
Access Tokens

Scope

You can create access tokens to automate deployments and other tasks in your CI system. An access token carries a set of permissions for accessing your cloud resources; the permissions are assigned via access roles. The duration of access can be static or temporary.

Access tokens can be at the workspace level or at the platform level.


CLI Quick Reference

| Instruction | CLI Command |
| --- | --- |
| Create an access token at workspace level | wf create workspaceaccesstoken TOKEN-NAME |
| Create an access token at the platform level | wf create platformaccesstoken TOKEN-NAME |
| Remove the access token at workspace or platform level | wf delete workspaceaccesstoken TOKEN-NAME, wf delete platformaccesstoken TOKEN-NAME |
| Assign an access role at workspace or platform level (to access the cluster directly) | wf assign accessrole |
| Assign the access of a particular role in Wayfinder (to access Wayfinder or a cluster via Wayfinder) | wf assign wayfinderrole |

Workspace level access tokens

Using the CLI

To regenerate an access token, use the --regenerate flag with the wf create command. If you have used the old token, for example in a CI system, you must replace all occurrences of the old token with the new one.


Using Wayfinder's web interface

Users can create an access token that applies to one or more workspaces.

  • Select Workspaces > Your-Workspace-Name, and navigate to Settings and click the Access Tokens tab
  • Select the Create Access Token button
  • Enter the details:
    • Name: Provide a name for the access token
    • Description: Provide a description for the access token
  • Assign an initial role by checking one or more of the checkboxes. Wayfinder allows for access roles to be updated after the access token has been created.
  • Click Save

After an access token has been created for a workspace, you can assign access to clusters and namespaces in that workspace.

  • Role: Select the relevant access role from the drop-down that should be granted
  • Cluster: Select the relevant cluster. If none is specified, the role access is granted on all clusters.
  • Namespace: Select the relevant namespace in the cluster. If none is specified, the role access is granted on all namespaces.

To regenerate an access token, click the Regenerate token button. If you have used the old token, for example in a CI system, you must replace all occurrences of the old token with the new one.

For help, click on the Usage button.


Users can assign access tokens at the workspace level when they create their environments.

  • Select Workspaces > Your-Workspace-Name, and navigate to Applications.
  • Select your application's name
  • Select your environment's name and click on the Access Token tab.
  • Use the slider to Enable or Disable the access token

By default, Wayfinder supplies a disabled access token at the workspace level. Once it is enabled, Wayfinder will create the access token and provide the needed permissions.

If you have not created an environment yet, then you can do so by following the instructions in the Deploy Application section.


Platform level access tokens

You may need to allow access at the platform-level for your CI integration.

Using the CLI

Wayfinder allows for access roles to be updated after the access token has been created.

To regenerate an access token, use the --regenerate flag with the wf create command. If you have used the old token, for example in a CI system, you must replace all occurrences of the old token with the new one.


Using Wayfinder's web interface

  • Click Admin, and navigate to Access > Tokens
  • Select the Create Access Token button
  • Enter the details:
    • Name: Provide a name for the access token
    • Description: Provide a description for the access token
  • Assign an initial role by checking one or more of the checkboxes. Wayfinder allows for access roles to be updated after the access token has been created.
  • Click Save

To regenerate an access token, click the Regenerate token button. If you have used the old token, for example in a CI system, you must replace all occurrences of the old token with the new one.

For help, click on the Usage button.


To download and install the Wayfinder CLI, see Get the CLI.

Use the access token to access a cluster via kubeconfig

You can exchange an access token for a short-lived access token to access a cluster. To do this, you create an access token and assign it the cluster.deployment role, use the environment variables generated for the access token in your CI system, and then run wf kubeconfig as shown below.

# Create an access token and assign it the cluster.deployment role
$ wf create workspaceaccesstoken <NAME> ..

# Or if the access token already exists you can assign a role
$ wf assign accessrole cluster.deployment --workspaceaccesstoken <NAME>

...
# Use the access token in a CI pipeline - assuming you have the WAYFINDER_TOKEN,
# WAYFINDER_SERVER and WAYFINDER_WORKSPACE environment variables set. You can download the Wayfinder CLI from
# https://docs.appvia.io/wayfinder/releases or use the Docker image quay.io/appvia-wayfinder/wftoolbox:<VERSION>.
# Provision a kubeconfig configuration file to speak to a cluster.
$ wf kubeconfig --cluster <NAME>

# Run kubectl commands as needed for the cluster
$ kubectl [commands]
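
A CI preflight for the exchange above, written as an added example (not Wayfinder's own code): it checks the three environment variables by name without ever printing their values, then runs wf kubeconfig under a restrictive umask. The helper names wf_ci_preflight and wf_ci_kubeconfig are hypothetical, and the HTTPS requirement on WAYFINDER_SERVER is an assumption of this example rather than something the page states.

```shell
#!/bin/sh
# Added example, not part of the Wayfinder CLI. Helper names are hypothetical.

# Check the variables the page says the CI job needs. Problems are reported
# by variable NAME only, so the token value never reaches the build log.
wf_ci_preflight() {
    problems=""
    for name in WAYFINDER_TOKEN WAYFINDER_SERVER WAYFINDER_WORKSPACE; do
        # $name is one of the three fixed literals above, so eval is safe here.
        eval "value=\${$name:-}"
        [ -n "$value" ] || problems="$problems $name:unset"
    done
    # Assumption: the server URL should be HTTPS so the token is not sent in cleartext.
    case "${WAYFINDER_SERVER:-}" in
        "" | https://*) ;;
        *) problems="$problems WAYFINDER_SERVER:not-https" ;;
    esac
    problems="${problems# }"
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Exchange the access token for a short-lived kubeconfig for one cluster.
wf_ci_kubeconfig() {
    cluster="${1:-}"
    if [ -z "$cluster" ]; then
        echo "usage: wf_ci_kubeconfig <cluster>" >&2
        return 2
    fi
    # Fail fast, sending the list of problem names to stderr.
    wf_ci_preflight >&2 || return 1
    # Subshell keeps the umask change local; any file newly created by wf is
    # owner-only, so other users on a shared runner cannot read the credential.
    (
        umask 077
        wf kubeconfig --cluster "$cluster"
    )
}

# Pipeline step: wf_ci_kubeconfig <NAME> && kubectl [commands]
```
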