JIT Request Issues

This page covers common problems with requesting, approving, and managing Just-In-Time access sessions in the Prism JIT Portal.

Request Stuck in Pending

Problem: You submitted a JIT access request, but it has been in "Pending" status for an extended period with no approval or rejection.

Cause: There is no available approver for the target AWS account. Approval requires an account owner (or admin for certain request types) to review and act on the request. If no account owners have been assigned, no one receives the request for review.

Solution:

  1. Check with your organization's Prism administrator whether account owners have been configured for the target AWS account.
  2. The administrator can assign account owners in the Admin Portal under AWS Accounts > Manage Owners.
  3. If account owners are assigned, the approver may simply not have reviewed the request yet. Contact them directly if the request is urgent.
  4. For custom permission set requests, remember that two levels of approval are required (account owner, then admin). The request may be waiting for the second-level approval.

"No Accounts Available"

Problem: When trying to create a JIT access request, the account dropdown shows no available accounts, or you see a message that no accounts are available.

Cause: No AWS accounts have been onboarded to Prism, or you do not have visibility into any accounts.

Solution:

  1. Contact your Prism administrator to verify that AWS accounts have been onboarded in the Admin Portal under AWS Accounts.
  2. Verify that permission sets exist. Accounts will only appear if there are valid permission sets available for them.
  3. If you are a new user, your administrator may need to complete initial configuration before JIT access is available.

Custom Permission Set Validation Fails

Problem: When submitting a JIT request with a custom permission set, the request fails validation with an error about the inline policy.

Cause: The custom inline policy JSON you provided is not valid IAM policy syntax. AWS IAM policies must follow a strict JSON structure with specific fields and values.

Solution:

  1. Verify your inline policy JSON is valid:
    • It must be properly formatted JSON (no trailing commas, correct brackets).
    • It must include a Version field (typically "2012-10-17").
    • It must include at least one Statement with Effect, Action, and Resource fields.
  2. Example of a valid inline policy:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "s3:GetObject",
             "s3:ListBucket"
           ],
           "Resource": [
             "arn:aws:s3:::my-bucket",
             "arn:aws:s3:::my-bucket/*"
           ]
         }
       ]
     }
  3. Use the AWS IAM Policy Simulator or the AWS documentation to validate your policy syntax.
  4. Check that the total policy size does not exceed AWS IAM policy size limits.
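The checks in steps 1 to 4 can be run locally before you paste a policy into a request. The following validator is an added example and is not part of Prism; it applies the page's rules (well-formed JSON, a Version field, at least one Statement with Effect, Action and Resource, and a size bound). The size limit used is an assumption, since AWS applies different limits to different policy types, and the three sample policies are constructed for the demonstration (the first is the page's own example).

```python
import json

# Assumed upper bound for the size check. AWS enforces different limits for
# different policy types, so confirm the limit that applies to your
# permission set in the AWS documentation before relying on this number.
MAX_POLICY_CHARS = 10240

REQUIRED_STATEMENT_FIELDS = ("Effect", "Action", "Resource")
VALID_EFFECTS = ("Allow", "Deny")


def validate_inline_policy(policy_text: str, max_chars: int = MAX_POLICY_CHARS) -> list:
    """Return a list of problems found in the policy text; an empty list means it passes.

    The checks mirror the page's rules: well-formed JSON, a Version field,
    and at least one Statement carrying Effect, Action and Resource.
    """
    problems = []

    # Size check first, so an oversized but otherwise valid policy is still reported.
    if len(policy_text) > max_chars:
        problems.append(f"policy is {len(policy_text)} characters, over the {max_chars} character limit")

    # json.loads rejects trailing commas and unbalanced brackets and reports the position.
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}")
        return problems

    if not isinstance(policy, dict):
        problems.append("top-level value must be a JSON object")
        return problems

    version = policy.get("Version")
    if version is None:
        problems.append("missing Version field")
    elif version != "2012-10-17":
        problems.append(f"unexpected Version {version!r}; expected '2012-10-17'")

    statements = policy.get("Statement")
    if statements is None:
        problems.append("missing Statement field")
        return problems
    if isinstance(statements, dict):
        statements = [statements]  # IAM accepts a single statement object as well as an array
    if not isinstance(statements, list) or not statements:
        problems.append("Statement must be a non-empty array")
        return problems

    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}] is not an object")
            continue
        for name in REQUIRED_STATEMENT_FIELDS:
            if name not in stmt:
                problems.append(f"Statement[{i}] is missing {name}")
        if "Effect" in stmt and stmt["Effect"] not in VALID_EFFECTS:
            problems.append(f"Statement[{i}] Effect must be 'Allow' or 'Deny', got {stmt['Effect']!r}")
    return problems


# Constructed sample inputs: the page's valid example plus two broken variants.
VALID_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}"""

TRAILING_COMMA_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket",],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}"""

MISSING_VERSION_POLICY = """{
  "Statement": {"Effect": "allow", "Action": "s3:GetObject", "Resource": "*"}
}"""


if __name__ == "__main__":
    for label, text in [("valid", VALID_POLICY),
                        ("trailing comma", TRAILING_COMMA_POLICY),
                        ("missing version", MISSING_VERSION_POLICY)]:
        print(label, "->", validate_inline_policy(text) or "OK")
```

Run it as a script to see each sample's verdict, or call validate_inline_policy on the text you intend to submit. It only checks structure; whether the actions and resources are the ones you actually need is still your decision.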

Session Expired Unexpectedly

Problem: Your JIT access session expired before you expected it to, or you lost access to the AWS account sooner than planned.

Cause: The effective session duration is the shorter of two values: the duration you requested when creating the JIT request, and the session duration configured on the permission set. If the permission set has a 1-hour session duration and you requested 4 hours, your effective session is limited to 1 hour.

Solution:

  1. When creating a JIT request, note the session duration you are requesting.
  2. Check with your administrator what session duration is configured on the permission set you are using. The administrator can view this in Permission Sets in the Admin Portal.
  3. If you need longer sessions, ask your administrator to increase the session duration on the relevant permission set.
  4. For extended work, plan to submit a new JIT request before your current session expires.

Cannot Approve Request

Problem: You can see a pending JIT request but cannot approve or reject it. The approve/reject buttons are disabled or missing.

Cause: Your role or account ownership status does not grant you approval authority for this specific request. Different request types require different approvers.

Solution:

  1. For standard permission set requests: You must be an account owner for the target AWS account, or hold the Admin or SSO Admin role.
  2. For custom permission set requests (owner approval step): You must be an account owner for the target AWS account.
  3. For custom permission set requests (admin approval step): You must have the SSO Admin or Admin role.
  4. If you believe you should be able to approve the request:
    • Verify that you are listed as an account owner for the target account in AWS Accounts > Manage Owners in the Admin Portal.
    • Verify your role in the JIT portal by checking your profile or contacting your administrator.
  5. Contact your administrator to verify your approval authority for the target account.

Multi-Level Approval Not Progressing

Problem: A custom permission set JIT request was approved by the account owner, but it is still not active. The request appears to need additional approval.

Cause: Custom permission set requests require two-level approval. After the account owner approves, an SSO Admin or Admin must also approve the request before access is granted.

Solution:

  1. This is expected behavior for custom permission set requests. The workflow is:
    • Step 1: The account owner approves the request.
    • Step 2: An SSO Admin or Admin reviews and provides the final approval.
  2. If you are the requester, contact an SSO Admin or Admin in your organization and ask them to review the pending request.
  3. If you are an SSO Admin or Admin, navigate to Pending Approvals in the JIT Portal to see requests that need your second-level approval.
  4. The request will only become active after both approval levels are completed.
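The rules in "Cannot Approve Request" and the two-step workflow above can be read together as one small state machine. The following is an added illustrative model, not Prism's code: the role names are the ones the page uses, while the stage names (pending_owner, pending_admin, active), the dataclass shapes and the account ID and user names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Role names follow the page; stage names are assumptions for this model only.
ADMIN_ROLES = {"Admin", "SSO Admin"}


@dataclass
class User:
    name: str
    role: str                                        # "Viewer", "Approver", "SSO Admin" or "Admin"
    owned_accounts: set = field(default_factory=set)  # AWS account IDs this user owns


@dataclass
class JitRequest:
    request_id: str
    account_id: str
    custom_permission_set: bool
    stage: str = "pending_owner"                     # pending_owner -> pending_admin -> active


def is_account_owner(user: User, request: JitRequest) -> bool:
    return request.account_id in user.owned_accounts


def can_approve(user: User, request: JitRequest) -> bool:
    """Decide whether `user` may act on `request` at its current stage."""
    if request.stage == "active":
        return False
    if not request.custom_permission_set:
        # Standard request: one approval, by an account owner or an Admin/SSO Admin.
        return is_account_owner(user, request) or user.role in ADMIN_ROLES
    if request.stage == "pending_owner":
        # Custom request, first level: only an owner of the target account.
        return is_account_owner(user, request)
    # Custom request, second level: only an SSO Admin or Admin.
    return user.role in ADMIN_ROLES


def approve(user: User, request: JitRequest) -> str:
    """Advance the request one stage and return the new stage."""
    if not can_approve(user, request):
        raise PermissionError(f"{user.name} cannot approve {request.request_id} at stage {request.stage}")
    if request.custom_permission_set and request.stage == "pending_owner":
        request.stage = "pending_admin"              # not active yet: waits for second-level approval
    else:
        request.stage = "active"
    return request.stage


def walk_custom_request() -> list:
    """Replay the two-level workflow with constructed users; returns the stage after each approval."""
    owner = User("owner-user", "Approver", {"111111111111"})   # constructed account ID
    admin = User("sso-admin", "SSO Admin")
    req = JitRequest("REQ-EXAMPLE-1", "111111111111", custom_permission_set=True)
    stages = [approve(owner, req)]                   # owner approval -> pending_admin
    assert not can_approve(owner, req)               # the owner cannot also give the second approval
    stages.append(approve(admin, req))               # admin approval -> active
    return stages


if __name__ == "__main__":
    print(walk_custom_request())
```

The point the model makes explicit is the one behind this troubleshooting entry: after the owner's approval a custom request sits in a stage where only an SSO Admin or Admin can act, so the owner refreshing the page, or approving again, cannot move it forward.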

Request Rejected Without Explanation

Problem: Your JIT access request was rejected, but you do not understand why.

Cause: The approver rejected the request. Approvers may provide a reason when rejecting, but it is not always required.

Solution:

  1. Check the request details in My Requests for any rejection comments.
  2. Contact the approver (account owner or admin) directly to understand why the request was rejected.
  3. If the rejection was due to the scope of access requested, consider submitting a new request with:
    • A shorter duration.
    • A more restrictive permission set.
    • A clearer justification in the request reason field.

Cannot See Approver Features

Problem: You cannot see the Pending Approvals, Request History, Manage Sessions, or Owned Accounts tabs in the JIT Portal.

Cause: These features are only available to users with the Approver role (level 1) or higher. Viewer role users can only request access and view their own requests.

Solution:

  1. Check your role. The Approver role is required to see approver-specific features.
  2. Contact your Prism administrator to request a role upgrade if you need approver capabilities.
  3. Contact your administrator to verify your role and available features.

Still Having Issues?

If none of the above solutions resolve your JIT request problem:

  1. Check the Permission Errors page for related access issues.
  2. Contact your organization's Prism administrator with the request ID (if available), the target account, and the error message.
  3. For platform-level issues, contact CloudKeeper support.