Smallstep Integration
This guide shows you how to set up an integration between Smallstep and Indent. Once complete, you can request temporary (or permanent) access to manage certs for SSH access and other things on the Smallstep platform.
Through API magic, Indent securely grants access to just about any service. Smallstep is a good integration if you want to reduce the number of accounts with standing access to sensitive resources like production servers.
What can I do with Smallstep + Indent?
- Use SSH certificates instead of public keys without mapping users to hosts in an identity provider
- Manage time-bound SSH access right from Slack
- Get your on-call team access without the wait through auto approvals
Smallstep is one of a few SSH and secure access integrations on Indent. If you'd like us to add another integration, send us a request.
Components
- Google
  - Smallstep
  - Google Groups + Indent Integration
  - A Google Cloud Platform (GCP) project in your G-Suite org
- Okta
  - Smallstep
  - Okta Groups + Indent Integration
Installation
This guide uses an identity provider (like Google or Okta) to connect with Smallstep. Indent grants temporary (or permanent) access to those groups, and automatically collects the evidence your org needs for audits and compliance.
A GitHub Actions and Terraform repo will be used to deploy an integration for Okta + Indent or Google + Indent. This Indent integration along with Smallstep will then grant access to cert-based SSH for anyone who's part of a related Okta Group or Google service account. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.
1. Set up your Identity Provider
- Google
  - Open the Google Groups + Indent docs
  - Follow the Configuration instructions
  - Test your integration with the Using Indent + Google Groups instructions
- Okta
  - Open the Indent + Okta docs
  - Follow the Configuration instructions
  - Test your integration with the Using Indent + Okta Groups instructions
2. Follow the Smallstep Quickstart
- Google
  - Follow the Smallstep G-suite quickstart guide
- Okta
  - Follow the Smallstep Okta quickstart guide
3. Assign Groups
- Google
  - Use Indent to request access to the Smallstep SSH account that you set up as part of the Smallstep quickstart
- Okta
  - Use Indent to request access to one of the groups you configured as part of the "Go to the Assignments tab" step in the Smallstep quickstart
Interactive Demo
In the following example, you're logged in as Fouad and can request access to an Okta Group. In real usage, you would want an Okta Group linked with a Smallstep SSH account. Requesting access to the Okta Group through Indent gives you the ability to grant secure, on-demand, and auto-expiring access to sensitive secrets. Indent can also be used for new employees to self-serve requests for permanent access during onboarding.
Try submitting and approving a request:
Summary
Congrats! You added the Smallstep + Indent integration. Your teams and individuals can both securely request access to cert-based SSH. Indent will automatically record an audit log, and auto-expire access after a time period of your choosing.
Next, check out the Integrations page for other services your teams want to request. If we're missing something from your stack, you can request a new integration. You might be ready to start inviting others in your org to try Indent. If that's the case, you'll want to send them docs on how to make a request. You and anyone approving requests should read more about approving and declining requests.
Questions
Why can't I see my Groups in Indent?
You might need to sync Okta Groups or Google Workspaces with Indent. Try visiting the Resources section in your Indent dashboard, and clicking Pull Updates.
Can Indent manage the integration for me?
Sure! We can host the integration on a single-tenant AWS account. That's a popular way to do an initial setup while your teams test out Indent. To start that process, contact Indent Support.
How do I ask for help?
If you have questions or need help with your integration, try chatting with Indent Support.