Skip to main content

wf assume

wf assume

Escalates your privileges for a short-lived time


By default users are not assigned long-lived permissions to clusters. Instead they can assume permissions by requesting access to a role (set of permissions) against a cluster or namespace.

Assuming they meet the constraints defined in the access policies, their permissions will be elevated for a period of time.

Use wf kubeconfig after assuming to get access for kubectl or other Kubernetes-config compatible tools such as Helm.

Use wf access cluster|namespace|appenv as a shortcut for wf assume plus wf kubeconfig.

wf assume [flags]


# Assume namespace admin in a cluster
$ wf assume namespace.admin

# You skip the prompts by supplying the known parameters
$ wf assume namespace.admin --cluster <name> --namespace <namespace>

# Policies that target clusters can take a second or so for the policy
# to propagate - the default behaviour is to always wait. This can be changed with
$ wf assume --no-wait

# Will wait for 30 seconds for the access to be granted.
$ wf assume --timeout 30s


      --cluster string     Cluster name you wish to assume
--dry-run Shows the resource but does not apply or create
--expire duration Expiration of the role assumption. If provided, implies --force-new. Defaults to 1hr if not provided.
--force-new Forces creation of a new role assumption even if an existing session is active and still valid. Automatically set if an explicit --expire is provided.
-h, --help help for assume
--namespace string Namespace you wish to assume into
--timeout duration Timeout for access to be granted. Defaults to 20s if not provided. (default 30s)

Options inherited from parent commands

      --debug              Debug / trace logging (default: false)
--force Force operation to happen (default: false)
--no-wait Do not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your current - to change current: wf use profile NAME
--show-headers Display headers on table out (default true)
--verbose Verbose logging (default: false)
-w, --workspace string Workspace to use


  • wf - CLI interface for Wayfinder