Requesting Access with CLI

How to request access using Apono for developers

Overview

If your organization is using Apono, access to cloud resources in development, CI/CD, data repositories, cloud infrastructure and more is managed centrally.

With Apono's CLI, developers can schedule requests for access that is needed daily or weekly simply by rerunning the same command.

Prerequisites

  • Apono account
  • Membership in one or more groups having Access Flows to manage resources (an Apono admin account is not required)

Install the CLI

  1. Go to the Apono CLI GitHub repository.
  2. Follow the installation instructions for MacOS/Linux or Windows.
  3. Run apono to see all available commands (or with the -h, --help flags).

Set Up Auto-Complete

Auto-completion recognizes the tab tab key combination to complete typing commands and flags. Follow these instructions to set it up for your shell/terminal:

  1. Run apono completion [shell], where [shell] is one of:
    1. bash
    2. fish
    3. powershell
  2. A script for your shell type is generated and displayed.
  3. Copy the script and paste it into a text editor.
  4. On MacOS/Linux, save the file as .sh and make it executable. On Windows, save the file as .exe.
  5. Run the script to enable auto-completion.
  6. You can then use the tab key to get auto-complete suggestions for commands and flags with the CLI.

❗️ If you encounter the error "Error: profile not exists", you are not logged in. Run the command apono login and log in through your browser.

For zsh

  1. Run echo "autoload -U compinit; compinit" >> ~/.zshrc
  2. Open a new terminal and run the following: source <(apono completion zsh); compdef _apono apono
  3. The command in step 2 should be run in every new session.

Log In

Log in to your Apono account before you can run any other commands.

  1. Run apono login
  2. A browser tab will open.
  3. Follow the directions to log into your Apono account.
  4. Close the browser tab once you see the message confirming that you have successfully logged in.

Get Information

  • With each command, all of its flags are required
  • Flags can be written in their abbreviated form with a single hyphen (e.g. "-i") or in their long form with a double hyphen (e.g. "--integration").

Command | Flags | Function
apono integrations | (none) | Lists ID, type and name of all available integrations
apono resource-types | -i integration-id | Lists ID and name of all resource types in an integration
apono resources | -i integration-id, -t resource-type-id | Lists ID and name of all resources for an integration and its resource type (note: the resource-type-id is the ID returned by apono resource-types)
apono permissions | -i integration-id, -t resource-type-id | Lists the type of permissions available for a resource in an integration

Request Access

Command | Flags | What it does
apono request | -i integration-id -t resource-type-id -r resource-id -p permission -j "text" | Creates a new access request.
apono requests | (none) | Displays the status of all existing access requests.
apono access-details | access-request-id (a parameter, not a flag; use the friendly ID) | Displays instructions for accessing the resource once permission is granted.

apono request: Provide one integration-id and one resource-type; more than one resource-id and permission are allowed.

Upon successful creation, a request summary is returned:

Request ID
Status
Integration
Resources
Permissions
Justification

apono requests: With multiple components as above, the response is organized as follows:

request ID
integration
--resource1, status1, permissions1
--resource2, status2, permissions2
justification

For security purposes, we recommend closing the terminal once the login details have been copied

Example: Request Access to an AWS S3 Bucket

This example illustrates the sequence of commands to obtain all the necessary information about an integration to be able to request access according to the defined access flows.

  1. apono integrations

returns:

ID                       TYPE         Name
85a8f7b4-ee5b-48d1-ae59  aws-account  davej-s32

  2. apono resource-types -i 85a8f7b4-ee5b-48d1-ae59

returns:

ID                     NAME
aws-account-s3-bucket  aws-account-s3-bucket

  3. apono resources -i 85a8f7b4-ee5b-48d1-ae59 -t aws-account-s3-bucket

returns:

ID                     NAME
arn:aws:s3:::davej-s3  davej-23

  4. apono permissions -i 85a8f7b4-ee5b-48d1-ae59 -t aws-account-s3-bucket

returns:

ID          Name
READ_WRITE  READ_WRITE

  5. apono request -i 85a8f7b4-ee5b-48d1-ae59 -r arn:aws:s3:::davej-s3 -p READ_WRITE -t aws-account-s3-bucket -j "fix-J-1504"

returns:

ID: AR-00012
Status: Pending
Integration: davej-s32
Resources: arn:aws:s3:::davej-s3
Permissions: READ_WRITE
Justification: fix J 1504

  6. Follow the status of your access requests with apono requests. Once the status of a request has changed to Granted, get the instructions for accessing the resource with apono access-details [request-ID], which for our example returns:

You can run aws-cli commands with "--profile apono"
aws sts get-caller-identity --profile apono

You can open AWS Console with following command:
bash <(curl -s https://apono-public.s3.amazonaws.com/scripts/open_aws_console.sh)

For security purposes, we recommend closing the terminal once the login details have been copied.

Use Aliases to Save Access Requests

To save time, you can save frequently needed access requests as aliases. Simply run (on Windows or Mac/Linux):

alias ALIAS_NAME="[cli-access-request]"

Access Status Messages

  • Pending: waiting for the approver(s) to approve or reject
  • Granting: the request is approved and Apono is provisioning the access
  • Granted: you have successfully been given access. Check the Access Details to learn about logging in.
  • Expired: Your access time is up and access is revoked.
  • Rejected: the request was automatically rejected or rejected by approvers
  • Failed: An error has occurred. Contact your admin.
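
A script that submits a request needs the request ID and its status before it can call apono access-details. The following is an added example, not part of the Apono documentation or CLI: it parses the request summary shown in the S3 example and maps each status in the list above to the next step. The function names are hypothetical, and the summary format is assumed to match the sample on this page.

```shell
#!/bin/sh
# Added example, not Apono's code. Assumes `apono request` prints the
# "Key: value" summary shown in the S3 example on this page.

# summary_field KEY: read a request summary on stdin, print KEY's value.
summary_field() {
    awk -v key="$1" '{
        sep = index($0, ": ")
        if (sep > 0 && substr($0, 1, sep - 1) == key) {
            print substr($0, sep + 2)
            exit
        }
    }'
}

# next_action STATUS: map a status from "Access Status Messages" to the
# next step. Unknown text returns an error, so a changed output format
# fails closed instead of being mistaken for "Granted".
next_action() {
    case "$1" in
        Pending|Granting)        echo wait ;;
        Granted)                 echo fetch-details ;;
        Expired|Rejected|Failed) echo stop ;;
        *)                       echo unknown; return 1 ;;
    esac
}

# handle_summary: read a summary on stdin, print "<request-id> <action>".
handle_summary() {
    summary=$(cat)
    id=$(printf '%s\n' "$summary" | summary_field ID)
    status=$(printf '%s\n' "$summary" | summary_field Status)
    [ -n "$id" ] || { echo "no request ID in summary" >&2; return 1; }
    action=$(next_action "$status") || { echo "unexpected status: $status" >&2; return 1; }
    printf '%s %s\n' "$id" "$action"
}

# Constructed sample: the summary from the S3 example on this page.
SAMPLE_SUMMARY='ID: AR-00012
Status: Pending
Integration: davej-s32
Resources: arn:aws:s3:::davej-s3
Permissions: READ_WRITE
Justification: fix J 1504'

# Real use (requires a logged-in apono CLI):
#   apono request -i ... -t ... -r ... -p ... -j "..." | handle_summary
printf '%s\n' "$SAMPLE_SUMMARY" | handle_summary
```

When the action is fetch-details, pass the printed request ID to apono access-details.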

Limitations

This version does not support:

  • Approving access requests with CLI. We recommend creating Access Flows for CLI with automatic approval. Otherwise, approvers will get approve/reject messages via your connected ChatOps tool (Slack or Teams)
  • Resetting credentials
  • Revoking access
  • Requesting bundles

Results

The CLI supports making access requests for any resource integrated with Apono.

Next Steps

Access requests can now be made without a UI.

References

The CLI functions similarly to the ChatOps integrations with Slack and Teams.

Slack - Requesting, Viewing or Approving access

Troubleshooting

This is the first version of the Apono CLI. Commands may be added or changed in the future, so be sure to check this documentation regularly.

Refer to Troubleshooting Errors for information about errors that may occur.