steampipe plugin install okta

Okta + Steampipe

Okta is the leading independent identity provider. The Okta Identity enables organizations to securely connect the right people to the right technologies at the right time.

Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.

For example:

| login | id | email | created |
| | 00u1e63jiqAHskqSd5d7 | | 2021-08-02 13:35:54 |
| | 00u1e5eizrjQKTWMA5d7 | | 2021-08-02 10:57:05 |


Get started


Download and install the latest Okta plugin:

steampipe plugin install okta


CredentialsOkta requires a domain and an API token or a service app and private key for all requests.
PermissionsAPI tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change. Service application permissions are based on granted OAuth scopes.
RadiusEach connection represents a single Okta Organization.
Resolution1. With configuration provided in connection in steampipe .spc config file.
2. With okta environment variables.
3. An okta.yaml file in a .okta folder in the current user's home directory (~/.okta/okta.yaml or %userprofile.okta\okta.yaml).


Installing the latest okta plugin will create a config file (~/.steampipe/config/okta.spc) with a single connection named okta:

connection "okta" {
plugin = "okta"
# Get your API token from Okta
# domain = "https://<your_okta_domain>"
# token = "02d0YZgNSJwlNew6lZG-6qGThisisatest-token"
# Or use an Okta application and the client credentials flow for authenticating:
# domain = "https://<your_okta_domain>"
# client_id = "0oa10zpa2bo6tAm9Test"
# private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."

By default, all options are commented out in the default connection, thus Steampipe will resolve your credentials using the same order as mentioned in Credentials. This provides a quick way to get started with Steampipe, but you will probably want to customize your experience using configuration options for querying multiple organizations, configuring credentials from your okta configuration files, environment variables, etc.

If using the Okta service application, the following scopes must be enabled for Steampipe to be able to access the Okta APIs:


Note: Table okta_user_type and okta_network_zone doesn't work in Service App authentication mode.

Configuring Okta Credentials

Credentials from Environment Variables

The Okta plugin will use the standard Okta environment variables to obtain credentials only if other arguments (domain, token, client_id, private_key) are not specified in the connection:

API Token

export OKTA_CLIENT_ORGURL=https://<your_okta_domain>
export OKTA_CLIENT_TOKEN=02d0YZgNSJwlNew6lZG-6qGThisisatest-token

Service App

export OKTA_CLIENT_ORGURL=https://<your_okta_domain>
export OKTA_CLIENT_CLIENTID=0oa10zpa2bo6tAm9Test

Postgres FDW

This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the script:

/bin/sh -c "$(curl -fsSL" -- okta

The installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.

To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.

CREATE EXTENSION IF NOT EXISTS steampipe_postgres_okta;
CREATE SERVER steampipe_okta FOREIGN DATA WRAPPER steampipe_postgres_okta OPTIONS (config '<your_config>');

SQLite Extension

This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the script:

/bin/sh -c "$(curl -fsSL" -- okta

The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.

To configure the SQLite extension, load the extension module and then run the steampipe_configure_okta function to configure it with plugin-specific options.

$ sqlite3
sqlite> .load ./
sqlite> select steampipe_configure_okta('<your_config>');


This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the script:

/bin/sh -c "$(curl -fsSL" -- okta

You can pass the configuration to the command with the --config argument:

steampipe_export_okta --config '<your_config>' <table_name>