API tokens
API tokens are used to authenticate requests to the Cloudfleet API. They are designed to allow programmatic access to the Cloudfleet API and CFKE clusters. You may find API tokens useful for scripts or CI pipelines. Tokens consist of an access token ID and a secret.
Please note that API tokens are not designed for human users. Human users should use SSO to authenticate against the CLI, the CFKE control plane, or the console. API tokens are designed for machines, such as CI/CD pipelines, scripts, or other automation tools.
Depending on their permissions, API tokens give privileged access to your organization’s resources. You can create multiple API tokens, each with different permissions. For example, you can create a token that only has read access to your organization’s resources, or a token that has full access to all resources.
Token secrets are sensitive and should be treated like passwords. Keep your secrets secure and do not share them publicly. If you believe your secret has been compromised, you can revoke it at any time.
Create an API token
- Navigate to the API tokens page.
- Click the Create button.
- Enter a human-friendly name for the token.
- Select a role for the token. You can choose Administrator or User.
- Click the Save button.
- Copy the access token ID and secret. Store the secret in a secure location. You will not be able to see the token again.
You can create a token using the CLI by running the following command:
cloudfleet tokens create .name: HUMAN_FRIENDLY_NAME, .role: ROLE
Replace HUMAN_FRIENDLY_NAME with a human-friendly name for the token and ROLE with the role you want to assign to the token. You can choose between Administrator or User.
List the existing tokens
- Navigate to the API tokens page.
- You will see a list of all the tokens you have created.
cloudfleet tokens list
Regenerate the secret of a token
You can regenerate the secret of a token at any time. This will invalidate the old secret and generate a new one.
- Navigate to the API tokens page.
- Click the Regenerate button next to the token you want to rotate the secret for.
- Copy the new secret. Store the secret in a secure location. You will not be able to see the token again.
You can regenerate the secret of a token using the CLI by running the following command:
cloudfleet tokens --profile cloudfleetou regenerate 2iKo4Asy51EUx2gpJFW76t
Delete a token
- Navigate to the API tokens page.
- Click the Delete button next to the token you want to delete.
- Confirm the deletion.
cloudfleet tokens --profile cloudfleetou delete TOKEN_ID
Configure the CLI to use a token
You can add a new profile to the CLI configuration to use a token by running the following command:
cloudfleet auth add-profile token PROFILE_NAME ORGANIZATION_ID TOKEN_ID TOKEN_SECRET
Replace PROFILE_NAME with a name for the profile, ORGANIZATION_ID with the ID of the organization you want to use the token for, TOKEN_ID with the access token ID, and TOKEN_SECRET with the secret of the token.
Alternatively, you can use environment variables to authenticate without creating a profile. The CLI automatically recognizes the following environment variables:
export CLOUDFLEET_ORGANIZATION_ID=your-organization-id
export CLOUDFLEET_ACCESS_TOKEN_ID=your-token-id
export CLOUDFLEET_ACCESS_TOKEN_SECRET=your-token-secret
This approach is particularly useful for CI/CD pipelines, scripts, and other automated workflows where you want to avoid storing credentials in configuration files.
Use API tokens to access CFKE clusters
If you run the cloudfleet clusters kubeconfig command with a profile that uses a token, the token is used to authenticate against the CFKE cluster. As with regular user accounts, the role of the token determines the permissions the token has in the cluster. When you create a user and grant them the Administrator or User role on Cloudfleet, this is translated in Kubernetes to the cluster-admin and view roles respectively. (See User management for more information on user and token roles.)
API tokens are translated into Kubernetes users by prefixing the token ID with service-account- and converting it to lowercase. For example, an API token with ID nFYyVdtg8K1aDujwk3YFh1 is translated in the cluster to the user service-account-nfyyvdtg8k1adujwk3yfh1.
To grant additional permissions to a token in Kubernetes RBAC, you can create a RoleBinding or ClusterRoleBinding for the token. For example, to grant a token with ID nFYyVdtg8K1aDujwk3YFh1 the cluster-admin role in the your-namespace namespace, you can create a RoleBinding like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-admin-binding
  namespace: your-namespace
subjects:
- kind: User
  name: service-account-nfyyvdtg8k1adujwk3yfh1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Please see the Kubernetes RBAC documentation for more information on how to manage permissions in Kubernetes.
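The token-to-user mapping and RoleBinding described above can be scripted so that each token gets a namespace-scoped binding to a narrower built-in ClusterRole (such as view or edit) instead of cluster-admin. This is an added example, not Cloudfleet code: the function names are hypothetical, and it assumes token IDs are purely alphanumeric, like the IDs shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not Cloudfleet code); function names are hypothetical.

# Map an API token ID to its Kubernetes user name:
# "service-account-" + lowercase(token ID), as described above.
cfke_k8s_user() {
  local id="$1"
  # Assumption: token IDs are purely alphanumeric, like the IDs on this page.
  case $id in
    ''|*[!A-Za-z0-9]*) echo "invalid token ID" >&2; return 1 ;;
  esac
  printf 'service-account-%s\n' "$(printf '%s' "$id" | tr '[:upper:]' '[:lower:]')"
}

# Succeeds if $1 is a lowercase DNS label (the form of a namespace name).
is_dns_label() {
  local LC_ALL=C   # keep a-z strictly ASCII regardless of the caller's locale
  case $1 in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Print a RoleBinding granting CLUSTERROLE to the token inside NAMESPACE only.
cfke_rolebinding() {
  local user ns="$2" role="$3"
  user=$(cfke_k8s_user "$1") || return 1
  # Reject values (e.g. from CI variables) that could alter the YAML below.
  is_dns_label "$ns"   || { echo "invalid namespace" >&2; return 1; }
  is_dns_label "$role" || { echo "invalid role name" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-${user}
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply and verify (needs cluster access, so not run here):
#   cfke_rolebinding nFYyVdtg8K1aDujwk3YFh1 your-namespace edit | kubectl apply -f -
#   kubectl auth can-i list pods -n your-namespace --as=service-account-nfyyvdtg8k1adujwk3yfh1
```

The helper deliberately accepts only role names that are plain lowercase DNS labels, which covers the built-in view, edit, admin and cluster-admin ClusterRoles.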