Okta + Steampipe
Okta is the leading independent identity provider. The Okta Identity enables organizations to securely connect the right people to the right technologies at the right time.
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
For example:
select login, id, email, createdfrom okta_user;+---------------------+----------------------+---------------------+---------------------+| login | id | email | created |+---------------------+----------------------+---------------------+---------------------+| subhajit@turbot.com | 00u1e63jiqAHskqSd5d7 | subhajit@turbot.com | 2021-08-02 13:35:54 || lalit@turbot.com | 00u1e5eizrjQKTWMA5d7 | lalit@turbot.com | 2021-08-02 10:57:05 |+---------------------+----------------------+---------------------+---------------------+Documentation
Get started
Install
Download and install the latest Okta plugin:
steampipe plugin install oktaCredentials
| Item | Description |
|---|---|
| Credentials | Okta requires a domain and an API token or a service app and private key for all requests. |
| Permissions | API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change. Service application permissions are based on granted OAuth scopes. |
| Radius | Each connection represents a single Okta Organization. |
| Resolution | 1. With configuration provided in connection in steampipe .spc config file. 2. With okta environment variables. 3. An okta.yaml file in a .okta folder in the current user's home directory (~/.okta/okta.yaml or %userprofile.okta\okta.yaml). |
Configuration
Installing the latest okta plugin will create a config file (~/.steampipe/config/okta.spc) with a single connection named okta:
connection "okta" { plugin = "okta"
# Get your API token from Okta https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/ # domain = "https://<your_okta_domain>.okta.com" # token = "02d0YZgNSJwlNew6lZG-6qGThisisatest-token"
# Or use an Okta application and the client credentials flow for authenticating: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/ # domain = "https://<your_okta_domain>.okta.com" # client_id = "0oa10zpa2bo6tAm9Test" # private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."}By default, all options are commented out in the default connection, thus Steampipe will resolve your credentials using the same order as mentioned in Credentials. This provides a quick way to get started with Steampipe, but you will probably want to customize your experience using configuration options for querying multiple organizations, configuring credentials from your okta configuration files, environment variables, etc.
If using the Okta service application, the following scopes must be enabled for Steampipe to be able to access the Okta APIs:
- okta.users.read
- okta.groups.read
- okta.apps.read
- okta.roles.read
- okta.policies.read
- okta.authorizationServers.read
- okta.trustedOrigins.read
- okta.factors.read
Note: Table okta_user_type and okta_network_zone doesn't work in Service App authentication mode.
Get involved
- Open source: https://github.com/turbot/steampipe-plugin-okta
- Community: Slack Channel
Configuring Okta Credentials
Credentials from Environment Variables
The Okta plugin will use the standard Okta environment variables to obtain credentials only if other arguments (domain, token, client_id, private_key) are not specified in the connection:
API Token
export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.comexport OKTA_CLIENT_TOKEN=02d0YZgNSJwlNew6lZG-6qGThisisatest-tokenService App
export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.comexport OKTA_CLIENT_CLIENTID=0oa10zpa2bo6tAm9Testexport OKTA_CLIENT_PRIVATEKEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."