Apache 2.0 open source

Zero persistent
admin access.
Just in time.

JIT privileged access for AWS, Azure, GCP, and Kubernetes. Built for SREs — and the AI agents that work alongside them.

15m default TTL

4 cloud providers

0 persistent elevation

# request S3 read access for 15 min
❯ jitsudo request aws s3:GetObject \
    --ttl 15m --reason "prod debug"
Submitting request...
✓ Auto-approved (trust tier 3)
Session: jit-a1b2c3d4
Expires: 14:47 UTC

# confirm active sessions
❯ jitsudo sessions --active
ID            RESOURCE     TTL  STATUS
jit-a1b2c3d4  aws/s3:Get*  12m  active

# access auto-revokes at expiry
❯ █

ARCHITECTURE

Control plane you deploy,
providers you trust

A lightweight daemon handles all elevation logic. Humans approve via Slack. AI agents request via MCP. Everything expires automatically.

REQUESTORS

CLI (jitsudo)

MCP server

Slack bot

OIDC / gRPC

›

CONTROL PLANE

jitsudod

OPA PostgreSQL

provider plugin

›

PROVIDERS

AWS IAM

Azure AD

GCP IAM

Kubernetes RBAC

WHY JITSUDO

Built for the agentic era

AI agent native

MCP server interface lets agents request JIT access without human-in-the-loop for pre-approved patterns.

Zero persistent elevation

All access grants expire automatically. No standing admin roles, ever.

Policy as code

OPA-backed policies live in git. Who, what, when — fully auditable and version-controlled.

Multi-cloud

AWS, Azure, GCP, and Kubernetes via a unified provider plugin interface.

Audit-first

Every request, approval, and expiry written to a unified, tamper-evident audit log.

Self-hosted

Deploy with Docker Compose or Helm. No cloud dependency, no SaaS vendor lock-in.

Ready to drop persistent admin access?

Open source. Self-hosted. Apache 2.0 CLI.

Read the docs Get started →

Zero persistent admin access. Just in time.

Control plane you deploy,providers you trust