When teams manage access to sensitive systems, keeping permissions tight without interrupting workflows is a constant challenge. Just-In-Time (JIT) access approval offers a solution by granting temporary access only when it’s needed. While some organizations use platforms to automate these workflows, shell scripting can provide a lightweight way to implement JIT within your existing infrastructure.
In this post, we’ll explore how to build shell scripts for Just-In-Time access approval. We’ll walk through the essentials, explain key concepts, and provide actionable examples so you can automate secure, temporary permissions.
What is Just-In-Time Access Approval?
JIT access approval ensures users only get temporary access to resources after explicit approval. Instead of keeping static access permissions, it enables workflows that dynamically assign roles or credentials based on active requests.
Why does it matter?
- Reduce Risk: Employees or contractors aren’t stuck with permanent access to critical tools or services.
- Compliance-Friendly: Temporary permissions help meet regulatory standards like CIS, GDPR, or ISO.
- Streamlined Ops: Teams don’t need to waste time managing access manually.
By creating your own approval flow using shell scripts, you control how requests happen, who approves them, and how permissions are applied, without relying on external tools.
Building Blocks for JIT Access with Shell Scripts
Here’s what you need to implement Just-In-Time access approval via shell scripting:
1. Request Workflow
A user submits a request for access. This can be as simple as filling out a form, sending an email, or executing a command that logs the request.
echo "$(date): User $USER requested access to $RESOURCE">> /var/log/jit_access.log
2. Approval Mechanism
Approvals ensure that access isn’t automatically granted. Keep approvers in the loop while building safeguards against abuse. Automate notifications using email or chat integrations.
if [ "$approval_status"== "approved"]; then
echo "$(date): Access approved for $USER">> /var/log/jit_access.log
else
echo "Access denied or pending!"
fi
3. Temporary Access Tokens
Generate credentials for the user once approved. Time limits can be implemented with tools like at or cron to expire access after a set duration.
# Grant access for 1 hour
adduser --expiredate=$(date -d '+1 hour') $USER
echo "$(date): Provisioned temporary access for $USER">> /var/log/jit_access.log
4. Revocation Process
In JIT workflows, safety depends on ensuring access automatically terminates after the allowed time. Build in cleanup mechanisms to remove temporary user accounts or roles.
# Revoke access
deluser $USER
echo "$(date): Revoked access for $USER">> /var/log/jit_access.log
Step-by-Step Scripting Workflow for JIT Access
Define the Flow:
Here’s a simple sequence to handle JIT access requests:
- Request Submission: Log access details (user, resource, request time).
- Notify Approvers: Alert a decision-maker for approval or rejection.
- Approval Grant & Notify: On approval, create a temporary user/token and inform the requester.
- Log All Events: Track requests, approvals, temporary credentials, and automatic revocations.
Here’s how a sample end-to-end script might look:
#!/bin/bash
# User requests access
USER="johndoe"
RESOURCE="DatabaseX"
LOG="/var/log/jit_access.log"
EXPIRY="1 hour"
echo "$(date): User $USER requested access to $RESOURCE">> $LOG
# Notify approver (Script Hook)
read -p "Approve access for $USER to $RESOURCE (y/n)? "approval_status
if [ "$approval_status"== "y"]; then
# Provision temporary access
adduser --expiredate=$(date -d "+$EXPIRY") $USER
echo "$(date): Temporary access granted to $USER for $EXPIRY">> $LOG
# Schedule Revocation
echo "deluser $USER && echo "$(date): Revoked access for $USER" >> $LOG"| at now + $EXPIRY
echo "Access has been provisioned for $EXPIRY."
else
echo "$(date): Access denied for $USER">> $LOG
echo "Request denied."
fi
Modify and expand this as per your organization’s specific tools (e.g., integrate REST APIs, Slack bots, or IAM-level tooling).
Challenges and How to Solve Them
1. Real-Time Notifications
Use CLI tools like sendmail, curl for Slack/MS Teams APIs, or notify-send on Linux to notify approvers without manual intervention.
echo "Access request pending for $USER"| mail -s "JIT Access Request"admin@company.com
2. Token Expiry Accuracy
When using tools like at, ensure servers handle timezones uniformly (consider UTC) to avoid issues where expiration doesn’t match the original intent.
3. Auditing
Standard logging works, but routing logs to a centralized system like AWS CloudWatch or Elastic Stack ensures visibility and compliance.
Why Shell Scripts for JIT Access
- Customization: Modify workflows and approval logic to suit your pipelines.
- Lightweight: No heavy dependencies – uses native system tools.
- Control: Directly integrate with your team’s existing infra without vendor lock-in.
Of course, as access needs scale, DIY automation with scripts can become hard to maintain. That’s where solutions like Hoop.dev simplify JIT workflows, offering a more robust, real-time implementation.
Test it Live
You’ve seen how shell scripts enable just-in-time access automation. But why stop at scripts? With Hoop.dev, you can automate, audit, and simplify this process across distributed teams in minutes.
Get started now – no setup overhead, no manual scripting. See for yourself how seamless JIT access can be.