A contractor joins your team for a 3-week sprint. You create an IAM user, attach a policy that looks reasonable, and assign them a Reader role on the Azure subscription. The sprint ends. Nobody touches the permissions again.

Three months later that IAM user still has the policy. The Azure role is still there. No expiry, no audit trail, no process. Multiply that by ten contractors a year and you stop knowing who has access to what — and why.

Provisioning takes two minutes. Cleaning up requires someone to remember, and that almost never happens reliably at scale.

AWS TEAM solves half the problem

AWS has an open-source solution for this called TEAM. A dev requests elevated access, a manager approves, credentials expire automatically. It works great — for AWS.

The hard limit: TEAM runs on top of IAM Identity Center. The moment a contractor needs access to Azure too, you're back to manual cleanup or another dedicated tool. What you actually want is one place that handles the full lifecycle across both clouds.

What we're building

A self-service access portal using Kestra — a YAML-first workflow orchestrator built for infrastructure automation. One YAML file. Slack approval. Auto-revocation.

The flow:

1. A contractor (or whoever's authorized) runs /request-access john.doe 60 fix prod bug in Slack
2. The approver gets a private DM with Approve/Deny buttons — no Kestra login needed
3. On approve, Kestra attaches an S3 read policy on AWS and assigns a Storage Blob Data Reader role on Azure
4. After the requested duration, Kestra removes both — automatically

The whole thing runs on a single EC2 instance with Docker Compose. Kestra plus PostgreSQL, two containers, behind an ALB. t3.medium is enough to start.

The Pause primitive is the magic

The interesting part isn't the access management. It's that Kestra has a Pause task that waits for a human, with a configurable timeout, that you can resume via API from anywhere — Slack, Teams, a web form, whatever.

Same primitive works for production deployment approvals, database password rotations, cost threshold alerts with a "pause the pipeline" button. You write the logic in YAML and Kestra handles the waiting, retrying, logging, and cleanup.

Audit logs you didn't have to set up

Every execution stores who requested access, who approved it, what each task returned, and when each step happened. CloudTrail tells you the API call happened. Kestra tells you why.

The blog post walks through the full setup: Terraform for AWS + Azure + Kestra, the Slack bot, the YAML flow, the revocation logic, and the things to watch out for in production (RDS instead of the sidecar Postgres, S3 storage backend, capping the max duration).

🚀 Read the Full Tutorial →