used to specify a browser.

Usage:

duploctl jit web --browser chrome

Returns:

Name  Type  Description
msg   dict  The message that the browser is opening.