Just-In-Time (JIT)
Secrets Access
Eliminate standing privileges. HighSubmit generates short-lived scoped credentials that auto-expire, reducing your infrastructure attack surface.
The Danger of Standing Privileges
Traditional secrets management relies on static credentials that stay valid indefinitely. If a developer's machine or environment is compromised, attackers gain permanent backdoor access. Just-in-Time (JIT) configuration removes this security risk by keeping credentials closed until explicitly requested.
How Auto-Expiry Works
When a platform engineer requests access, HighSubmit verifies their SSO identity and generates a scoped token with a default lifespan of 15 minutes. Once the session window closes, the credentials are automatically revoked by the vault, ensuring zero leftover session keys.
CLI Workflow Example
# Request scoped temporary session credentials for staging database
$ hs session request --scope staging-db --duration 15m
✔ SSO Verification Successful via Okta
✔ Session Token Generated (Expires in 15:00)
# Secret injected securely into current environment shell
$ echo $DATABASE_URL
postgresql://temp-user:[email protected]:5432/db
JIT Access FAQs
What is the default duration for JIT tokens?
HighSubmit tokens are scoped to expire in 15 minutes by default, but administrators can adjust limits based on specific team needs.
Can JIT events be tracked?
Yes, every token request, SSO validation check, and expiration event is immediately logged inside our immutable audit trail for compliance tracking.