Overview

Use the Okta integration after the shared GCP setup to ingest the Okta tenant resources you want Asymptote to track. The current Okta integration syncs Users, Groups, Apps, and Policies through a public Event Hook ingress, an internal Pub/Sub-backed ingest function, and an initial backfill job.

Before you start

  • Run the shared GCP setup first with ./cloud-providers/gcp/scripts/init.sh.
  • Install Terraform >= 1.9, gcloud, jq, openssl, and python3.
  • Make sure you have access to the Okta tenant you want to ingest.
  • Create or obtain an Okta Management API token for that tenant.
  • If you have more than one generated GCP install under generated/gcp/, decide which install-state.json you want to use and pass it with --install-state PATH.
  • Use a GCP identity that can create Okta integration resources and deploy the Okta workloads.

Fill install.yaml

The Okta installer reads cloud-providers/gcp/scripts/integrations/okta/install.yaml by default. Okta inherits the project ID, region, and other shared values from the base install-state.json. You do not set those again here. Fill in these fields:
  • okta.domain: required. Use your Okta tenant domain, with or without https://.
  • okta.api_token: required. This token is used by the installer and runtime workloads.
  • okta.event_hook_auth: optional. Leave it blank to have the installer generate a random secret and store it in Secret Manager.
  • okta.policy_types: optional. Leave it blank to use the installer’s curated default set, or set it explicitly if you want to control which Okta policy types are backfilled and kept updated.
Config shape:
okta:
  domain: "acme.okta.com"
  api_token: "00abcExampleToken"
  event_hook_auth: ""
  policy_types:
    - "ACCESS_POLICY"
    - "OKTA_SIGN_ON"
    - "PASSWORD"
If you want the curated default policy set instead, leave policy_types blank in the actual YAML file.
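A pre-flight check for the fields described above, as an added example that is not part of the Asymptote installer. The names `read_okta_block` and `validate` are hypothetical, the reader only understands the flat config shape shown on this page, and the bare-hostname rule, the `[]` spelling of an empty override, and the file-permission check are assumptions added here rather than installer behaviour.

```python
import os, re, stat

# Constructed sample in the config shape shown above (placeholder values).
SAMPLE = '''okta:
  domain: "https://acme.okta.com"
  api_token: "00abcExampleToken"
  event_hook_auth: ""
  policy_types:
    - "ACCESS_POLICY"
'''

def read_okta_block(text):
    """Reader for the flat okta: block shown above; not a general YAML parser."""
    cfg, key, in_okta = {}, None, False
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):   # a top-level key
            in_okta = line.strip() == "okta:"
        if not (in_okta and line.startswith(" ")) or line.lstrip().startswith("#"):
            continue
        item = re.match(r"\s+-\s*(.+)$", line)
        field = re.match(r"\s+([A-Za-z_]+):\s*(.*)$", line)
        if item and key:                                # list entry under the last key
            cfg[key] = (cfg[key] if isinstance(cfg[key], list) else []) + [item.group(1).strip("\"' ")]
        elif field:
            key, val = field.group(1), field.group(2).strip()
            cfg[key] = [] if val == "[]" else val.strip("\"'")
    return cfg

def validate(cfg, path=None):
    """Return (normalized_domain, problems) for the rules this page states."""
    problems = []
    domain = re.sub(r"^https://", "", cfg.get("domain", ""))
    if not domain:
        problems.append("okta.domain is required")
    elif not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain):
        # Assumption: anything beyond an optional https:// plus hostname is a typo.
        problems.append("okta.domain is not a bare tenant hostname: %r" % domain)
    if not cfg.get("api_token"):
        problems.append("okta.api_token is required")
    if cfg.get("policy_types") == []:   # assumed spelling of an empty override
        problems.append("okta.policy_types is overridden but lists no policy type")
    # Added hygiene check, not an installer rule: the file holds the API token.
    if path and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("%s is readable by group/other; chmod 600 it" % path)
    return domain, problems

if __name__ == "__main__":
    print(validate(read_okta_block(SAMPLE)))
```

Pass the path of the real install.yaml as the second argument to `validate` to include the permission check.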

Run the installer

1. Update `cloud-providers/gcp/scripts/integrations/okta/install.yaml`

Fill in the Okta tenant settings you want to use and set okta.policy_types only if you want to override the installer’s default policy set.
2. Run the script

From the repository root, run:
./cloud-providers/gcp/scripts/integrations/install-integration.sh okta
3. Approve the planned changes

Review the planned changes and approve them to continue.
If you want to use a different config file, target a specific base install, or skip confirmation prompts:
./cloud-providers/gcp/scripts/integrations/install-integration.sh okta --config /path/to/install.yaml
./cloud-providers/gcp/scripts/integrations/install-integration.sh okta --install-state /path/to/install-state.json
./cloud-providers/gcp/scripts/integrations/install-integration.sh okta --auto-approve
When the script finishes, it prints the project ID, the Okta events function URL, the Okta ingest function URL, the Okta normalization service URL, the Okta backfill job name, and the initial backfill execution ID when available.

Update the integration later

If Okta is already connected and you want to rotate the API token, change the Event Hook settings, or change the set of synced policy types, update the existing Okta integration instead of rerunning the base GCP setup.
1. Update the Okta settings

Edit cloud-providers/gcp/scripts/integrations/okta/install.yaml and keep the full set of okta.policy_types you want synced if you are overriding the defaults, along with any updated domain, api_token, or event_hook_auth values.
2. Rerun only the Okta installer

Run:
./cloud-providers/gcp/scripts/integrations/install-integration.sh okta
If needed, pass --install-state /path/to/install-state.json to target the existing base setup you want to update.
After that rerun, the existing Okta connection stays in place and the installer updates the stored config, Event Hook, and runtime resources to match the YAML.

Troubleshooting

  • If the installer cannot find the base setup you want, pass --install-state /path/to/install-state.json.
  • If the installer says okta.domain is required, fill in okta.domain. The value can include or omit https://.
  • If the installer says okta.api_token is required, fill in okta.api_token.
  • If you explicitly override okta.policy_types, make sure the list contains at least one policy type.
  • If Event Hook creation or verification fails, confirm that the tenant domain and API token are correct and rerun the installer.