Skip to main content

Smallstep Integration

This guide will show you how to setup an integration with Smallstep and Indent. Once complete, you can request temporary (or permanent) access to manage certs for SSH access and other things on the Smallstep platform.

Through API magic, Indent securely grants access to just about any service. Smallstep is a good integration if you want to reduce the number of accounts with standing access to a sensitive resources like production servers.

What can I do with Smallstep + Indent?

  • Use SSH certificates instead of public keys without mapping users to hosts in an identity provider
  • Manage time-bound SSH access right from Slack
  • Get your on-call team access without the wait through auto approvals

Smallstep is one of a few SSH and secure access integrations on Indent. If you'd like us to add another integration, send us a request.



This guide uses an identity provider (like Google or Okta) to connect with Smallstep. Indent grants temporary (or permanent) access to those groups, and automatically collects the evidence your org needs for audits and compliance.

A GitHub Actions and Terraform repo will be used to deploy an integration for Okta + Indent or Google + Indent. This Indent integration along with Smallstep will then grant access to cert-based SSH for anyone who's part of a related Okta Group or Google service account. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.

1. Setup your Identity Provider

  • Open the Indent + Okta docs
  • Follow the Configuration instructions
  • Test your integration with the Using Indent + Okta Groups instructions

2. Follow the Smallstep Quickstart

3. Assign Groups

  • Use Indent to request access to one of the groups you configured as part of the Go to the Assignments tab step in the Smallstep quickstart

Interactive Demo

In the following example, you're logged in as Fouad and can request access to an Okta Group. In real usage, you would want an Okta Group linked with a Smallstep SSH account. Requesting access to the Okta Group through Indent gives you the ability to grant secure, on-demand, and auto-expiring access sensitive secrets. Indent can also be used for new employees to self-serve requests for permanent access during onboarding.

Try submitting and approving a request:


Congrats! You added the Smallstep + Indent integration. Your teams and individuals can both securely request access to cert-based SSH. Indent will automatically record an audit log, and auto-expire access after a time period of your choosing.

Next, check out the Integrations page page for other services your teams want to request. If we're missing something from your stack, you can request a new integration. You might be ready to start inviting others in your org to try Indent. If that's the case, you'll want to send them docs on how to make a request. You and anyone approving requests should read more about approving and declining requests.


Why can't I see my Groups in Indent?

You might need to sync Okta Groups or Google Workspaces with Indent. Try visiting the Resources section in your Indent dashboard, and clicking Pull Updates.

Can Indent manage the integration for me?

Sure! We can host the integration on an single-tenant AWS account. That's a popular way to do an initial setup while your teams test out Indent. To start that process, contact Indent Support

How do I ask for help?

If you have questions or need help with your integration, try chatting with Indent Support.