Requesting Access with CLI
How to request access using Apono for developers
Overview
If your organization is using Apono, access to cloud resources in development, CI/CD, data repositories, cloud infrastructure and more is managed centrally.
With Apono's CLI, developers can schedule requests for access that is needed daily or weekly simply by rerunning the same command.
Prerequisites
- Apono account
- Membership in one or more groups having Access Flows to manage resources (an Apono admin account is not required)
Install the CLI
- Go to the Apono CLI GitHub repository.
- Follow the installation instructions for MacOS/Linux or Windows.
- Run `apono` (optionally with the -h or --help flag) to see all available commands.
Set Up Auto-Complete
Auto-completion recognizes the tab tab key combination to complete typing commands and flags. Follow these instructions to set it up for your shell/terminal:
- Run `apono completion [shell]`, where [shell] is one of:
  - bash
  - fish
  - powershell
- A script for your shell type is generated and displayed.
- Copy the script and paste it into a text editor.
- On MacOS/Linux, save the file as .sh and make it executable. On Windows, save the file as .exe.
- Run the script to enable auto-completion.
- You can then use the tab key to get auto-complete suggestions for commands and flags with the CLI.
If you encounter the error `Error: profile not exists`, you are not logged in. Run the command `apono login` and log in through your browser.
For zsh
- Run `echo "autoload -U compinit; compinit" >> ~/.zshrc`
- Open a new terminal and run the following:
source <(apono completion zsh); compdef _apono apono
- This command should be run in every new session.
Log In
You must log in to your Apono account before you can run any other commands.
- Run `apono login`.
- A browser tab will open.
- Follow the directions to log into your Apono account.
- Close the browser tab once you see the message confirming that you have successfully logged in.
Get Information
- With each command, all of its flags are required.
- Flags can be written in their abbreviated form with a single hyphen (e.g. "-i") or in their long form with a double hyphen (e.g. "--integration").
Command | Flags | Function |
---|---|---|
apono integrations | (none) | Lists ID, type and name of all available integrations |
apono resource-types | -i integration-id | Lists ID and name of all resource types in an integration |
apono resources | -i integration-id, -t resource-type-id | Lists ID and name of all resources for an integration and its resource type. (Note: the resource-type-id is the ID returned by `apono resource-types`.) |
apono permissions | -i integration-id, -t resource-type-id | Lists the type of permissions available for a resource in an integration |
Request Access
Command | Flags | What it does |
---|---|---|
apono request | -i integration-id -t resource-type-id -r resource-id -p permission -j "text" | Creates a new access request. Provide one integration-id and one resource-type; more than one resource-id and permission is allowed. Upon successful creation, a request summary is returned: Request ID, Status, Integration, Resources, Permissions, Justification. |
apono requests | (none) | Displays the status of all existing access requests. With multiple components as above, the response is organized as follows: request ID; integration; --resource1, status1, permissions1; --resource2, status2, permissions2; justification. |
apono access-details | access-request-id (a parameter, not a flag. Use the friendly ID) | Displays instructions for accessing the resource once permission is granted. For security purposes, we recommend closing the terminal once the login details have been copied. |
Example: Request Access to an AWS S3 Bucket
This example illustrates the sequence of commands to obtain all the necessary information about an integration to be able to request access according to the defined access flows.
apono integrations
returns:
ID | TYPE | Name |
---|---|---|
85a8f7b4-ee5b-48d1-ae59 | aws-account | davej-s32 |
apono resource-types -i 85a8f7b4-ee5b-48d1-ae59
returns:
ID | NAME |
---|---|
aws-account-s3-bucket | aws-account-s3-bucket |
apono resources -i 85a8f7b4-ee5b-48d1-ae59 -t aws-account-s3-bucket
returns:
ID | NAME |
---|---|
arn:aws:s3:::davej-s3 | davej-23 |
apono permissions -i 85a8f7b4-ee5b-48d1-ae59 -t aws-account-s3-bucket
returns:
ID | Name |
---|---|
READ_WRITE | READ_WRITE |
apono request -i 85a8f7b4-ee5b-48d1-ae59 -r arn:aws:s3:::davej-s3 -p READ_WRITE -t aws-account-s3-bucket -j "fix-J-1504"
returns:
ID: AR-00012
Status: Pending
Integration: davej-s32
Resources: arn:aws:s3:::davej-s3
Permissions: READ_WRITE
Justification: fix J 1504
- Follow the status of your access requests with `apono requests`. Once the status of a request has changed to Granted, get the instructions on accessing the resource with `apono access-details [request-ID]`, which for our example returns:
You can open AWS Console with following command: bash <(curl -s https://apono-public.s3.amazonaws.com/scripts/open_aws_console.sh)
For security purposes, we recommend closing the terminal once the login details have been copied.
Use Aliases to Save Access Requests
To save time, you can save access requests that are needed frequently as an alias. Simply run (on Windows or Mac/Linux):
alias ALIAS_NAME="[cli-access-request]"
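An alias of a complete request reuses the same -j text on every run. As an added example (not part of Apono's documentation or CLI), the shell function below keeps the sample S3 identifiers from this page fixed but requires a justification per run, then reads the request ID and status from the summary format shown in the example output; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example (not Apono's code). The IDs are the sample values from this
# page's S3 walkthrough; substitute the ones your own lookups return.
INTEGRATION_ID="85a8f7b4-ee5b-48d1-ae59"
RESOURCE_TYPE="aws-account-s3-bucket"
RESOURCE_ID="arn:aws:s3:::davej-s3"
PERMISSION="READ_WRITE"

# Read an `apono request` summary on stdin and print one field's value,
# e.g. "ID" or "Status" (line format as in the page's example output).
summary_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Classify a status from the page's list of status messages:
# 0 = access usable, 2 = still in progress, 1 = no access, 3 = unknown.
status_class() {
  case "$1" in
    Granted)                 return 0 ;;
    Pending|Granting)        return 2 ;;
    Expired|Rejected|Failed) return 1 ;;
    *)                       return 3 ;;
  esac
}

# Submit the recurring request with a justification supplied per run.
# Prints "<request-id> <status>" on success. The body runs in a subshell
# so its variables do not leak into the interactive session.
request_s3_rw() (
  case "$1" in
    *[![:space:]]*) ;;  # at least one non-blank character
    *) echo 'usage: request_s3_rw "justification"' >&2; return 64 ;;
  esac
  summary=$(apono request -i "$INTEGRATION_ID" -t "$RESOURCE_TYPE" \
    -r "$RESOURCE_ID" -p "$PERMISSION" -j "$1") || return 1
  id=$(printf '%s\n' "$summary" | summary_field ID)
  status=$(printf '%s\n' "$summary" | summary_field Status)
  [ -n "$id" ] || { echo "no request ID in CLI output" >&2; return 1; }
  printf '%s %s\n' "$id" "$status"
)
```

After sourcing the file, run `request_s3_rw "fix J-1504"` and pass the printed ID to `apono access-details` once `apono requests` shows Granted.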
Access Status Messages
- Pending: waiting for the approver(s) to approve or reject
- Granting: the request is approved and Apono is provisioning the access
- Granted: you have successfully been given access. Check the Access Details to learn about logging in.
- Expired: Your access time is up and access is revoked.
- Rejected: the request was automatically rejected or rejected by approvers
- Failed: An error has occurred. Contact your admin.
Limitations
This version does not support:
- Approving access requests with CLI. We recommend creating Access Flows for CLI with automatic approval. Otherwise, approvers will get approve/reject messages via your connected ChatOps tool (Slack or Teams).
- Resetting credentials
- Revoking access
- Requesting bundles
Results
The CLI supports making access requests for any resource integrated with Apono.
Next Steps
Access requests can now be made without a UI.
References
The CLI functions similarly to the ChatOps integrations with Slack and Teams.
Slack - Requesting, Viewing or Approving access
Troubleshooting
This is the first version of the Apono CLI. Commands may be added or changed in the future, so be sure to check this documentation regularly.
Refer to Troubleshooting Errors for information about errors that may occur.