CLI command for workload authentication
Use the Okta Privileged Access client CLI for autonomous, non-interactive operations. Workloads authenticate and retrieve a temporary access token by running the sft workload authenticate command (aliased as sft wl auth), which is essential for automation scripts and CI/CD pipelines that can't rely on human intervention.
Before you begin
- You have DevOps admin privileges.
- You have an identity token from your workload provider and it's set as the --jwt=envname.
Example usage for workload automation
Since sft workload authentication is non-interactive, you can export its token as an environment variable (OPA_TOKEN) for use in scripts.
- Set OPA_ADDR and SFT_TEAM as environment variables.
    export OPA_ADDR=<URL>
    export SFT_TEAM=<my-team>
- Run the following command to configure your SSH settings for workload authentication.
    sft ssh-config >> ~/.ssh/config
  After completing this step, native SSH and SCP commands will automatically route through the SFT proxy without requiring the sft ssh wrapper. For example, scp <local-file> <hostname>:/remote/path.
- Run the following command to get the OPA_TOKEN.
    OPA_TOKEN=$(sft wl authenticate \
      --team <my-team> \
      --connection <workload-connection-name> \
      --jwt-env <my-jwtnnnenv> \
      --role-hint <workload-role-name>)
- Execute the following command to test the configuration.
    sft ssh myhost --command "echo hello"
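The steps above combined into a fail-closed shell helper for a CI job, as an added example that is not part of Okta's documentation. OPA_CONNECTION, OPA_ROLE_HINT and WORKLOAD_JWT are assumed variable names, and the helper assumes --jwt-env takes the name of the environment variable that holds the identity token.

```shell
# Added example: fail-closed wrapper around `sft wl authenticate` for CI jobs.
# OPA_CONNECTION, OPA_ROLE_HINT and WORKLOAD_JWT are assumed names, not Okta's.

# Succeed only if $1 is a valid variable name whose value is non-empty.
require_env() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
    esac
    eval "_val=\${$1:-}"   # safe: the name was validated above
    if [ -z "$_val" ]; then
        echo "missing required variable: $1" >&2
        return 1
    fi
    unset _val
}

# opa_authenticate JWT_ENV_NAME
# Exports OPA_TOKEN on success; otherwise leaves it unset and returns non-zero.
opa_authenticate() {
    _jwt_env=${1:-}
    unset OPA_TOKEN
    # Suspend tracing so a job running under `set -x` cannot log the JWT or token.
    case $- in *x*) _trace=1; set +x ;; *) _trace=0 ;; esac
    _rc=0
    for _v in OPA_ADDR SFT_TEAM OPA_CONNECTION OPA_ROLE_HINT "$_jwt_env"; do
        require_env "$_v" || _rc=1
    done
    if [ "$_rc" -eq 0 ]; then
        _token=$(sft wl authenticate \
            --team "$SFT_TEAM" \
            --connection "$OPA_CONNECTION" \
            --jwt-env "$_jwt_env" \
            --role-hint "$OPA_ROLE_HINT") || _token=
        if [ -n "$_token" ]; then
            OPA_TOKEN=$_token; export OPA_TOKEN
        else
            echo "sft wl authenticate returned no token" >&2
            _rc=1
        fi
        unset _token
    fi
    if [ "$_trace" -eq 1 ]; then set -x; fi
    return "$_rc"
}

# Usage: opa_authenticate WORKLOAD_JWT && sft ssh myhost --command "echo hello"
```

Source the file in the job script before calling opa_authenticate, so the exported OPA_TOKEN is visible to the sft and ssh commands that follow.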