Configure Just-in-Time (JIT) Access in Lightrun

Permissions

  • Requires ROLE_MANAGER permissions.
  • You need a Lightrun Enterprise plan to use JIT access, which is based on the Role-Based Access Control (RBAC) functionality.

Lightrun supports Just-in-Time (JIT) access through REST APIs, which lets administrators generate ad-hoc, time-restricted permissions to sensitive agent pools for predetermined periods. Access is granted only as needed, for example when a developer requires access to a specific platform for a week or as part of on-call production duty.

JIT access is ideal for companies with policies and regulations restricting access to sensitive environments and requiring access to be granted for the minimal period necessary. It allows these companies to automate the provision of elevated permissions and manage them via existing processes and systems external to Lightrun.

Applying JIT access protects your production environment while not interfering with the agility developers need to access environments for resolving critical issues or supporting customer needs.

Rules and guidelines

  • User limit per grant: A maximum of 50 users can be granted temporary access in a single grant.
  • Number of concurrent grants: Up to 100 concurrent temporary access grants are allowed at any given time. Access requests beyond this threshold will be denied.
  • Access expiration period: Access rights should be time-bound, ensuring they are automatically revoked once no longer needed. Temporary access can be granted for a period of up to 31 days. Requests for a longer time period will be denied.
  • Agent Pool limit per grant: A single temporary access session can grant access to a maximum of 20 agent pools.
  • Least Privilege Principle: Users should be granted the minimum level of access necessary to perform their tasks.
  • Audit and Compliance: All access requests and grants should be logged and monitored to maintain compliance and enable audits.
  • User-friendly Automation: The system should be automated but also intuitive for users to request and receive access without extensive delays or complexities.
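
A pre-flight check for automation that requests JIT grants, added here as an example (not Lightrun code): it rejects a request that exceeds the limits listed above before any API call is made. The `GrantRequest` shape, the violation codes, and the way concurrent grants are counted (a grant counts until its end time passes) are assumptions; the REST payload format is not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits taken from the "Rules and guidelines" list on this page.
MAX_USERS_PER_GRANT = 50
MAX_POOLS_PER_GRANT = 20
MAX_CONCURRENT_GRANTS = 100
MAX_DURATION = timedelta(days=31)


@dataclass(frozen=True)
class GrantRequest:
    """Hypothetical request shape; not Lightrun's REST schema."""
    users: tuple
    agent_pool_ids: tuple
    start: datetime
    end: datetime


def validate_grant(req, active_grants, now=None):
    """Return a list of violation codes; an empty list means the request fits."""
    now = now or datetime.now(timezone.utc)
    errors = []
    users, pools = set(req.users), set(req.agent_pool_ids)  # ignore duplicates
    if not users or not pools:
        errors.append("empty_scope")
    if len(users) > MAX_USERS_PER_GRANT:
        errors.append("too_many_users")
    if len(pools) > MAX_POOLS_PER_GRANT:
        errors.append("too_many_pools")
    if req.end <= req.start or req.end <= now:
        errors.append("invalid_window")
    elif req.end - req.start > MAX_DURATION:
        errors.append("window_too_long")
    # Assumption: a grant counts as concurrent until its end time passes.
    live = sum(1 for g in active_grants if g.end > now)
    if live >= MAX_CONCURRENT_GRANTS:
        errors.append("concurrent_limit_reached")
    return errors


if __name__ == "__main__":
    # Constructed sample data; the pool ID is a placeholder.
    now = datetime(2024, 9, 16, tzinfo=timezone.utc)
    on_call = GrantRequest(("dev1@example.com",), ("pool-id-placeholder",),
                           now, now + timedelta(days=7))
    too_long = GrantRequest(("dev1@example.com",), ("pool-id-placeholder",),
                            now, now + timedelta(days=32))
    print(validate_grant(on_call, [], now))
    print(validate_grant(too_long, [], now))
```

Logging each rejected request together with its violation codes gives the audit trail the guidelines call for, including for requests that never reach Lightrun.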

Prerequisites

Do the following prior to configuring JIT:

  1. RBAC Security: Ensure that Role-Based Access Control (RBAC) features are enabled on your platform.

  2. Agent Pools: Create the necessary agent pools for your engineering groups, as they will be used for debugging.

  3. Agent Pool ID: You will need the Agent Pool ID when setting Just-In-Time (JIT) access on agent pools.

    To retrieve the agent pool IDs, send a GET api/v1/agent-pool request, which returns a list of all agent pools.

JIT Access REST API commands

The following JIT Access REST APIs are supported and are described in detail in the Lightrun REST API:

To learn more about the Lightrun REST API conventions, see Lightrun public REST API.


Last update: September 16, 2024