Version: 1.3

wf create robot

Creates a robot token use to access wayfinder or workspace clusters

Synopsis

Used to create robot tokens to permit robot access to managed resources (API, clusters). Robot tokens in Wayfinder are exchanged for ephemeral access tokens with short-lived lifecycles.

Note, robot tokens alone have no permissions. To grant access, see:

$ wf assign role --help

The default output from this command is the environment variables containing the token, endpoint and workspace. These are usually copied as secrets into your chosen CI.

Generated tokens are purposely a one-time operation and cannot be retrieved afterwards. In order to get a new token you must re-generate (invalidating any previous tokens) - see (wf create robot-token --help)

Robot tokens for application deployment purposes may take advantage of a native profiling mode. For a short amount of time the robot may access the cluster and its usage pattern is used to devise a policy. Note, this does not invalidate any security policies in place and the scope of permissions will not leave the namespace. It does however ensure all permissions are the closest possible to "least privilege".

wf create robot <name> [flags]

Examples

# Create a robot
$ wf create robot <name>

# Create a robot token and generate a Wayfinder config
$ wf create robot <name> [options] --show-config -d "My deployment token"

# Regenerate and replace current robot token
$ wf create robot-token <name>

# Assign permissions to robots via the assign command
$ wf assign role --help

# View all policies assigned to the robot
$ wf get policy --robot <robot name>

# Create a robot token and associates a policy which allows the robot to
# be profiled and learn the permissions it needs from actual usage. Note,
# profiled tokens are enabled for 1 hour after which time the policy is frozen.
$ wf create robot <name> --learning --cluster <name> --namespace <name>

# Enable or put the robot token into a learning mode. You can then
# use the token in CI. The token is unable to violate any security policies
# in the workspace but will learn the permissions as required
$ wf enable robot learning <name>

You can test the above via
WAYFINDER_CONFIG=<path> wf [commands]

Options

      --cluster string       Cluster name you wish to scope the learning robot to
  -d, --description string   Description of the robot
      --dry-run              Render the resource to screen rather than implement
  -h, --help                 help for robot
      --learning             Indicates the token learns the permissions from usage
      --namespace string     Namespace you wish to scope the learning robot to
      --non-interactive      Do not prompt for user input
      --show-config          Write out a Wayfinder configuration file with robot
      --show-token           Show only the raw token

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
      --force              Used to force an operation to happen (default: false)
      --no-wait            Indicates we should not wait for resources to provision
  -o, --output string      Output format of the resource (json,yaml,table,template) (default "table")
      --profile string     Use a profile other than your default for this command
      --show-headers       Indicates we should display headers on table out (default true)
      --verbose            Enables verbose logging for debugging purposes (default: false)
  -w, --workspace string   The workspace you are operating within

wf create robot​

Synopsis​

Examples​

Options​

Options inherited from parent commands​

SEE ALSO​

wf create robot

Synopsis

Examples

Options

Options inherited from parent commands

SEE ALSO