A Guide to Just-in-Time Access in Code Execution

How can you give developers just-in-time access, temporary precise permissions, when they run code on shared servers?

Most organizations still let engineers log into a build box or CI runner with a long‑lived SSH key or a static service account. The key is copied to the host, stored in a vault, and then reused for weeks or months. When a developer runs a script, the process inherits that credential and can reach any database, internal API, or storage bucket the key was originally granted for. There is no record of who executed which command, no way to hide passwords that appear in logs, and no checkpoint to stop a dangerous operation before it runs.

That state satisfies the immediate need to get code running, but it creates a blind spot for security teams. A compromised key can be used to pivot across services, and auditors have no evidence of the exact commands that were issued. The blast radius of a single breach can expand dramatically because the same credential is trusted everywhere.

Why just-in-time access matters for code execution

Just-in-time access means granting a permission only for the moment it is needed, and revoking it automatically afterward. In a code‑execution context, the developer asks for a specific capability, read a secret, write to a table, or deploy a container, and receives a short‑lived token that expires as soon as the job finishes. This limits the window an attacker can abuse a credential and reduces the risk of lateral movement.

Beyond limiting time, just-in-time access also scopes the permission to the exact resource and operation. Instead of a blanket "read‑all‑databases" role, the request might be "read the customers table for the reporting job". The tighter the scope, the smaller the impact of a mistake.

The missing control: a data‑path gateway

Even with identity providers that can issue short‑lived tokens, the request still travels directly from the runner to the target service. That direct path gives the runner full control over the network connection, meaning it can bypass any policy checks, hide commands, or replay traffic. Without an enforcement point that sits between the identity and the resource, you cannot guarantee that every request is evaluated, recorded, or masked.

What you need is a Layer 7 gateway that intercepts the protocol, evaluates the request against policy, and only then forwards it. The gateway must be able to:

Validate the just-in-time token against the identity provider.
Enforce fine‑grained rules before the command reaches the service.
Record the full session for later replay.
Mask sensitive fields in responses so they never appear in logs.

Only a gateway placed in the data path can provide these guarantees.

Continue reading? Get the full guide.

Just-in-Time Access + Secret Detection in Code (TruffleHog, GitLeaks): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Introducing hoop.dev as the enforcement layer

hoop.dev is built exactly for this role. It sits between identities and infrastructure, acting as an identity‑aware proxy for code‑execution workloads such as SSH, RDP, or container runtimes. When a developer initiates a job, hoop.dev receives the request, validates the just-in-time token, and applies policy before allowing traffic to the target.

Setup: identity and least‑privilege grants

Authentication is handled via OIDC or SAML. The gateway trusts the token, extracts group membership, and maps it to a set of scoped permissions. Because the token is short‑lived, the underlying credential never leaves the gateway, satisfying the principle of least privilege.

The data path: where hoop.dev enforces

All traffic for code execution passes through hoop.dev. Because the gateway is the only point that can forward packets, it is the sole place where enforcement can happen. No agent or runner can bypass the checks without breaking the connection.

Enforcement outcomes

hoop.dev records each session, creating an audit trail that shows who ran which command and when. It masks sensitive fields in real‑time, preventing passwords or tokens from leaking into logs. When a request exceeds policy, hoop.dev blocks the command before it reaches the target. For high‑risk operations, hoop.dev can pause the request and require a human approver, delivering just‑in‑time approval. Finally, the gateway stores a replayable stream of the session so investigators can reconstruct exactly what happened.

These outcomes exist only because hoop.dev occupies the data path; without it, the runner would retain unchecked access.

Getting started

To try this model, follow the getting started guide and review the learn page for deeper details on policy configuration and session replay. The repository on GitHub contains the full open‑source code and example deployments.

FAQ

Is just‑in‑time access compatible with existing CI pipelines?

Yes. CI jobs can request a short‑lived token from the identity provider, then hand it to hoop.dev, which will enforce the scoped policy before the job reaches any downstream service.

What happens to a session if the runner crashes?

hoop.dev continues to record the session until the connection is closed. The recorded stream is stored independently of the runner, ensuring a complete audit trail.

Can I use hoop.dev with multiple identity providers?

hoop.dev supports any OIDC or SAML provider, so you can federate across Azure AD, Google Workspace, Okta, or any SAML‑compatible IdP.

Ready to see the code? View the source on GitHub and start securing your code execution with just‑in‑time access today.