Admin Tokens

Though users interact with strongDM by logging into their account and connecting to datasources and servers, this workflow isn’t useful for more automated functionality like log exports or automated provisioning/deprovisioning. That’s why you can create admin tokens to provide tokenized account access for fully automated strongDM use. This guide describes setting up and using admin tokens. To create an admin token, you’ll need to have admin access to the strongDM web UI.

Admin tokens are for administrative tasks, including:

Note: If you’re looking for service account, relay, or gateway tokens, check out the Service Account Guide, the Relay Guide, or the Gateway Guide respectively.

Setting up an admin token

Admin tokens are created under Settings > Admin Tokens. Click add token to open the Create Admin Token page, where you choose exactly which rights the token will have and how long it will remain valid.

Create Admin Token

Give your token a name, select the appropriate options for your admin token use case, then click Create. The token will appear in a pop-up window. Copy this data now, as this is the only time the token will be visible.

Admin Token Secret

If you ever need to delete this token, you can do so from the main Settings > Admin Tokens page.

Using the admin token

Now that you have an admin token, you need to make it available in the environment where sdm will run. The process is simple:

  1. Set the environment variable SDM_ADMIN_TOKEN. You can do this for the current shell by using export or make it more permanent by placing it in .bashrc or .bash_profile depending on your current distribution’s preference. You could also add this variable to the top of any shell scripts you’re planning to use SDM with.

  2. Run the sdm command; no additional authentication is needed. Try an SDM admin command that your admin token is permitted to run, to verify that the token is properly visible to SDM.

    If the output is "unavailable: Unable to contact strongDM API", then the token was not properly read by SDM.

At this point you should be able to set up your scripts or automations to use sdm commands with no further configuration needed.
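
An added example (not strongDM's own code) that wraps the two steps above for use in automation: it reads the token from an owner-only file, sets SDM_ADMIN_TOKEN for the single sdm process instead of the whole shell, and flags the "Unable to contact strongDM API" output. The function names and the token-file layout are assumptions; pass whichever sdm command your token permits.

```bash
#!/usr/bin/env bash
# Added example, not strongDM code. Function names and the token-file
# layout are assumptions; only SDM_ADMIN_TOKEN and sdm come from the guide.

# Print the token stored in file $1; refuse files readable by group/others.
load_admin_token() {
    local file="$1" mode token
    [ -f "$file" ] || { echo "token file not found: $file" >&2; return 2; }
    # GNU stat takes -c, BSD/macOS stat takes -f.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 2
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 or 400" >&2
           return 3 ;;
    esac
    token=$(tr -d '[:space:]' < "$file")   # drop trailing newline/whitespace
    [ -n "$token" ] || { echo "token file is empty: $file" >&2; return 4; }
    printf '%s' "$token"
}

# Usage: sdm_with_token TOKEN_FILE SDM_ARGS...
# Sets SDM_ADMIN_TOKEN for that one sdm process only, so the token is not
# exported to every other program started from the shell.
sdm_with_token() {
    local file="$1" token out rc=0
    shift
    token=$(load_admin_token "$file") || return $?
    out=$(SDM_ADMIN_TOKEN="$token" sdm "$@" 2>&1) || rc=$?
    printf '%s\n' "$out"
    case "$out" in
        *"Unable to contact strongDM API"*)
            echo "sdm did not read the token; check the token file" >&2
            return 5 ;;
    esac
    return "$rc"
}
```

Return code 3 means the token file is readable by more than its owner, and 5 means sdm printed the error described in step 2.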