API tokens

API tokens are used to authenticate requests to the Cloudfleet API. They are designed to allow programmatic access to the Cloudfleet API and CFKE clusters. You may find API tokens useful for scripts or CI pipelines. Tokens consist of an access token ID and a secret.

Please note that API tokens are not designed for human users. Human users should use SSO to authenticate against the CLI, the CFKE control plane or the console. API tokens are designed for machines, such as CI/CD pipelines, scripts, or other automation tools.

Depending on their permissions, API tokens give privileged access to your organization’s resources. You can create multiple API tokens, each with different permissions. For example, you can create a token that only has read access to your organization’s resources, or a token that has full access to all resources.

Token secrets are sensitive and should be treated like passwords. Keep your secrets secure and do not share them publicly. If you believe your secret has been compromised, you can revoke it at any time.

Create an API token

  1. Navigate to the API tokens page.
  2. Click the Create button.
  3. Enter a human friendly name for the token.
  4. Select a role for the token. You can choose Administrator or User.
  5. Click the Save button.
  6. Copy the access token ID and secret. Store the secret in a secure location. You will not be able to see the token again.

You can create a token using the CLI by running the following command:

cloudfleet tokens create .name: HUMAN_FRIENDLY_NAME, .role: ROLE

Replace HUMAN_FRIENDLY_NAME with a human-friendly name for the token and ROLE with the role you want to assign to the token. You can choose between Administrator or User.

List the existing tokens

  1. Navigate to the API tokens page.
  2. You will see a list of all the tokens you have created.

You can list the tokens using the CLI by running the following command:

cloudfleet tokens list

Regenerate the secret of a token

You can regenerate the secret of a token at any time. This will invalidate the old secret and generate a new one.

  1. Navigate to the API tokens page.
  2. Click the Regenerate button next to the token you want to rotate the secret for.
  3. Copy the new secret. Store the secret in a secure location. You will not be able to see the token again.

You can regenerate the secret of a token using the CLI by running the following command:

cloudfleet tokens --profile cloudfleetou regenerate 2iKo4Asy51EUx2gpJFW76t

Delete a token

  1. Navigate to the API tokens page.
  2. Click the Delete button next to the token you want to delete.
  3. Confirm the deletion.

You can delete a token using the CLI by running the following command:

cloudfleet tokens --profile cloudfleetou delete TOKEN_ID

Configure the CLI to use a token

You can add a new profile to the CLI configuration to use a token by running the following command:

cloudfleet auth add-profile token PROFILE_NAME ORGANIZATION_ID TOKEN_ID TOKEN_SECRET

Replace PROFILE_NAME with a name for the profile, ORGANIZATION_ID with the ID of the organization you want to use the token for, TOKEN_ID with the access token ID, and TOKEN_SECRET with the secret of the token.

Use API tokens to access CFKE clusters

If you use the cloudfleet clusters kubeconfig command with a profile that uses a token, the token is used to authenticate against the CFKE cluster. As with regular user accounts, the role of the token determines the permissions the token has in the cluster. When you create a user and grant them the Administrator or User role on Cloudfleet, this is translated in Kubernetes to the cluster-admin and view roles respectively. (See User management for more information on user and token roles.)

API tokens are translated into Kubernetes users by prefixing the token ID with service-account- and converting it to lowercase. For example, an API token with ID nFYyVdtg8K1aDujwk3YFh1 appears in the cluster as the user service-account-nfyyvdtg8k1adujwk3yfh1.

To grant additional permissions to a token in the Kubernetes RBAC, you can create a RoleBinding or ClusterRoleBinding for the token. For example, to grant a token with ID nFYyVdtg8K1aDujwk3YFh1 the cluster-admin role in the your-namespace namespace, you can create a RoleBinding like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
    name: cluster-admin-binding
    namespace: your-namespace
subjects:
    - kind: User
      name: service-account-nfyyvdtg8k1adujwk3yfh1
      apiGroup: rbac.authorization.k8s.io
roleRef:
    kind: ClusterRole
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io

Please see the Kubernetes RBAC documentation for more information on how to manage permissions in Kubernetes.
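
To review which extra RBAC grants a token holds beyond its Cloudfleet role, you can match binding subjects against the user name derived from the token ID. The following is an added example, not Cloudfleet's own code; the function names, the sample bindings and the token ID ExampleTokenId0000000A are constructed for illustration.

```python
import json

PREFIX = "service-account-"  # prefix stated on this page


def k8s_user_for_token(token_id):
    """Kubernetes user name for an API token ID: prefix + lowercased ID."""
    return PREFIX + token_id.lower()


def token_bindings(bindings_json, token_ids):
    """Return (token_id, kind, namespace, binding, role) for each binding
    whose subjects include the Kubernetes user of one of token_ids."""
    users = {k8s_user_for_token(t): t for t in token_ids}
    found = []
    for item in json.loads(bindings_json).get("items", []):
        meta, role = item["metadata"], item["roleRef"]["name"]
        for subj in item.get("subjects") or []:
            # Tokens appear as kind User; a ServiceAccount with the same
            # name is a different principal and is skipped.
            if subj.get("kind") == "User" and subj.get("name") in users:
                found.append((users[subj["name"]], item["kind"],
                              meta.get("namespace", "(cluster-wide)"),
                              meta["name"], role))
    return found


def _binding(kind, name, ns, subj_kind, subj_name, role):
    """Build one constructed binding object for the sample below."""
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "subjects": [{"kind": subj_kind, "name": subj_name}],
            "roleRef": {"kind": "ClusterRole", "name": role}}


# Constructed sample in the shape kubectl prints for
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    _binding("RoleBinding", "cluster-admin-binding", "your-namespace",
             "User", "service-account-nfyyvdtg8k1adujwk3yfh1", "cluster-admin"),
    _binding("ClusterRoleBinding", "ci-view", None,
             "User", "service-account-exampletokenid0000000a", "view"),
    _binding("RoleBinding", "builder", "ci",
             "ServiceAccount", "service-account-nfyyvdtg8k1adujwk3yfh1", "edit"),
]})

if __name__ == "__main__":
    for row in token_bindings(SAMPLE, ["nFYyVdtg8K1aDujwk3YFh1"]):
        print(*row)
```

A RoleBinding that references the cluster-admin ClusterRole, as in the manifest above, grants those permissions only inside the binding's namespace; a ClusterRoleBinding grants them cluster-wide.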