Skip to main content
Version: 1.5

wf create robot

wf create robot

Creates a robot token use to access wayfinder or workspace clusters


Used to create robot tokens to permit robot access to managed resources (API, clusters). Robot tokens in Wayfinder are exchanged for ephemeral access tokens with short-lived lifecycles.

Note, robot tokens alone have no permissions. To grant access, see:

$ wf assign role --help

The default output from this command is the environment variables containing the token, endpoint and workspace. These are usually copied as secrets into your chosen CI.

Generated tokens are purposely a one-time operation and cannot be retrieved afterwards. In order to get a new token you must re-generate (invalidating any previous tokens) - see (wf create robot-token --help)

Robot tokens for application deployment purposes may take advantage of a native profiling mode. For a short amount of time the robot may access the cluster and its usage pattern is used to devise a policy. Note, this does not invalidate any security policies in place and the scope of permissions will not leave the namespace. It does however ensure all permissions are the closest possible to "least privilege".

wf create robot <name> [flags]


# Create a robot
$ wf create robot <name>

# Create a robot token and generate a Wayfinder config
$ wf create robot <name> [options] --show-config -d "My deployment token"

# Regenerate and replace current robot token
$ wf create robot-token <name>

# Assign permissions to robots via the assign command
$ wf assign role --help

# View all policies assigned to the robot
$ wf get policy --robot <robot name>

# Create a robot token and associates a policy which allows the robot to
# be profiled and learn the permissions it needs from actual usage. Note,
# profiled tokens are enabled for 1 hour after which time the policy is frozen.
$ wf create robot <name> --learning --cluster <name> --namespace <name>

# Enable or put the robot token into a learning mode. You can then
# use the token in CI. The token is unable to violate any security policies
# in the workspace but will learn the permissions as required
$ wf enable robot learning <name>

You can test the above via
WAYFINDER_CONFIG=<path> wf [commands]


      --cluster string       Cluster name you wish to scope the learning robot to
-d, --description string Description of the robot
--dry-run Render the resource to screen rather than implement
-h, --help help for robot
--learning Indicates the token learns the permissions from usage
--namespace string Namespace you wish to scope the learning robot to
--non-interactive Do not prompt for user input
--show-config Write out a Wayfinder configuration file with robot
--show-token Show only the raw token

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table out (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within