AWS CLI Profiles with Just-in-Time Access Approval

The AWS account needed elevated permissions, now. No one wanted to keep long-lived keys around. No one wanted to grant access forever. The clock was ticking.

AWS CLI–style profiles with just-in-time access approval are the way to break out of that loop. They give you the speed you want without leaving doors wide open. You ask for access. A human or automated system checks. You get a temporary key. You do the work. The key dies. Nothing lingers.

With AWS CLI, profiles are a known thing. You set them in your config. But with just-in-time (JIT) approval, those profiles are not static. They are alive, on demand. Instead of a permanent block in the credentials file, you have a request that triggers a decision. Approvers see who is asking, what resources they want, and why. One click later, AWS gives a short-lived session token for only the time and scope approved.

Security teams stop worrying about stale IAM roles. Developers stop chasing admins for keys. Audit logs show exactly who got access, when, and for what. Compliance teams find their evidence without digging.

The core idea is simple:

  • No permanent AWS CLI profiles for sensitive roles.
  • Request access when needed.
  • Approve or deny in real time.
  • Issue temporary credentials via STS.
  • Expire them automatically.

This model fits tight security rules without slowing engineering. You work in the same CLI flow, switch profiles with --profile, run your commands, and move on. The difference is that the profile only works after approval and only for short bursts.
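One way to back such a profile is the AWS CLI's `credential_process` setting, which runs a helper and reads temporary credentials from its JSON output. The sketch below is an added example, not code from this page or from Hoop.dev; the approval record schema, request ID, role ARN and credential values are constructed assumptions, and the STS call itself is left out so the logic runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

STS_MIN_SECONDS = 900  # sts:AssumeRole rejects DurationSeconds below 15 minutes


class AccessDenied(Exception):
    """Raised when no credentials may be issued for the request."""


def assume_role_params(approval, now):
    """Map an approval record (hypothetical schema) to sts:AssumeRole arguments."""
    if approval["status"] != "approved":
        raise AccessDenied(f"request {approval['id']} is {approval['status']}")
    remaining = int((approval["approved_until"] - now).total_seconds())
    # STS cannot issue a session shorter than 15 minutes, so refuse instead of
    # handing out credentials that would outlive the approved window.
    if remaining < STS_MIN_SECONDS:
        raise AccessDenied("approval window expired or shorter than STS minimum")
    return {
        "RoleArn": approval["role_arn"],
        "RoleSessionName": f"jit-{approval['requester']}-{approval['id']}",
        "DurationSeconds": min(remaining, approval["max_seconds"]),
    }


def credential_process_output(creds):
    """Render STS credentials as the JSON the CLI reads from credential_process."""
    return json.dumps({
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].isoformat(),
    })


if __name__ == "__main__":
    # Constructed sample data; a real helper would load the approval from the
    # approval system and pass the parameters to STS AssumeRole.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    approval = {"id": "REQ-1042", "requester": "alice", "status": "approved",
                "role_arn": "arn:aws:iam::111122223333:role/ExampleProdAdmin",
                "approved_until": now + timedelta(minutes=30), "max_seconds": 3600}
    params = assume_role_params(approval, now)
    fake = {"AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-token",
            "Expiration": now + timedelta(seconds=params["DurationSeconds"])}
    print(credential_process_output(fake))
```

Because the session name carries the requester and request ID, the CloudTrail entries for the assumed role can be tied back to the approval that allowed them.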

You can build this from scratch with IAM, STS, and custom approval pipelines. Or you can skip the months of integration pain. Hoop.dev gives you AWS CLI–style profiles that are bound to just-in-time access approval out of the box. You install it. Set it. And get live, auditable, temporary access flows in minutes.

See it in action. Request, approve, and switch profiles. Watch the permissions vanish when the timer runs out. Try it now with Hoop.dev and go from static keys to dynamic, secure AWS CLI sessions before your coffee cools.