docs/platform/infrastructure/jit-access.md
Just-in-time (JIT) access lets Encore Cloud request the permissions it needs for a deploy only when they're needed, for a limited time, instead of holding standing access to your cloud resources. When a deploy starts, Encore Cloud requests a temporary privilege grant, uses it to apply the change, and the grant automatically expires afterwards.
This minimizes the blast radius of long-lived credentials and gives you a full audit trail of every privileged action: what was requested, why, and for how long.
<Callout type="info">Just-in-time access is an Enterprise feature. Contact us to enable it for your organization.
</Callout>| Cloud | Status |
|---|---|
| GCP | Available, powered by GCP Privileged Access Manager (PAM). |
| AWS | In active development — reach out if you're interested. |
On GCP, just-in-time access is powered by Google Cloud Privileged Access Manager (PAM). Instead of granting Encore Cloud's deploy identity permanent IAM roles, you define entitlements in GCP PAM that describe which roles can be requested and under what conditions.
During a deploy, Encore Cloud:
Because grants flow through GCP PAM, every request is recorded with its justification and duration, giving you a complete audit trail.
Just-in-time access is configured per environment in the Encore Cloud dashboard:
The section has three settings:
A deploy can involve different kinds of infrastructure changes, and you may want a different entitlement for each. You can override the entitlement on a per-phase basis:
| Phase | When it applies |
|---|---|
| Provision | Creating new infrastructure resources |
| Deploy | Rolling out new application versions |
| Delete | Removing infrastructure resources |
Any phase without an explicit override falls back to the Default entitlement. This lets you, for example, require a more privileged (or separately audited) entitlement for Delete while everything else uses a standard one.
By default, every resource in an environment uses the environment-level configuration. When you need finer control — for example, a specific GCP project that requires a different entitlement — you can add a resource override.
Resource overrides accept the same entitlement settings as the environment default, including per-phase overrides. The grant duration is always inherited from the environment default and cannot be overridden per resource.
Settings are merged most-specific-first, so a more specific layer always wins:
Resource (project) override ➜ Environment default ➜ App default
For a given deploy phase, Encore Cloud resolves the entitlement by checking the resource override first, then the environment default, then the app-level default.
Just-in-time access for AWS is in active development.
If you're running on AWS and want time-bound deploy permissions, reach out — we'd love to hear about your use case and can let you know when AWS support is available.