Okta + Steampipe
Okta is the leading independent identity provider. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time.
Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.
For example:
select
  login,
  id,
  email,
  created
from
  okta_user;

+---------------------+----------------------+---------------------+---------------------+
| login               | id                   | email               | created             |
+---------------------+----------------------+---------------------+---------------------+
| subhajit@turbot.com | 00u1e63jiqAHskqSd5d7 | subhajit@turbot.com | 2021-08-02 13:35:54 |
| lalit@turbot.com    | 00u1e5eizrjQKTWMA5d7 | lalit@turbot.com    | 2021-08-02 10:57:05 |
+---------------------+----------------------+---------------------+---------------------+
Documentation
Get started
Install
Download and install the latest Okta plugin:
steampipe plugin install okta
Credentials
Item | Description |
---|---|
Credentials | Okta requires a domain and an API token or a service app and private key for all requests. |
Permissions | API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change. Service application permissions are based on granted OAuth scopes. |
Radius | Each connection represents a single Okta Organization. |
Resolution | 1. Configuration provided in the connection in the Steampipe .spc config file. 2. Okta environment variables. 3. An okta.yaml file in a .okta folder in the current user's home directory (~/.okta/okta.yaml or %userprofile%\.okta\okta.yaml). |
Configuration
Installing the latest okta plugin will create a config file (~/.steampipe/config/okta.spc) with a single connection named okta:
connection "okta" {
  plugin = "okta"

  # Get your API token from Okta https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/
  # Can also be set with the OKTA_CLIENT_ORGURL environment variable.
  # domain = "https://<your_okta_domain>.okta.com"

  # Okta API token. Can also be set with the OKTA_CLIENT_TOKEN environment variable.
  # token = "02d0YZgNSJwlNew6lZG-6qGThisisatest-token"

  # Or use an Okta application and the client credentials flow for authenticating: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/
  # Can also be set with the OKTA_CLIENT_ORGURL environment variable.
  # domain = "https://<your_okta_domain>.okta.com"

  # Okta App client id, used with PrivateKey OAuth auth mode. Can also be set with the OKTA_CLIENT_CLIENTID environment variable.
  # client_id = "0oa10zpa2bo6tAm9Test"

  # Private key value. Can also be set with the OKTA_CLIENT_PRIVATEKEY environment variable.
  # private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."

  # The maximum number of attempts (including the initial call) Steampipe will
  # make for failing API calls. Can also be set with the OKTA_CLIENT_RATE_LIMIT_MAX_RETRIES environment variable.
  # Defaults to 5 and must be greater than or equal to 1.
  # max_retries = 5

  # The maximum amount of time to wait on request back off. Can also be set with the OKTA_CLIENT_RATE_LIMIT_MAX_BACKOFF environment variable.
  # Defaults to 30 and must be greater than or equal to 1.
  # max_backoff = 30

  # HTTP request time out in seconds. Can also be set with the OKTA_CLIENT_REQUEST_TIMEOUT environment variable.
  # Defaults to 30 and must be greater than or equal to 1.
  # request_timeout = 30
}
By default, all options are commented out in the default connection, so Steampipe resolves your credentials in the order described in Credentials. This is a quick way to get started with Steampipe, but you will probably want to customize the configuration, for example to query multiple organizations or to supply credentials from your Okta configuration files or environment variables.
If using the Okta service application, the following scopes must be enabled for Steampipe to be able to access the Okta APIs:
- okta.users.read
- okta.groups.read
- okta.apps.read
- okta.roles.read
- okta.policies.read
- okta.authorizationServers.read
- okta.trustedOrigins.read
- okta.factors.read
Note: The okta_user_type and okta_network_zone tables do not work in Service App authentication mode.
Configuring Okta Credentials
Credentials from Environment Variables
The Okta plugin will use the standard Okta environment variables to obtain credentials only if other arguments (domain, token, client_id, private_key) are not specified in the connection:
API Token
export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.com
export OKTA_CLIENT_TOKEN=02d0YZgNSJwlNew6lZG-6qGThisisatest-token
API Token with maximum number of retry attempts
export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.com
export OKTA_CLIENT_TOKEN=02d0YZgNSJwlNew6lZG-6qGThisisatest-token
export OKTA_CLIENT_RATE_LIMIT_MAX_RETRIES=10
export OKTA_CLIENT_RATE_LIMIT_MAX_BACKOFF=40
Service App
export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.com
export OKTA_CLIENT_CLIENTID=0oa10zpa2bo6tAm9Test
export OKTA_CLIENT_PRIVATEKEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."
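The resolution order in the Credentials table and the environment-variable rule above decide which secret a connection actually uses. The following is an added example, not part of the plugin or its documentation, that reports the effective source and flags a config file readable by other users. The function names are hypothetical, and the uncommented-line match is a simplification that assumes one connection per file.

```shell
#!/bin/sh
# Added example (not from the plugin): which credential source applies, per the
# resolution order in the Credentials table, and whether its file is exposed.

# has_setting FILE KEY: true if KEY is assigned on an uncommented line.
# Assumption: simple line match, not a full HCL parse; one connection per file.
has_setting() {
  [ -f "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# okta_cred_source SPC_FILE OKTA_YAML: prints "<source>:<auth mode>".
okta_cred_source() {
  spc=$1
  yaml=$2
  for key in domain token client_id private_key; do
    if has_setting "$spc" "$key"; then
      # Connection arguments are present, so environment variables are not used.
      if has_setting "$spc" token; then echo "connection:api_token"
      elif has_setting "$spc" private_key; then echo "connection:service_app"
      else echo "connection:incomplete"
      fi
      return 0
    fi
  done
  if [ -n "${OKTA_CLIENT_TOKEN:-}" ]; then echo "environment:api_token"
  elif [ -n "${OKTA_CLIENT_PRIVATEKEY:-}" ]; then echo "environment:service_app"
  elif [ -f "$yaml" ]; then echo "okta_yaml:unknown"
  else echo "none:none"
  fi
}

# secret_file_exposed FILE: true if group or other has any permission on FILE.
secret_file_exposed() {
  [ -f "$1" ] || return 1
  perms=$(ls -l "$1" | cut -c5-10)   # group and other bits, e.g. "r--r--"
  [ "$perms" != "------" ]
}

# Report on the default paths named on this page when run with --report.
if [ "${1:-}" = "--report" ]; then
  okta_cred_source "$HOME/.steampipe/config/okta.spc" "$HOME/.okta/okta.yaml"
  if secret_file_exposed "$HOME/.steampipe/config/okta.spc"; then
    echo "okta.spc is accessible to group or other"
  fi
fi
```

A result ending in `api_token` means queries run with the permissions of the user who created the token, while `service_app` is limited to the granted OAuth scopes.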
Postgres FDW
This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_postgres_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- okta
The installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.
To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.
CREATE EXTENSION IF NOT EXISTS steampipe_postgres_okta;
CREATE SERVER steampipe_okta FOREIGN DATA WRAPPER steampipe_postgres_okta OPTIONS (config '<your_config>');
CREATE SCHEMA okta;
IMPORT FOREIGN SCHEMA okta FROM SERVER steampipe_okta INTO okta;
SQLite Extension
This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_sqlite_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- okta
The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.
To configure the SQLite extension, load the extension module and then run the steampipe_configure_okta function to configure it with plugin-specific options.
$ sqlite3
sqlite> .load ./steampipe_sqlite_extension_okta.so
sqlite> select steampipe_configure_okta('<your_config>');
Export
This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- okta
You can pass the configuration to the command with the --config argument:
steampipe_export_okta --config '<your_config>' <table_name>