Extend validity of existing activation

[eric-zhang-aus]

there is an issue we are facing right now, say our pipline needs the access for at least 60 minutes , but then the JIT access expires in about 20 minutes. we jumped on the JIT tool but we are not able to re-generate the new acesss cause its already active. it would be really nice if we could extend already active access. Thanks.

[apsoto]

We have similar need.

We are evaluating this tool for an AWS to GCP migration and we already know this is something we need.

Long running terraform apply's can sometimes cause session timeouts (in our AWS environment), therefore we use a similar tool that will detect when a session is close to expiring and will renew it so we don't fail the apply while still deploying.

This limitation will probably force us to extend the timeout to much longer than needed, somewhat defeating the purpose of just in time access.

[jpassing]

Yes, this seems like a useful feature to add -- at least for roles that don't require multi-party approval.

In case of multi-party approval, extending access should require another party to re-approve. But then there's obviously a risk that the other party reacts too late and access expires in the mean time.

[jpassing]

Version 1.7 now lets you extend an existing activation by simply requesting access to the same role again.

The UI now also shows how much time you have left before an activation expires:

I'll close this issue now that the feature is available. Feel free to re-open it or file a new issue if there's anthing missing or not quite working as expected.