Manage users and credentials

Login and credentials

The login command allows you to log in to a server running in server mode. All users you create within the system have full access to all resources, secrets, and services that the server provides.

First time login

When you run the server for the first time, the system creates a temporary admin account with a temporary password of admin.

Run the following command from the gateway client and enter admin as the password:

$ iagctl login admin

The system then prompts you to enter a new password. Follow the remaining prompts to confirm your password and complete your first login.

Admin login process

To create the admin login:

  1. Start the gateway server
  2. The system creates the temporary admin user and password
  3. Log in with the temporary admin user and password
  4. Change password
  5. Authenticate to gateway server
  6. The server generates an API key that is passed in gRPC calls

User login with temporary password

For a user account created with the --temp-password flag, the first login proceeds as follows:

  1. The user logs in with the temporary password
  2. The system prompts the user to change the password (required)
  3. The user changes the password
  4. The user authenticates to the gateway server
  5. The server generates an API key that is passed in gRPC calls

Standard login process

Once a user changes their temporary password, their login process resembles the following:

  1. The user logs in with their password
  2. The user authenticates to the gateway server
  3. The server generates an API key that is passed in gRPC calls

Reset admin password

Resetting the admin password requires access to the server instance to perform the reset action.

To reset the password, run:

$ iagctl server --recover-admin-user

This command prompts you to enter a new password for the admin user, replacing the one already set.

Manage users

Create a user account

The create user command creates a new user.

$ iagctl users create <username> [flags]

When creating a user account for another user, use the --temp-password flag. This requires the user to change their password the first time they log in to the server.

All users within the system are power users, so ensure that any users you create are trusted.

View users

The get users command displays a list of all users stored within the database.

$ iagctl users get [flags]

View user details

The describe user command displays all information about a specific user in the database. It shows when the user was created as well as when they last logged in. A login event occurs when the user successfully runs the login command from an iagctl client against the gateway server.

$ iagctl users describe <username> [flags]

Delete user

The delete user command deletes a user from the database. You cannot undo deletion operations. When you delete a user, the system removes all API keys associated with that user and denies further access.

$ iagctl users delete <username> [flags]
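The following is an added example, not iagctl's own code, that models the credential lifecycle described on this page: the temporary admin account that must change its password on first login, users created with a temporary password who are refused an API key until they change it, the standard login that issues an API key on each successful login, and deletion of a user, which removes every API key tied to that user. The class and method names (Gateway, login, delete_user, recover_admin) are assumptions chosen for the model; the password hashing, the counter used in place of a real clock, and the sample user are all constructed for the example.

```python
"""Toy model of the iagctl login flows (added example; not the project's code)."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool        # set by --temp-password and for the initial admin
    created: int
    api_keys: Set[str] = field(default_factory=set)
    last_login: Optional[int] = None  # constructed counter, not a wall-clock time


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is used here only so the model never stores plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gateway:
    """Hypothetical stand-in for the gateway server's user database."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self._clock = 0
        # First start: the server creates a temporary admin whose password is "admin".
        self.create_user("admin", "admin", temp_password=True)

    def _tick(self) -> int:
        self._clock += 1
        return self._clock

    def create_user(self, name: str, password: str, temp_password: bool = False) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash(password, salt), temp_password, self._tick())

    def login(self, name: str, password: str, new_password: Optional[str] = None) -> str:
        """Authenticate and return a fresh API key; raise if login cannot complete."""
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(_hash(password, user.salt), user.pw_hash):
            raise PermissionError("invalid credentials")
        if user.must_change_password:
            # A temporary password is only good for setting a new one: no key is issued
            # until the change has happened, and the new password must differ.
            if new_password is None or new_password == password:
                raise ValueError("password change required before an API key is issued")
            user.salt = os.urandom(16)
            user.pw_hash = _hash(new_password, user.salt)
            user.must_change_password = False
        user.last_login = self._tick()
        key = secrets.token_hex(32)   # the key later passed in gRPC calls
        user.api_keys.add(key)
        return key

    def authorize(self, api_key: str) -> Optional[str]:
        """Map an API key back to its user, or None if it is unknown or revoked."""
        for user in self.users.values():
            if api_key in user.api_keys:
                return user.name
        return None

    def describe(self, name: str) -> Dict[str, object]:
        user = self.users[name]
        return {"created": user.created, "last_login": user.last_login,
                "must_change_password": user.must_change_password}

    def delete_user(self, name: str) -> None:
        # Deletion is not undoable and takes every key for that user with it.
        user = self.users.pop(name)
        user.api_keys.clear()

    def recover_admin(self, new_password: str) -> None:
        """Model of --recover-admin-user: requires server-side access, not an API key."""
        admin = self.users["admin"]
        admin.salt = os.urandom(16)
        admin.pw_hash = _hash(new_password, admin.salt)
        admin.must_change_password = False


if __name__ == "__main__":
    gw = Gateway()
    key = gw.login("admin", "admin", new_password="first-real-admin-pw")  # constructed value
    print("admin key accepted:", gw.authorize(key) == "admin")
```

Running the block walks the first admin login; the checks below also confirm that a temporary password alone never yields a key, that the old password stops working once changed, and that deleting a user invalidates keys it had already been issued.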