Okta + Steampipe

Okta is the leading independent identity provider. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time.

Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.

For example:

select
  login,
  id,
  email,
  created
from
  okta_user;

+---------------------+----------------------+---------------------+---------------------+
| login               | id                   | email               | created             |
+---------------------+----------------------+---------------------+---------------------+
| subhajit@turbot.com | 00u1e63jiqAHskqSd5d7 | subhajit@turbot.com | 2021-08-02 13:35:54 |
| lalit@turbot.com    | 00u1e5eizrjQKTWMA5d7 | lalit@turbot.com    | 2021-08-02 10:57:05 |
+---------------------+----------------------+---------------------+---------------------+

Get started

Install

Download and install the latest Okta plugin:

steampipe plugin install okta

Credentials

Item | Description
Credentials | Okta requires a domain and an API token, or a service app and private key, for all requests.
Permissions | API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change. Service application permissions are based on granted OAuth scopes.
Radius | Each connection represents a single Okta Organization.
Resolution | 1. Configuration provided in the connection in the Steampipe .spc config file. 2. Okta environment variables. 3. An okta.yaml file in a .okta folder in the current user's home directory (~/.okta/okta.yaml or %userprofile%\.okta\okta.yaml).

Configuration

Installing the latest okta plugin will create a config file (~/.steampipe/config/okta.spc) with a single connection named okta:

connection "okta" {
  plugin = "okta"

  # Get your API token from Okta https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/
  # domain = "https://<your_okta_domain>.okta.com"
  # token  = "02d0YZgNSJwlNew6lZG-6qGThisisatest-token"

  # Or use an Okta application and the client credentials flow for authenticating: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/
  # domain      = "https://<your_okta_domain>.okta.com"
  # client_id   = "0oa10zpa2bo6tAm9Test"
  # private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."
}

By default, all options are commented out in the default connection, so Steampipe resolves your credentials in the order described in Credentials. This is a quick way to get started with Steampipe, but you will probably want to customize the configuration, for example to query multiple organizations or to take credentials from your Okta configuration files or environment variables.

If using the Okta service application, the following scopes must be enabled for Steampipe to be able to access the Okta APIs:

  • okta.users.read
  • okta.groups.read
  • okta.apps.read
  • okta.roles.read
  • okta.policies.read
  • okta.authorizationServers.read
  • okta.trustedOrigins.read
  • okta.factors.read

Note: The okta_user_type and okta_network_zone tables do not work in Service App authentication mode.

Configuring Okta Credentials

Credentials from Environment Variables

The Okta plugin will use the standard Okta environment variables to obtain credentials only if other arguments (domain, token, client_id, private_key) are not specified in the connection:

API Token

export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.com
export OKTA_CLIENT_TOKEN=02d0YZgNSJwlNew6lZG-6qGThisisatest-token

Service App

export OKTA_CLIENT_ORGURL=https://<your_okta_domain>.okta.com
export OKTA_CLIENT_CLIENTID=0oa10zpa2bo6tAm9Test
export OKTA_CLIENT_PRIVATEKEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAK..."
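
To see which of the sources above a given setup resolves to, the following added example (not part of the plugin or its documentation) applies the resolution order to a connection file and the current environment, and flags a file that holds an inline token or private key while being readable by group or other users. It assumes one connection per .spc file and that a connection counts as configured when it sets token, or client_id together with private_key; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not plugin code. Assumes one connection per .spc file and that
# a connection counts as configured when it sets token, or client_id together
# with private_key, on an uncommented line. Function names are hypothetical.

# has_key FILE KEY: true if KEY is assigned on an uncommented line of FILE.
has_key() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# okta_cred_source SPC_FILE [YAML_FILE]: prints "<source>:<auth mode>".
okta_cred_source() {
    spc=$1
    yaml=${2:-$HOME/.okta/okta.yaml}
    if has_key "$spc" token; then
        echo "connection:api-token"
    elif has_key "$spc" client_id && has_key "$spc" private_key; then
        echo "connection:service-app"
    elif [ -n "${OKTA_CLIENT_TOKEN:-}" ]; then
        echo "environment:api-token"
    elif [ -n "${OKTA_CLIENT_CLIENTID:-}" ] && [ -n "${OKTA_CLIENT_PRIVATEKEY:-}" ]; then
        echo "environment:service-app"
    elif [ -f "$yaml" ]; then
        echo "okta.yaml:see-file"
    else
        echo "none"
    fi
}

# secret_file_exposed FILE: true if FILE holds an inline token or private_key
# and its mode lets group or other users read it.
secret_file_exposed() {
    { has_key "$1" token || has_key "$1" private_key; } || return 1
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Stand-alone run: report on the default config file if it exists.
spc_default="$HOME/.steampipe/config/okta.spc"
if [ -f "$spc_default" ]; then
    echo "credential source: $(okta_cred_source "$spc_default")"
    if secret_file_exposed "$spc_default"; then
        echo "warning: $spc_default has inline secrets and is group/world readable"
    fi
fi
```

Because API tokens carry the permissions of the user who created them, a result of connection:api-token or environment:api-token is the case to review first.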

Postgres FDW

This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_postgres_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- okta

The installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.

To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.

CREATE EXTENSION IF NOT EXISTS steampipe_postgres_okta;
CREATE SERVER steampipe_okta FOREIGN DATA WRAPPER steampipe_postgres_okta OPTIONS (config '<your_config>');
CREATE SCHEMA okta;
IMPORT FOREIGN SCHEMA okta FROM SERVER steampipe_okta INTO okta;

SQLite Extension

This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_sqlite_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- okta

The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.

To configure the SQLite extension, load the extension module and then run the steampipe_configure_okta function to configure it with plugin-specific options.

$ sqlite3
sqlite> .load ./steampipe_sqlite_extension_okta.so
sqlite> select steampipe_configure_okta('<your_config>');

Export

This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- okta

You can pass the configuration to the command with the --config argument:

steampipe_export_okta --config '<your_config>' <table_name>