jitsudo approve / deny
Approve or deny a pending elevation request. These commands require an approver role as determined by your organization’s OPA policies.
Synopsis
Section titled “Synopsis”jitsudo approve <request-id> [--comment <text>]jitsudo deny <request-id> --reason <text>Description
Section titled “Description”jitsudo approve transitions a PENDING request to APPROVED, which immediately triggers credential issuance. The requester’s credentials become available as soon as they run jitsudo exec or jitsudo shell.
jitsudo deny transitions a PENDING request to REJECTED. The denial reason is recorded in the audit log and returned to the requester.
Both commands require exactly one positional argument: the request ID to act on. Use jitsudo status --pending to list requests awaiting action.
jitsudo approve
Section titled “jitsudo approve”| Flag | Required | Description |
|---|---|---|
--comment <text> | No | Optional approval comment recorded in the audit log |
jitsudo deny
Section titled “jitsudo deny”| Flag | Required | Description |
|---|---|---|
--reason <text> | Yes | Reason for denial (recorded in audit log and visible to requester) |
Global Flags
Section titled “Global Flags”| Flag | Default | Description |
|---|---|---|
--server <url> | Stored credentials | Control plane URL |
--token <token> | Stored credentials | Bearer token override |
-o, --output <format> | table | Output format: table, json, yaml |
-q, --quiet | false | Suppress non-essential output |
--debug | false | Enable debug logging |
Examples
Section titled “Examples”# List requests waiting for your approvaljitsudo status --pending
# Approve a request with an optional commentjitsudo approve req_01J8KZ4F2EMNQZ3V7XKQYBD4Wjitsudo approve req_01J8KZ4F2EMNQZ3V7XKQYBD4W --comment "Approved for INC-4421 response"
# Deny a request (reason is required)jitsudo deny req_01J8KZ4F2EMNQZ3V7XKQYBD4W \ --reason "Not authorized for production access outside change windows"Output
Section titled “Output”# approveRequest req_01J8KZ4F2EMNQZ3V7XKQYBD4W → APPROVED
# denyRequest req_01J8KZ4F2EMNQZ3V7XKQYBD4W → REJECTEDApprover Workflow
Section titled “Approver Workflow”A typical approver session:
# 1. See what needs approvaljitsudo status --pending
# 2. Review the specific requestjitsudo status req_01J8KZ4F2EMNQZ3V7XKQYBD4W
# 3. Approve or denyjitsudo approve req_01J8KZ4F2EMNQZ3V7XKQYBD4W --comment "Looks good"Policy Enforcement
Section titled “Policy Enforcement”Whether a user can approve a request is governed by the approval OPA policy. The policy can:
- Restrict approval to specific groups (e.g. only
sre-oncallcan approve production access). - Require multiple approvers.
- Auto-approve requests meeting certain criteria (short duration, low-risk role).
See the Writing Policies guide for details on the approval policy input schema.