Okta Classic Engine · API Access Management · Answered · 2024-04-13 · 2022-11-04 · 2022-11-07

KitL.19791 (Customer) asked a question.

API Token Creator Account with Minimal Permissions

I'm attempting to limit, to the greatest degree possible, the permissions of a service account that will be creating API tokens. The goal is to let this service account create all tokens that need to read Okta's log history, with as few additional permissions to anything else as possible.

The closest I've come to my goal is creating a Group Admin account and granting it access to an otherwise empty and unused Okta Group. This provides access to API Tokens and the log.

What's the best practice for a situation like this?


  • 953nz (953nz)

    Kit,

    Okta states the following regarding your question: "Tokens are valid only if the user who created them is active. Tokens issued by deactivated users are rejected. To avoid service interruptions, Okta recommends generating API tokens using a service account that won’t be deactivated and with Super Admin permissions that won’t change."

    Second, please note the following as well: "Tokens are valid only if the user who created them is active. Tokens issued by deactivated users are rejected. To avoid service interruptions, Okta recommends generating API tokens using a service account that won’t be deactivated and with Super Admin permissions that won’t change."

    Next, note that creating a service account for the generation of API tokens is best practice. Creating these tokens with individual admins can be dangerous if they leave and their accounts are deactivated. You can create a read-only administrator to create these admin tokens, yes.

    Please see here for a statement that speaks to that: "Read-only admins have view access to most data in the Admin Console. Like report admins, read-only admins are unable to edit data. The only settings that read-only admins can change are their own notifications and API token settings."

    Please see below for some docs that speak to all of the above:

    Read-Only Administrators

    How to Manage access level for API Tokens created in Okta

    How do I create an API token?

    Ultimately, the recommendation is to create the API token with a Read-Only service account and then protect both the API token key and the password to the service account appropriately, assuming all you want the token and the admin account to be able to do is read-only. LastPass is a good example of a platform where that service account password can be stored for you or your team's use.

    Thanks!

    Selected as Best
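The two points in the answer above (a token is rejected once its creator is deactivated, and it carries whatever admin role its creator holds) can be turned into a periodic audit of token-creator accounts. The following is an added example, not code from the thread or from Okta: it assumes the caller has already fetched each token creator's user object (`GET /api/v1/users/{id}`) and role list (`GET /api/v1/users/{id}/roles`), and the sample records below are constructed with placeholder ids.

```python
# Added example (not from the thread): offline audit of the accounts that created
# Okta API tokens, against the "active, read-only service account" advice above.
from typing import Dict, List

# Least-privilege target for a token that only needs to read the System Log.
ALLOWED_ROLES = {"READ_ONLY_ADMIN"}


def audit_token_creator(user: Dict, roles: List[Dict]) -> List[str]:
    """Return findings for the account that created a token; an empty list is compliant."""
    findings: List[str] = []
    login = user.get("profile", {}).get("login", user.get("id", "?"))

    # A token dies with its creator: any status other than ACTIVE means rejected calls.
    if user.get("status") != "ACTIVE":
        findings.append(f"{login}: creator is {user.get('status')}; its tokens are rejected")

    # Only roles still in effect matter (Okta role objects carry their own status).
    role_types = {r.get("type") for r in roles if r.get("status", "ACTIVE") == "ACTIVE"}

    # A token inherits its creator's permissions, so a Super Admin creator means a Super Admin token.
    if "SUPER_ADMIN" in role_types:
        findings.append(f"{login}: SUPER_ADMIN role; token would carry full org permissions")

    # Any other role beyond read-only (e.g. the Group Admin workaround) is broader than needed.
    for extra in sorted(role_types - ALLOWED_ROLES - {"SUPER_ADMIN"}):
        findings.append(f"{login}: role {extra} is broader than read-only")

    # API tokens are created from the Admin Console, so a creator with no admin role is a data error.
    if not role_types:
        findings.append(f"{login}: no admin role; the account cannot create API tokens")
    return findings


# Constructed samples with placeholder ids (not real Okta objects).
SVC_USER = {"id": "00u_svc_placeholder", "status": "ACTIVE",
            "profile": {"login": "svc-logreader@example.com"}}
SVC_ROLES = [{"type": "READ_ONLY_ADMIN", "status": "ACTIVE"}]

DEPARTED_ADMIN = {"id": "00u_old_placeholder", "status": "DEPROVISIONED",
                  "profile": {"login": "former.admin@example.com"}}
DEPARTED_ROLES = [{"type": "SUPER_ADMIN", "status": "ACTIVE"}]

GROUP_ADMIN = {"id": "00u_grp_placeholder", "status": "ACTIVE",
               "profile": {"login": "svc-groupadmin@example.com"}}
GROUP_ROLES = [{"type": "GROUP_MEMBERSHIP_ADMIN", "status": "ACTIVE"}]

if __name__ == "__main__":
    for u, r in ((SVC_USER, SVC_ROLES), (DEPARTED_ADMIN, DEPARTED_ROLES), (GROUP_ADMIN, GROUP_ROLES)):
        print(audit_token_creator(u, r) or [f"{u['profile']['login']}: OK"])
```

Run it against the creator of every token listed under Security > API in the Admin Console; the departed Super Admin case is the one the answer warns about, and the Group Admin case is the asker's current workaround.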
This question is closed.