Access Tokens
Scope
You can create access tokens to automate deployments and other tasks in your CI system. Access tokens provide a set of access permission for you to access your cloud resources and the permissions are assigned via access roles. The duration of access can be static or temporary.
Access tokens can be at the workspace level or at the platform level.
CLI Quick Reference
| Instruction | CLI Command |
|---|---|
| Create an access token at workspace level | wf create workspaceaccesstoken TOKEN-NAME |
| Create an access token at the platform level | wf create platformaccesstoken TOKEN-NAME |
| Remove the access token at workspace or platform level | wf delete workspaceaccesstoken TOKEN-NAME wf delete platformaccesstoken TOKEN-NAME |
| Assign an access role at workspace or platform level (to access the cluster directly) | wf assign accessrole |
| Assign the access of a particular role in Wayfinder (to access Wayfinder or a cluster via Wayfinder) | wf assign wayfinderrole |
Workspace level access tokens
Using the CLI
-
Create a workspace level access token:
wf create workspaceaccesstoken TOKEN-NAME -
Remove a workspace level access token:
wf delete workspaceaccesstoken TOKEN-NAME -
Assign an access role to the workspace level access token:
wf assign accessrole --workspace-access-token TOKEN-NAME --role ROLENAME
To regenerate an access token use the --regenerate flag with the wf create command. If you have used the old token, for example in a CI system, you must replace all occurences of the old token with the new one.
Using Wayfinder's web interface
Users can create an access token that applies to one or more workspaces.
- Select Workspaces > Your-Workspace-Name, and navigate to Settings and click the Access Tokens tab
- Select the Create Access Token button
- Enter the details:
- Name: Provide a name for the access token
- Description: Provide a description for the access token
- Assign an initial role by checking one or more of the checkboxes. Wayfinder allows for access roles to be updated after the access token has been created.
- Click Save
After an access token has been created for a workspace, you can assign access to clusters and namespaces in that workspace.
- Role: Select the relevant access role from the drop-down that should be granted
- Cluster: Select the relevant cluster. If non-specified, then all clusters will be granted the role access.
- Namespace: Select the relevant namespace in the cluster. If non specified, then all namespaces will be granted the role access.
To regenerate an access token, click the Regenerate token button. If you have used the old token, for example in a CI system, you must replace all occurences of the old token with the new one.
For help, click on the Usage button.
Users can assign access tokens at the workspace level when they create their environments.
- Select Workspaces > Your-Workspace-Name, and navigate to Applications.
- Select your application's name
- Select your environment's name and click on the Access Token tab.
- Use the slider to Enable or Disable the access token
By default, Wayfinder supplies a disabled access token at the workspace level. Once it is enabled, Wayfinder will create the access token and provide the needed permissions.
If you have not created an environment yet, then you can do so by following the instructions in the Deploy Application section.
Platform level access tokens
You may need to allow access at the platform-level for your CI integration.
Using the CLI
-
Create a platform level access token:
wf create platformaccesstoken TOKEN-NAME -
Delete a platform level access token:
wf delete platformaccesstoken TOKEN-NAME -
Assign an initial role that applies to all workspaces:
wf assign wayfinderrole --platform-access-token TOKEN-NAME --role ROLENAME -
Assign an initial role that applies to a specific workspaces:
Wayfinder allows for access roles to be updated after the access token has been created.
To regenerate an access token use the --regenerate flag with the wf create command. If you have used the old token, for example in a CI system, you must replace all occurences of the old token with the new one.
Using Wayfinder's web interface
- Click Admin, and navigate to Access > Tokens
- Select the Create Access Token button
- Enter the details:
- Name: Provide a name for the access token
- Description: Provide a description for the access token
- Assign an initial role by checking one or more of the checkboxes. Wayfinder allows for access roles to be updated after the access token has been created.
- Click Save
To regenerate an access token, click the Regenerate token button. If you have used the old token, for example in a CI system, you must replace all occurences of the old token with the new one.
For help, click on the Usage button.
To download and install the Wayfinder CLI, see Get the CLI.
Use the access token to access a cluster via kubeconfig
You can exchange an access token for a short-lived access token to access a cluster. To do this, you create an access token and assign it the cluster.deployment role, use the environment
variables generated for the access token in your CI system, and then run wf kubeconfig as shown below.
# Create an access token and assign it the cluster.deployment role
$ wf create workspaceaccesstoken <NAME> ..
# Or if the access token already exists you can assign a role
$ wf assign accessrole cluster.deployment --workspaceaccesstoken <NAME>
...
# Use the access token in CI pipeline - assuming you have taken the WAYFINDER_TOKEN,
# WAYFINDER_SERVER and WAYFINDER_WORKSPACE environment variables set. You can download the Wayfinder CLI from
# https://docs.appvia.io/wayfinder/releases or use docker image quay.io/wayfinder/wftoolbox:<VERSION>.
# Provision a kubeconfig configuration file to speak to a cluster.
$ wf kubeconfig --cluster <NAME>
# Run kubectl commands as needed for the cluster
$ kubectl [commands]