Static cloud credentials handed out to short-term contractors rarely get cleaned up, leaving standing access long after the engagement ends. This tutorial walks through building a self-service just-in-time (JIT) access portal with Kestra, a YAML-first workflow orchestrator, that handles cross-cloud temporary access for both AWS and Azure. The workflow lets anyone trigger an access request via a Slack slash command, routes it to an approver via Slack DM with Approve/Deny buttons, automatically provisions IAM policies on AWS and role assignments on Azure, then revokes everything once the requested duration has elapsed. The full Terraform and Kestra flow source code is provided on GitHub, along with production tips covering RDS for persistence, S3 for storage, duration caps, and namespace isolation per team.
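The request, approve, provision and revoke lifecycle summarised above, modelled as a small Python broker. This is an added illustration, not code from the tutorial or from Kestra; the eight-hour cap, the grant targets and the requester/approver names are assumptions, and "provisioning" is only a recorded state standing in for the real IAM policy attachment or Azure role assignment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_DURATION = timedelta(hours=8)          # assumed production duration cap
HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Grant:
    requester: str
    cloud: str          # "aws" or "azure"
    target: str         # IAM policy ARN or Azure role-assignment scope (constructed)
    expires_at: datetime
    approved: bool = False
    provisioned: bool = False
    revoked: bool = False


class JitBroker:
    """Request -> approve -> provision -> revoke, with a hard cap on the window."""

    def __init__(self, now: datetime) -> None:
        self.now = now
        self.grants: list[Grant] = []
        self.audit: list[str] = []       # every state change is logged for later review

    def request(self, requester: str, cloud: str, target: str, wanted: timedelta) -> Grant:
        if wanted <= timedelta(0):
            raise ValueError("duration must be positive")
        window = min(wanted, MAX_DURATION)   # cap: a request can never outlive the maximum
        g = Grant(requester, cloud, target, self.now + window)
        self.grants.append(g)
        self.audit.append(f"request {requester} {cloud}:{target} for {window}")
        return g

    def decide(self, g: Grant, approver: str, approve: bool) -> None:
        if approver == g.requester:
            raise PermissionError("a requester cannot approve their own request")
        g.approved = approve
        self.audit.append(f"{'approve' if approve else 'deny'} {g.cloud}:{g.target} by {approver}")
        if approve:
            g.provisioned = True             # stand-in for attaching the policy / role assignment
            self.audit.append(f"provision {g.cloud}:{g.target}")

    def sweep(self, now: datetime) -> list[Grant]:
        """Revoke every live grant whose window has elapsed; returns the grants revoked."""
        self.now = now
        expired = [g for g in self.grants if g.provisioned and not g.revoked and now >= g.expires_at]
        for g in expired:
            g.revoked = True
            self.audit.append(f"revoke {g.cloud}:{g.target}")
        return expired
```

Denied requests are never provisioned, so the sweep ignores them; only approved grants appear in the revoke entries of the audit list.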

13 min read. From awsfundamentals.com
Table of contents
- Existing Solutions Close One Gap and Open Another
- What We're Building
- Setting Up Kestra on AWS
- Prerequisites
- Step 1: The Request Form and Slack Approval
- Step 2: Provisioning Access on AWS and Azure
- Step 3: Automatic Revocation
- Audit Logs and Observability Out of the Box
- Tips for Production
- Beyond Access Management
- Summary
