Agentic JIT · Build Workflow

Your CI/CD pipeline, without AdministratorAccess on the build host, without long-lived access keys in 47 workflow secrets, and without nine weeks of post-mortem when a build step gets compromised.

Today, your Jenkins host runs under a permanent IAM role with AdministratorAccess, your GitHub Actions have long-lived access keys in 47 workflow secrets, and CloudTrail says “JenkinsDeployRole did it” with no link back to the commit. Agentic JIT for Build flips it: register the pipeline as a Cloudanix Agent, drop in the cloudanix-jit shared library (Jenkins, GHA, GitLab, Bitbucket — native to each), wrap the privileged step in an elevate block. The policy attaches for 30s and detaches the moment the step exits.

✓ Jenkins shared library · GitHub Action · GitLab template · Bitbucket Pipe · raw API
✓ CLOUDANIX_AUTH_TOKEN + CLOUDANIX_AGENT_ID · that's the entire wiring
✓ Per-step elevation · audit links agent → workflow → commit → action
Jenkins CI Agent · Instructions · Build Workflow
Source: GitHub · GitLab · Bitbucket · Jenkins · API
Library: cloudanix-jit
Auth token: CLOUDANIX_AUTH_TOKEN · ••••••••
Agent ID: CLOUDANIX_AGENT_ID · ••••-••••-••••
Prereq: outbound HTTPS to api.cloudanix.com
Jenkinsfile · my-app · main · wrap the deploy step, not the whole pipeline · cloudanix-jit shared library v3.4

@Library('cloudanix-jit') _
stage('Deploy') {
  cloudanixElevate(
    policy: 'AmazonECS-FullAccess',
    ttl: '15m', reason: 'main → prod'
  ) {
    sh 'aws ecs update-service ...'
  }
}
Jenkins · my-app · build #142 · console output · commit a7c1f24 · PR #91
✓ elevate   AmazonECS-FullAccess attached to JenkinsDeployRole · 15m
→ sh        aws ecs update-service · cluster prod · service api
✓ ok        service stable · new task definition rolled
✓ revoke    policy detached · audit → S3
elevated for 38 seconds of a 4-minute build · not the whole pipeline
The problem

Your CI/CD is a supply-chain attack vector wearing a security badge.

You tightened human access. Meanwhile a single npm install step in any of your pipelines runs under a role that can delete production. The audit trail says “JenkinsDeployRole did it” — which doesn't answer which build, which commit, which PR.

Jenkins owns the keys to the kingdom

Your Jenkins controller and agents run under a permanent IAM role with AdministratorAccess — or a 200-line policy that grew organically over three years. Shell on the build host, or a malicious transitive dependency in any job, inherits the full blast radius for the host's entire lifetime.

Long-lived keys in 47 workflows

GitHub Actions, GitLab CI, Bitbucket Pipelines — each repo's secret store keeps long-lived access keys. 200 repos × ~3 secrets = 600 standing credentials. Each rotation is a quarterly tax. Each leak is the next post-mortem. Most never get rotated.

Audit dies at the federated role

CloudTrail says JenkinsDeployRole deleted the bucket. Auditors ask which build, which commit, which PR. You scroll Jenkins' build history to guess. The trail ends at the role name — not at the engineer's diff.

The privilege window is 90 minutes

The deploy step needs the policy for ~30 seconds. The build job holds the role for the full 90-minute build. That's 89 minutes and 30 seconds of unnecessary privilege — available to every step before and after the privileged one, including linting and downloading test fixtures.

Three-step shape

Register the library. Add two credentials. Wrap the step.

One shared library, two secrets, one keyword in your Jenkinsfile. GitHub Actions, GitLab CI, Bitbucket Pipelines follow the same shape.

  1. Register the library

     Point Jenkins at the cloudanix-jit shared library. One time, per controller.

  2. Add two credentials

     CLOUDANIX_AUTH_TOKEN and CLOUDANIX_AGENT_ID — copied from the agent's Instructions tab. Done.

  3. Wrap the privileged step

     cloudanixElevate(policy, ttl) { sh '...' } around the deploy / Terraform / migration step. The library handles attach, TTL countdown, and revoke — even on failure.
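The three steps reduce to one control-flow shape: check the request against the agent's registered boundary, attach, run the step, detach in a finally. The block below is an added example written for this page, not code from Cloudanix's cloudanix-jit library; JitService, RegisteredAgent, jit_elevate and run_step are assumed names, and the JIT API, the IAM attach/detach calls and the audit sink are in-memory stand-ins so the logic runs offline. It exercises the two properties the page claims for the wrapper: an out-of-bounds policy or an over-ceiling TTL fails before anything touches the role, and the revoke fires even when the step throws.

```python
"""Added example, not Cloudanix's cloudanix-jit library: an in-memory model of
the elevate -> do work -> revoke primitive. JitService, RegisteredAgent,
jit_elevate and run_step are assumed names; the JIT API, the IAM
attach/detach calls and the audit sink are stand-ins so it runs offline."""
from contextlib import contextmanager
from dataclasses import dataclass, field
import re


def parse_ttl(ttl: str) -> int:
    """'30s', '15m', '2h' -> seconds; anything else is rejected, not guessed."""
    m = re.fullmatch(r"(\d+)([smh])", ttl)
    if not m:
        raise ValueError(f"bad ttl {ttl!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


@dataclass(frozen=True)
class RegisteredAgent:
    """What security registers once per pipeline: the policies it may ask for
    and the hard ceiling on how long it may hold one."""
    agent_id: str
    permitted_policies: frozenset
    max_session_seconds: int


@dataclass
class JitService:
    """Stand-in for the JIT API. `attached` mirrors what IAM would show."""
    agents: dict
    attached: dict = field(default_factory=dict)  # role -> set of policies
    audit: list = field(default_factory=list)     # ordered event records
    seq: int = 0

    def elevate(self, agent_id, role, policy, ttl, context):
        agent = self.agents[agent_id]
        ttl_s = parse_ttl(ttl)
        # Boundary check runs before anything touches IAM, so a typo in the
        # Jenkinsfile is a build failure rather than a privilege escalation.
        if policy not in agent.permitted_policies:
            raise PermissionError(f"{agent_id} may not request {policy}")
        if ttl_s > agent.max_session_seconds:
            raise ValueError(f"ttl {ttl} exceeds ceiling {agent.max_session_seconds}s")
        self.seq += 1
        elevation_id = f"elev-{self.seq:04d}"
        self.attached.setdefault(role, set()).add(policy)   # attach-role-policy
        self.audit.append({"event": "ELEVATE", "id": elevation_id, "agent": agent_id,
                           "role": role, "policy": policy, "ttl": ttl_s, **context})
        return elevation_id

    def revoke(self, elevation_id, reason):
        rec = next(r for r in self.audit
                   if r["event"] == "ELEVATE" and r["id"] == elevation_id)
        self.attached[rec["role"]].discard(rec["policy"])   # detach-role-policy
        self.audit.append({"event": "REVOKE", "id": elevation_id, "reason": reason})


@contextmanager
def jit_elevate(svc, agent_id, role, policy, ttl, context):
    """The wrapper: attach, run the body, detach in `finally` so the revoke
    fires on success, on an exception, and on cancellation (an exception too)."""
    elevation_id = svc.elevate(agent_id, role, policy, ttl, context)
    finished_ok = False
    try:
        yield elevation_id
        finished_ok = True
    finally:
        svc.revoke(elevation_id,
                   "build step finished" if finished_ok else "step failed or cancelled")


def demo_service() -> JitService:
    """Constructed registration: one agent, two permitted policies, 30m ceiling."""
    agent = RegisteredAgent("jenkins-deploy-agent",
                            frozenset({"AmazonECS-FullAccess", "S3-DeployBundle"}), 30 * 60)
    return JitService(agents={agent.agent_id: agent})


BUILD_CONTEXT = {"workflow": "my-app #142", "commit": "a7c1f24", "pr": 91}  # constructed


def failing_step(_attached):
    """A step that dies mid-deploy; the wrapper must still detach."""
    raise RuntimeError("aws ecs update-service failed")


def run_step(svc, policy, ttl, step):
    """Wrap one build step in an elevation. Returns (step succeeded, policies
    still attached to the role afterwards); the second value must always be empty."""
    role = "JenkinsDeployRole"
    try:
        with jit_elevate(svc, "jenkins-deploy-agent", role, policy, ttl, BUILD_CONTEXT):
            step(svc.attached[role])   # the step sees the live attachment set
        return True, set(svc.attached.get(role, ()))
    except (PermissionError, ValueError, RuntimeError) as exc:
        print(f"build failed: {exc}")
        return False, set(svc.attached.get(role, ()))


if __name__ == "__main__":
    svc = demo_service()
    print(run_step(svc, "AmazonECS-FullAccess", "15m", lambda att: print("deploy with", att)))
    print(run_step(svc, "AmazonECS-FullAccess", "15m", failing_step))       # revoke on failure
    print(run_step(svc, "AdministratorAccess", "15m", lambda att: None))    # outside boundary
    print(run_step(svc, "S3-DeployBundle", "2h", lambda att: None))         # over the ceiling
```

The audit list after a run is the thing to read: the failing step still ends with a REVOKE record, and the two rejected requests leave no ELEVATE record at all because the boundary and ceiling checks run before the attach.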

Native to your CI

One contract. Four flavours of pipeline.

Jenkins shared library, GitHub Action, GitLab CI template, Bitbucket Pipe. Same primitive (elevate · do work · revoke), same audit, same boundary — native to whichever pipeline runner you already own.

Jenkinsfile · my-app · deploy stage (jenkins-deploy-agent)
Declarative pipeline, deploying main to prod ECS. Wrap the sh 'aws ecs update-service' step in a 15-minute elevation. The library handles the API call and the explicit revoke on block exit.
Flow: Jenkins build #142 → cloudanixElevate() → Cloudanix JIT (attach policy) → JenkinsDeployRole
Scope granted: policy AmazonECS-FullAccess · ttl 15m · workflow my-app #142 · commit a7c1f24

@Library('cloudanix-jit') _
stage('Deploy') {
  cloudanixElevate(
    policy: 'AmazonECS-FullAccess', ttl: '15m'
  ) {
    sh 'aws ecs update-service ...'
  }
}

✓ Stamped agent → workflow → commit → action
⛔ Revoked on block exit (try/finally)
.github/workflows/deploy.yml · cloudanix/jit-elevate (gha-deploy-agent)
GitHub Actions step pulls an OIDC token from GitHub and exchanges it with Cloudanix for a short-lived elevation. Zero long-lived secrets in the repo.
⚠ OIDC mode · no static creds in the repo
✓ Per-workflow elevation, audited to commit
Flow: GHA run (PR #91) → uses: cloudanix/jit-elevate → Cloudanix JIT (OIDC token swap) → GHADeployRole
Scope granted: policy S3-DeployBundle · ttl 10m · repo org/my-app · pr 91 · sha a7c1f24

- uses: cloudanix/jit-elevate@v1
  with:
    policy: 'S3-DeployBundle'
    ttl: '10m'
- run: aws s3 sync ./build s3://prod-assets/

✓ Stamped run-id → commit → PR → policy
⛔ Auto-revoke on job completion
.gitlab-ci.yml · terraform-apply job (gitlab-terraform-agent)
Terraform apply against prod. Needs broad write for one shot, every two weeks. Elevate just for the terraform apply step — not for plan, fmt, or validate.
Flow: GitLab pipeline → include template → Cloudanix JIT (attach policy) → TerraformRunnerRole
Scope granted: policy TF-Apply-Prod · ttl 30m · project infra/network · pipeline 8421

include:
  - project: 'cloudanix/jit-ci'
    file: 'elevate.gitlab-ci.yml'
terraform-apply:
  script:
    - !reference [.cloudanix_elevate, script]
    - terraform apply -auto-approve

✓ Stamped project → pipeline → job → action
⛔ Revoked on script-end · even if apply fails
bitbucket-pipelines.yml · data-sync step (bb-sync-agent)
Bitbucket pipeline copies last night's analytics dump from S3 to a partner-shared GCS bucket. Cross-cloud; needs scoped read+write only for the duration of the copy.
Flow: Bitbucket Pipe → pipe: cloudanix/jit-elevate → Cloudanix JIT (multi-cloud scope) → DataSyncRole
Scope granted: policy S3-Read + GCS-Write · ttl 20m · workspace dataops · pipeline #224

pipelines:
  custom:
    nightly-sync:
      - pipe: cloudanix/jit-elevate:1.0.0
        variables:
          POLICY: 'S3-Read + GCS-Write'
          TTL: '20m'
      - step: { script: ['./sync.sh'] }

✓ Stamped workspace → pipeline → policy chain
⛔ Revoke fires from a final step (always-run)
Also, same primitive: CircleCI, Buildkite, TeamCity, Drone CI, ArgoCD, Flux, AWS CodeBuild, Azure DevOps, Tekton, Spinnaker, Concourse … anything that can curl, via the raw API.
The model

DevOps writes the Jenkinsfile. Security writes the boundary.

What the build team gets
  • One library, one wrapper, one keyword — cloudanixElevate { ... } — per pipeline language
  • The Jenkinsfile / workflow YAML says exactly what privilege it needs, in code review, next to the diff
  • No more “rotate the access keys” quarterly tax — auth tokens are scoped, short, and rotatable from one place
  • Build fails fast on a policy-out-of-bounds request — it does not silently grant and burn prod
one keyword. zero long-lived secrets.
What security keeps
  • Zero standing access on every Jenkins controller, agent, and ephemeral runner
  • Per-agent policy boundary — a pipeline can't request anything its registered agent isn't allowed to grant
  • Bounded max-session-duration enforced at the API — the pipeline can't hold the elevation past the ceiling
  • One audit linking action → agent → build → commit → PR — the trail no longer dies at JenkinsDeployRole
Governance & audit stay in your account.
Audit chain

Action → agent → build → commit → PR. End of investigation.

Every elevation lands as a correlated timeline — agent identity, build URL, commit SHA, the PR that triggered it, every API call made under the elevated policy, the revoke. When CloudTrail says ecs:UpdateService, you click through to the diff in two hops.

elevation timeline · elev-9c11f3a8 · jenkins-deploy-agent · build #142
[14:00:14]  ELEVATE      jenkins-deploy-agent · AmazonECS-FullAccess · 15m
[14:00:14]  POLICY-CHECK boundary OK · within agent permitted policies
[14:00:15]  IAM EVENT    attach-role-policy → JenkinsDeployRole
[14:00:18]  ACTION       ecs:UpdateService · cluster prod · service api
[14:00:19]  ACTION       ecs:DescribeServices · cluster prod
[14:00:52]  REVOKE       SDK call from pipeline · build step finished
[14:00:52]  IAM EVENT    detach-role-policy → JenkinsDeployRole
[14:00:53]  AUDIT        written to s3://your-bucket/jit-agents/
agent · jenkins-deploy-agent | workflow · my-app #142 | commit · a7c1f24 | ttl · 15m (used 38s)
  • End-to-end elevation, one view

    SDK call → boundary check → IAM event → every API action under the elevated identity → revoke. No more correlating CloudTrail with Jenkins build logs with the GitOps PR.

  • Evidence-grade for SOC 2 · ISO · PCI

    Pull a quarterly report of every elevation by every NHI — agent, workflow, commit, action chain, exact-second revoke. Auditors love the “agent → commit” link — no more “the CI box did it.”

  • Sits in your data plane

    Audit writes to your S3 / Azure Blob / GCS, not ours. Send your auditor a signed URL scoped to one elevation or a whole quarter. The link expires. Nothing copied, nothing leaked.
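A checker over the timeline format shown above, as an added example that is not Cloudanix's own reporting: it parses the event lines, recomputes the 38-second window, and flags the failure modes a reviewer would look for in the trail (no REVOKE, no detach, a policy held past its TTL, an action under the elevated identity outside the attach/detach window). The good run is the page's own timeline; the bad run is constructed for this example; check_elevation and its result fields are assumed names.

```python
"""Audit-chain checker: added example, not Cloudanix's reporting. It parses
elevation timelines in the format shown on the page and verifies the
invariants a reviewer wants: revoke and detach happened, the policy was not
held past its TTL, and no action falls outside the attach/detach window."""
import re
from dataclasses import dataclass

LINE = re.compile(
    r"^\[(\d{2}):(\d{2}):(\d{2})\]\s+"
    r"(ELEVATE|POLICY-CHECK|IAM EVENT|ACTION|REVOKE|AUDIT)\s+(.*?)\s*$"
)

# Timeline copied from the page (jenkins-deploy-agent, build #142).
GOOD_TIMELINE = """
[14:00:14]  ELEVATE      jenkins-deploy-agent · AmazonECS-FullAccess · 15m
[14:00:14]  POLICY-CHECK boundary OK · within agent permitted policies
[14:00:15]  IAM EVENT    attach-role-policy → JenkinsDeployRole
[14:00:18]  ACTION       ecs:UpdateService · cluster prod · service api
[14:00:19]  ACTION       ecs:DescribeServices · cluster prod
[14:00:52]  REVOKE       SDK call from pipeline · build step finished
[14:00:52]  IAM EVENT    detach-role-policy → JenkinsDeployRole
[14:00:53]  AUDIT        written to s3://your-bucket/jit-agents/
"""

# Constructed counter-example: the step never revoked and kept calling ECS.
BAD_TIMELINE = """
[15:10:00]  ELEVATE      jenkins-deploy-agent · AmazonECS-FullAccess · 15m
[15:10:00]  POLICY-CHECK boundary OK · within agent permitted policies
[15:10:01]  IAM EVENT    attach-role-policy → JenkinsDeployRole
[15:10:05]  ACTION       ecs:UpdateService · cluster prod · service api
[15:31:40]  ACTION       ecs:DescribeServices · cluster prod
"""


@dataclass
class Event:
    t: int        # seconds since midnight
    kind: str
    detail: str


def parse_timeline(text: str) -> list:
    events = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsable timeline line: {raw!r}")
        h, mi, s, kind, detail = m.groups()
        events.append(Event(int(h) * 3600 + int(mi) * 60 + int(s), kind, detail))
    return events


def ttl_seconds(elevate_detail: str) -> int:
    """'agent · policy · 15m' -> 900; the unit suffix is s, m or h."""
    m = re.search(r"·\s*(\d+)([smh])$", elevate_detail)
    if not m:
        raise ValueError(f"no ttl in ELEVATE detail: {elevate_detail!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


def first(events, kind, prefix=""):
    return next((e for e in events if e.kind == kind and e.detail.startswith(prefix)), None)


def check_elevation(text: str) -> dict:
    ev = parse_timeline(text)
    elev = first(ev, "ELEVATE")
    if elev is None:
        return {"findings": ["no ELEVATE event in timeline"]}
    agent, policy, _ = [p.strip() for p in elev.detail.split("·")]
    ttl = ttl_seconds(elev.detail)
    attach = first(ev, "IAM EVENT", "attach-role-policy")
    detach = first(ev, "IAM EVENT", "detach-role-policy")
    revoke = first(ev, "REVOKE")
    findings = []
    if revoke is None:
        findings.append("no REVOKE event: policy may still be attached")
    if detach is None:
        findings.append("no detach-role-policy IAM event")
    # Without a detach, treat the policy as held until the last event seen.
    end = detach.t if detach else ev[-1].t
    held = end - elev.t
    if held > ttl:
        findings.append(f"held {held}s, over ttl {ttl}s")
    window_start = attach.t if attach else None
    window_end = detach.t if detach else elev.t + ttl   # TTL expiry is the hard stop
    for a in (e for e in ev if e.kind == "ACTION"):
        if window_start is None or a.t < window_start or a.t > window_end:
            findings.append(f"action outside elevation window: {a.detail}")
    return {"agent": agent, "policy": policy, "ttl_seconds": ttl,
            "used_seconds": held, "findings": findings}


if __name__ == "__main__":
    for name, timeline in (("good", GOOD_TIMELINE), ("bad", BAD_TIMELINE)):
        print(name, check_elevation(timeline))
```

The window is measured from the ELEVATE event to the detach, which is what the page's “used 38s” counts; a run with no detach is measured to its last observed event so a stale attachment shows up as a TTL overrun rather than disappearing.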

Plugs in · doesn't replace

Your CI runner. Your cloud. Our JIT in between.

Jenkins stays Jenkins. GitHub Actions stays GHA. AWS IAM stays the source of truth. Cloudanix sits between the pipeline and the role attachment, making policies attach for 30 seconds, not forever.

CI/CD & pipeline orchestrators · native library

Jenkins · shared library
GitHub Actions · cloudanix/jit-elevate
GitLab CI · include template
Bitbucket Pipelines · pipe
CircleCI · orb
Buildkite · plugin
AWS CodeBuild · script
Azure DevOps · task
ArgoCD · pre-sync hook
Anything that can curl · raw API

Cloud targets for elevation

AWS · IAM Role · IAM User
Azure · Service Principal · Managed Identity
GCP · Service Account
Multi-account · cross-account assume
OIDC · keyless federation
Static + Dynamic (coming) auth modes
What you get

A blast radius your CIO can defend — without re-platforming Jenkins.

Zero standing AdminAccess

The Jenkins controller IAM role can sit empty — every elevation is just-in-time. Shell on the host inherits nothing.

Native to your CI

Jenkins shared library, GitHub Action, GitLab template, Bitbucket Pipe. Same primitive, same elevate · revoke contract.

Per-step, not per-pipeline

30 seconds of privilege inside a 4-minute build — not 4 minutes of privilege. The blast radius shrinks by the runtime ratio.

Boundary-enforced at the API

The pipeline cannot request a policy outside the registered agent's permitted set. A typo in the Jenkinsfile is a build failure, not a privilege escalation.

Kill long-lived workflow secrets

Two scoped, rotatable creds per repo (CLOUDANIX_AUTH_TOKEN · CLOUDANIX_AGENT_ID) replace the 600 long-lived access keys across your stack.

Revoke even on failure

The wrapper revokes the policy whether the sh step succeeds, fails, or the build is cancelled. There's no “forgot to clean up” window.

Audit: agent → build → commit → PR

Click from an audit-trail entry straight to the build page, then to the commit SHA, then to the PR diff and the engineer who shipped it.

Multi-cloud · one model

AWS IAM Role, Azure Service Principal, GCP Service Account — one Jenkinsfile, one agent, one elevation API. Cross-cloud pipelines stop being a snowflake.

OIDC-native (keyless) when you want it

GitHub Actions and modern Jenkins setups can swap an OIDC token for Cloudanix elevation — zero static secrets, even for the auth token. Pick keyless wherever your runner supports it.

Ready to see your graph?

Connect a cloud account in under 30 minutes. See every finding rooted in identity, asset, and blast radius — with a fix path attached.
