CLI command for workload authentication
Use the Okta Privileged Access client CLI for autonomous, non-interactive operations. Workloads authenticate and retrieve a temporary access token by running the sft workload authenticate command (aliased as sft wl auth), which is essential for automation scripts and CI/CD pipelines that can't rely on human intervention.
Before you begin
- You have DevOps admin privileges.
- You have an identity token from your workload provider, and it's set in the environment variable that you name with --jwt-env.
Example usage for workload automation
Since sft workload authenticate is non-interactive, you can export its token as an environment variable (OPA_TOKEN) for use in scripts.
- Set OPA_ADDR and SFT_TEAM as environment variables.

    export OPA_ADDR=<URL>
    export SFT_TEAM=<my-team>

- Run the following command to configure your SSH settings for workload authentication.

    sft ssh-config >> ~/.ssh/config

  After completing this step, native SSH and SCP commands will automatically route through the SFT proxy without requiring the sft ssh wrapper. For example, scp <local-file> <hostname>:/remote/path.

- Run the following command to get the OPA_TOKEN.

    OPA_TOKEN=$(sft wl authenticate \
      --team <my-team> \
      --connection <workload-connection-name> \
      --jwt-env <my-jwt-env> \
      --role-hint <workload-role-name>)

- Execute the following command to test the configuration.

    sft ssh myhost --command "echo hello"
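
The token step above wrapped as a fail-closed helper for a CI job. This is an added example, not part of Okta's documentation. OPA_CONNECTION, OPA_ROLE_HINT and OPA_JWT_ENV are variable names assumed here; the sft flags are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not Okta's code). OPA_CONNECTION, OPA_ROLE_HINT and OPA_JWT_ENV
# are hypothetical variable names; the sft flags are the ones shown on this page.

# require_env NAME: succeed only if NAME is a valid identifier that is set and non-empty.
require_env() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name" >&2; return 2 ;;
    esac
    # $1 was validated above; ${VAR:+set} tests the value without copying it,
    # so a job running with `set -x` does not trace the identity token.
    eval "_set=\${$1:+set}"
    if [ -z "$_set" ]; then
        echo "missing required variable: $1" >&2
        return 1
    fi
}

# opa_workload_login: obtain a token and export it as OPA_TOKEN, or fail closed.
opa_workload_login() {
    for _name in OPA_ADDR SFT_TEAM OPA_CONNECTION OPA_ROLE_HINT OPA_JWT_ENV; do
        require_env "$_name" || return 1
    done
    # The identity token must be present in the variable that --jwt-env names.
    require_env "$OPA_JWT_ENV" || return 1

    # Pause xtrace so the access token is not written to the job log.
    case "$-" in *x*) _xtrace=1; set +x ;; *) _xtrace=0 ;; esac
    _rc=0
    _token=$(sft wl authenticate \
        --team "$SFT_TEAM" \
        --connection "$OPA_CONNECTION" \
        --jwt-env "$OPA_JWT_ENV" \
        --role-hint "$OPA_ROLE_HINT") || _rc=$?
    if [ "$_rc" -eq 0 ] && [ -n "$_token" ]; then
        OPA_TOKEN=$_token
        export OPA_TOKEN
    else
        unset OPA_TOKEN            # never leave a stale token for later steps
        echo "workload authentication failed (sft exit code $_rc)" >&2
        _rc=1
    fi
    unset _token
    if [ "$_xtrace" -eq 1 ]; then set -x; fi
    return "$_rc"
}
# Usage in a job: . ./opa-login.sh && opa_workload_login && sft ssh myhost --command "echo hello"
```

The helper exports OPA_TOKEN only when sft exits successfully with non-empty output, so a later sft ssh step cannot run with a stale or empty token.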
