wf assume

Escalates your privileges for a short period of time

Synopsis

By default, users are not assigned long-lived permissions to clusters. Instead, they can assume permissions by requesting access to a role (a set of permissions) against a cluster or namespace.

Assuming they meet the constraints defined in the access policies, their permissions will be elevated for a period of time.

Use wf kubeconfig after assuming to get access for kubectl or other Kubernetes-config compatible tools such as Helm.

Use wf access cluster|namespace|appenv as a shortcut for wf assume plus wf kubeconfig.

wf assume [flags]

Examples


# Assume namespace admin in a cluster
$ wf assume namespace.admin

# You can skip the prompts by supplying the known parameters
$ wf assume namespace.admin --cluster <name> --namespace <namespace>

# Policies that target clusters can take a second or so to propagate,
# so the default behaviour is to always wait. This can be changed with
$ wf assume --no-wait

# Wait up to 30 seconds for the access to be granted
$ wf assume --timeout 30s

Options

      --cluster string     Cluster name you wish to assume
      --dry-run            Shows the resource but does not apply or create
      --expire duration    Expiration of the role assumption. If provided, implies --force-new. Defaults to 1hr if not provided.
      --force-new          Forces creation of a new role assumption even if an existing session is active and still valid. Automatically set if an explicit --expire is provided.
  -h, --help               help for assume
      --namespace string   Namespace you wish to assume into
      --timeout duration   Timeout for access to be granted. Defaults to 20s if not provided. (default 30s)

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
      --force              Used to force an operation to happen (default: false)
      --no-wait            Indicates we should not wait for resources to provision
  -o, --output string      Output format of the resource (json,yaml,table,template) (default "table")
      --profile string     Use a profile other than your default for this command
      --show-headers       Indicates we should display headers on table out (default true)
      --verbose            Enables verbose logging for debugging purposes (default: false)
  -w, --workspace string   The workspace you are operating within

SEE ALSO

  • wf - wf provides a cli for Wayfinder