Overview
Use the Okta integration after the shared GCP setup to ingest the Okta tenant resources you want Asymptote to track. The current Okta integration syncs Users, Groups, Apps, and Policies through a public Event Hook ingress, an internal Pub/Sub-backed ingest function, and an initial backfill job.
Before you start
- Run the shared GCP setup first with `./cloud-providers/gcp/scripts/init.sh`.
- Install Terraform `>= 1.9`, `gcloud`, `jq`, `openssl`, and `python3`.
- Make sure you have access to the Okta tenant you want to ingest.
- Create or obtain an Okta Management API token for that tenant.
- If you have more than one generated GCP install under `generated/gcp/`, decide which `install-state.json` you want to use and pass it with `--install-state PATH`.
- Use a GCP identity that can create Okta integration resources and deploy the Okta workloads.
Fill install.yaml
The Okta installer reads cloud-providers/gcp/scripts/integrations/okta/install.yaml by default.
Okta inherits the project ID, region, and other shared values from the base install-state.json. You do not set those again here.
Fill in these fields:
- `okta.domain`: required. Use your Okta tenant domain, with or without `https://`.
- `okta.api_token`: required. This token is used by the installer and runtime workloads.
- `okta.event_hook_auth`: optional. Leave it blank to have the installer generate a random secret and store it in Secret Manager.
- `okta.policy_types`: optional. Leave it blank to use the installer's curated default set, or set it explicitly if you want to control which Okta policy types are backfilled and kept updated.
policy_types blank in the actual YAML file.
Run the installer
Update `cloud-providers/gcp/scripts/integrations/okta/install.yaml`
Fill in the Okta tenant settings you want to use and set `okta.policy_types` only if you want to override the installer's default policy set.
Update the integration later
If Okta is already connected and you want to rotate the API token, change the Event Hook settings, or change the set of synced policy types, update the existing Okta integration instead of rerunning the base GCP setup.
Update the Okta settings
Edit `cloud-providers/gcp/scripts/integrations/okta/install.yaml` and keep the full set of `okta.policy_types` you want synced if you are overriding the defaults, along with any updated `domain`, `api_token`, or `event_hook_auth` values.
Troubleshooting
- If the installer cannot find the base setup you want, pass `--install-state /path/to/install-state.json`.
- If the installer says `okta.domain is required`, fill in `okta.domain`. The value can include or omit `https://`.
- If the installer says `okta.api_token is required`, fill in `okta.api_token`.
- If you explicitly override `okta.policy_types`, make sure the list contains at least one policy type.
- If Event Hook creation or verification fails, confirm that the tenant domain and API token are correct and rerun the installer.
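The field rules and troubleshooting cases above can be checked before running the installer. The following is an added example, not the installer's own code: `normalize_domain`, `check_okta_settings`, and `SAMPLE` are hypothetical names, the settings are assumed to be already parsed into a mapping with the dotted field names as nested keys, and the third error message is constructed wording.

```python
from urllib.parse import urlsplit


def normalize_domain(raw):
    """Return the bare host from a value given with or without https://."""
    value = (raw or "").strip()
    if not value:
        return ""
    try:
        # urlsplit only fills in .hostname when a scheme separator is present.
        host = urlsplit(value if "://" in value else "https://" + value).hostname
    except ValueError:
        return ""
    return host or ""


def check_okta_settings(cfg):
    """Return (summary, problems) for an already-parsed install.yaml mapping."""
    okta = (cfg or {}).get("okta") or {}
    problems = []
    domain = normalize_domain(okta.get("domain"))
    if not domain:
        problems.append("okta.domain is required")
    token_set = bool(str(okta.get("api_token") or "").strip())
    if not token_set:
        problems.append("okta.api_token is required")
    raw_types = okta.get("policy_types")
    if isinstance(raw_types, str):
        raw_types = [raw_types] if raw_types.strip() else None
    if raw_types is None:
        policy_types = None  # blank: the installer's default set applies
    else:
        policy_types = [str(t).strip() for t in raw_types if str(t).strip()]
        if not policy_types:  # explicit override with nothing in it
            problems.append("okta.policy_types override must list at least one policy type")
    # The summary records only whether a token is set, never the token itself.
    summary = {"domain": domain, "api_token_set": token_set, "policy_types": policy_types,
               "event_hook_auth": "provided" if okta.get("event_hook_auth") else "installer-generated"}
    return summary, problems


# Constructed sample values; the nested layout under "okta" is an assumption.
SAMPLE = {"okta": {"domain": "https://Example.okta.com/", "api_token": "PLACEHOLDER_TOKEN",
                   "event_hook_auth": "", "policy_types": ["EXAMPLE_POLICY_TYPE", " "]}}

if __name__ == "__main__":
    print(check_okta_settings(SAMPLE))
```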

