Skip to main content
Version: 1.3

wf assume

wf assume

Escalates your privileges for a short-lived time


By default users are not assigned long-lived permissions to clusters or to the Wayfinder API. Instead they can assume permissions by requesting access to a plan (set of permissions). Assuming they meet the constraints placed on acquiring the role, their permissions will be acquired for a period of time, after which the permissions roll back.

wf assume [flags]


# Assume namespace admin in a cluster
$ wf assume namespace.admin

# You skip the prompts by supplying the known parameters
$ wf assume namespace.admin --cluster <name> --namespace <namespace>

# Use the parameter flag to fill in the option
$ wf assume namespace.admin --param=cluster=<name> --param=namespace=<name>

# Policies that target clusters can take a second or so for the policy
# to propagate - the default behaviour is to always wait. This can be changed with
$ wf assume --no-wait


      --cluster string     Cluster name you wish to assume
--dry-run Shows the resource but does not apply or create
--expire duration Expiration of the role assumption (default 8h0m0s)
--explain Shows the evalution of the assumption
-h, --help help for assume
--namespace string Namespace you wish to assume into
-p, --param strings Parameter supplied to the role

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table out (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within


  • wf - wf provides a cli for Wayfinder