Commit 4d58cdf

authored
Merge pull request #23 from cruxstack/dev
docs: add missing info on required okta roles
2 parents 333bf25 + 69c1eb9 commit 4d58cdf

1 file changed

+28
-5
lines changed

docs/okta-setup.md

Lines changed: 28 additions & 5 deletions
@@ -76,7 +76,30 @@ On the **General** tab, find and save:
7676
These scopes allow read-only access to groups and users - no write access to
7777
Okta is required.
7878

79-
## Step 6: Identify Your Okta Domain
79+
## Step 6: Assign Admin Role
80+
81+
API Services applications require an admin role to access Okta APIs. Without
82+
this, API calls will fail with permission errors even if scopes are granted.
83+
84+
1. Go to the **Admin roles** tab for your application
85+
2. Click **Edit assignments**
86+
3. Select one of the following roles:
87+
88+
| Role | Access Level |
89+
|---------------------|-----------------------------------------------|
90+
| **Read Only Admin** | Read access to all resources (recommended) |
91+
| **Group Admin** | Full access to groups only |
92+
93+
4. If using **Group Admin**, optionally restrict to specific groups:
94+
- Under **Edit constraints for Group Administrator**, select specific
95+
groups or group types the app can access
96+
5. Click **Save changes**
97+
98+
> **Note**: Read Only Admin is recommended for sync operations since it
99+
> provides sufficient access without write permissions. Group Admin is an
100+
> alternative if you need to limit the app's scope to group resources only.
101+
102+
## Step 7: Identify Your Okta Domain
80103

81104
Your Okta domain is the URL you use to access the admin console:
82105

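Review bot: the role table in the new Step 6 (`| **Group Admin** | Full access to groups only |`) offers a role that carries write access to groups, while the unchanged context lines just above it state that "no write access to Okta is required". The trailing Note already recommends Read Only Admin, but it should say explicitly that Group Admin grants more than the sync needs (group write) and that Read Only Admin is the least-privilege choice, so a reader who picks Group Admin for the group constraints in item 4 understands the trade-off. A second small point: item 4 tells the reader to constrain Group Admin to specific groups, but the docs do not say that the constrained set must include every group the sync rules in Step 11 will match; one sentence noting that would prevent the "permission errors even if scopes are granted" failure the step opens with.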
@@ -85,7 +108,7 @@ Your Okta domain is the URL you use to access the admin console:
85108

86109
Use the domain without `https://` prefix for `APP_OKTA_DOMAIN`.
87110

88-
## Step 7: Configure User Profile Field
111+
## Step 8: Configure User Profile Field
89112

90113
The app needs to map Okta users to GitHub usernames. Determine which Okta user
91114
profile field contains GitHub usernames:
@@ -111,7 +134,7 @@ profile field contains GitHub usernames:
111134

112135
Then set `APP_OKTA_GITHUB_USER_FIELD=githubUsername`.
113136

114-
## Step 8: Prepare Okta Groups
137+
## Step 9: Prepare Okta Groups
115138

116139
Ensure your Okta groups follow a naming convention that can be matched by sync
117140
rules:
@@ -129,7 +152,7 @@ Groups can be:
129152
- Groups synced from Active Directory
130153
- Groups from other identity providers
131154

132-
## Step 9: Configure Environment Variables
155+
## Step 10: Configure Environment Variables
133156

134157
```bash
135158
# Required Okta configuration
@@ -149,7 +172,7 @@ APP_OKTA_PRIVATE_KEY_PATH=/path/to/okta-private-key.pem
149172
APP_OKTA_PRIVATE_KEY=arn:aws:ssm:us-east-1:123456789:parameter/github-bot/okta-key
150173
```
151174

152-
## Step 10: Configure Sync Rules
175+
## Step 11: Configure Sync Rules
153176

154177
Define how Okta groups map to GitHub teams:
155178
