
Azure Provider

The Azure provider grants temporary elevated access by creating Azure RBAC role assignments via the ARM Authorization API. User principal IDs are resolved automatically from Entra ID (Azure AD) via the Microsoft Graph API.

  1. jitsudod resolves the user’s Azure object ID from their UPN (email) via Microsoft Graph.
  2. jitsudod looks up the role definition ID for the requested role name.
  3. A role assignment is created with a deterministic GUID derived from the request ID (enables idempotency).
  4. The credential returned is the AZURE_SUBSCRIPTION_ID of the target subscription.
  5. On revocation or expiry, jitsudod deletes the role assignment.

jitsudod needs an Entra ID identity (service principal or managed identity) with these permissions:

| Permission | Purpose |
|---|---|
| `Microsoft.Authorization/roleAssignments/write` | Create role assignments |
| `Microsoft.Authorization/roleAssignments/delete` | Delete role assignments on revocation |
| `Microsoft.Authorization/roleDefinitions/read` | Look up role definition IDs |
| `Microsoft.Graph/User.Read.All` (API permission) | Resolve user UPN → object ID |

Assign these at the subscription scope (or narrower if you want to restrict to specific subscriptions).

On AKS, use workload identity to avoid storing credentials:

```bash
# Create a managed identity
az identity create \
  --name jitsudo-control-plane \
  --resource-group my-resource-group

# Get the client ID
CLIENT_ID=$(az identity show \
  --name jitsudo-control-plane \
  --resource-group my-resource-group \
  --query clientId -o tsv)

# Grant it the required permissions
az role assignment create \
  --assignee "$CLIENT_ID" \
  --role "User Access Administrator" \
  --scope "/subscriptions/SUBSCRIPTION_ID"

# Grant Microsoft Graph permission (requires Entra admin)
# Note: `az ad app permission add` targets an app registration. A user-assigned
# managed identity has only a service principal, so for it grant User.Read.All
# as an app role assignment on that service principal (Microsoft Graph
# servicePrincipals/{id}/appRoleAssignments) instead.
az ad app permission add \
  --id "$CLIENT_ID" \
  --api 00000003-0000-0000-c000-000000000000 \
  --api-permissions df021288-bdef-4463-88db-98f22de89214=Role # User.Read.All
```

Annotate the Helm ServiceAccount:

```yaml
serviceAccount:
  annotations:
    azure.workload.identity/client-id: "<managed-identity-client-id>"
```

For non-Kubernetes deployments, use a service principal with a client secret:

```bash
# Create the service principal
az ad sp create-for-rbac \
  --name jitsudo-control-plane \
  --role "User Access Administrator" \
  --scopes "/subscriptions/SUBSCRIPTION_ID"
```

Supply the secret via the AZURE_CLIENT_SECRET environment variable (do not put it in the config file).

```yaml
providers:
  azure:
    # Entra ID (Azure AD) tenant ID
    tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    # Default subscription ID when no resource scope is provided in requests
    default_subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    # Client ID of the service principal or managed identity used by jitsudod
    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    # Credential source:
    #   "workload_identity" — AKS managed identity or workload identity (recommended)
    #   "client_secret"     — service principal with AZURE_CLIENT_SECRET env var
    credentials_source: "workload_identity"
    # Maximum elevation window
    max_duration: "4h"
```


| Field | Required | Default | Description |
|---|---|---|---|
| `tenant_id` | Yes | | Entra ID tenant ID |
| `default_subscription_id` | Yes | | Fallback subscription when request scope is empty |
| `client_id` | Yes | | Service principal or managed identity client ID |
| `credentials_source` | No | `workload_identity` | `workload_identity` or `client_secret` |
| `max_duration` | No | no cap | Maximum elevation window |

```bash
# Request Contributor access on a subscription
jitsudo request \
  --provider azure \
  --role Contributor \
  --scope xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --duration 1h \
  --reason "Update AKS node pool autoscaling"

# Request Reader access on a resource group
jitsudo request \
  --provider azure \
  --role Reader \
  --scope /subscriptions/xxx/resourceGroups/my-rg \
  --duration 30m \
  --reason "Audit resource usage"
```

--scope values:

  • Subscription ID (UUID) — creates the assignment at subscription scope
  • Full ARM scope path (e.g. /subscriptions/xxx/resourceGroups/my-rg) — creates at that scope
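The five steps listed at the top of this page and the two `--scope` forms just described fit together as follows. This is an added example, not jitsudod's own code: it builds the Microsoft Graph lookup, picks the role definition from a list response, derives the deterministic assignment GUID, and produces the ARM PUT and DELETE requests, without sending anything. The Graph response and the role definition list are constructed samples; deriving the GUID with `uuid5` over a fixed namespace is an assumption (the page says only that it is derived from the request ID); the `api-version` and request shapes are the documented ARM role assignment API.

```python
import uuid

ARM_BASE = "https://management.azure.com"
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
ARM_API_VERSION = "2022-04-01"  # Microsoft.Authorization roleAssignments/roleDefinitions

# Constructed sample of a Graph GET /users/{upn}?$select=id response.
SAMPLE_GRAPH_USER = {"id": "5b1c9e40-0000-4000-8000-0000000000aa"}

# Constructed sample of an ARM roleDefinitions list response (two built-in roles).
SAMPLE_ROLE_DEFINITIONS = {"value": [
    {"id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/"
           "Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
     "properties": {"roleName": "Contributor"}},
    {"id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/"
           "Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
     "properties": {"roleName": "Reader"}},
]}


def normalize_scope(scope: str) -> str:
    """A bare subscription UUID becomes /subscriptions/<id>; a full ARM path is kept."""
    try:
        return f"/subscriptions/{uuid.UUID(scope)}"
    except ValueError:
        pass
    if scope.startswith("/subscriptions/"):
        return scope.rstrip("/")
    raise ValueError(f"unsupported --scope value: {scope!r}")


def graph_user_lookup_url(upn: str) -> str:
    """Step 1: the Graph request that resolves a UPN to an object ID (needs User.Read.All)."""
    return f"{GRAPH_BASE}/users/{upn}?$select=id"


def principal_id_from_graph(response: dict) -> str:
    return response["id"]


def find_role_definition_id(list_response: dict, role_name: str) -> str:
    """Step 2: exact, case-sensitive match on roleName; refuse missing or ambiguous names."""
    matches = [d["id"] for d in list_response.get("value", [])
               if d["properties"]["roleName"] == role_name]
    if len(matches) != 1:
        raise LookupError(f"expected one role named {role_name!r}, found {len(matches)}")
    return matches[0]


def assignment_name(request_id: str) -> str:
    """Step 3: deterministic assignment GUID. Assumption: uuid5 over a fixed
    namespace; the page says only that the GUID is derived from the request ID."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"jitsudo:azure:{request_id}"))


def assignment_url(scope: str, request_id: str) -> str:
    return (f"{ARM_BASE}{normalize_scope(scope)}/providers/Microsoft.Authorization"
            f"/roleAssignments/{assignment_name(request_id)}?api-version={ARM_API_VERSION}")


def build_create(request_id: str, scope: str, role_definition_id: str, principal_id: str) -> dict:
    """PUT that creates the assignment. Retrying with the same request ID hits the
    same GUID, which is what makes the create idempotent."""
    return {"method": "PUT", "url": assignment_url(scope, request_id),
            "body": {"properties": {"roleDefinitionId": role_definition_id,
                                    "principalId": principal_id,
                                    "principalType": "User"}}}


def build_revoke(request_id: str, scope: str) -> dict:
    """Step 5: DELETE the same URL on revocation or expiry."""
    return {"method": "DELETE", "url": assignment_url(scope, request_id)}


if __name__ == "__main__":
    sub = "12345678-1234-1234-1234-123456789abc"  # constructed subscription ID
    pid = principal_id_from_graph(SAMPLE_GRAPH_USER)
    role = find_role_definition_id(SAMPLE_ROLE_DEFINITIONS, "Contributor")
    print(graph_user_lookup_url("alice@example.com"))
    print(build_create("req_01J8KZ", sub, role, pid))
    print(build_revoke("req_01J8KZ", sub))
```

Two points worth noting: the role lookup matches the display name exactly, which is why the page tells you to use a custom role's exact display name, and the revoke request is reconstructed purely from the request ID and scope, so revocation needs no stored assignment ID.
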

The credential returned for an approved request:

```text
AZURE_SUBSCRIPTION_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```

Use with the Azure CLI:

```bash
jitsudo exec req_01J8KZ... -- az vm list --subscription "$AZURE_SUBSCRIPTION_ID"
```

Common Azure built-in roles:

| Role | Description |
|---|---|
| Owner | Full access including RBAC management |
| Contributor | Full access except RBAC management |
| Reader | Read-only access |
| User Access Administrator | Manage RBAC assignments |
| Storage Blob Data Contributor | Read/write Azure Blob Storage |
| AcrPull | Pull images from Container Registry |

Custom role definitions are also supported — use the exact role display name.