Skip to main content

wf assign accessrole

wf assign accessrole

Allows you to assign an access role (i.e. permissions to access a cluster/namespace) to an access token


Assigning an access role provides an access token with the right to access a cluster (or specific namespace). Workspace members can assign access roles subject to the access policies that the workspace owner (or Wayfinder administrators) have set up.

A typical example would be to create a workspace access token then assign deployment roles to it to permit deploying an application into a namespace of a cluster in the workspace.

If you wish to grant permissions for an access token to Wayfinder, rather than a cluster, see $ wf assign wayfinderrole --help

wf assign accessrole [flags]


# View all the roles that are available to assign. Use -o yaml to view the details of a role:
$ wf get accessroles

# Create a workspace-scoped access token and assign roles to permit deployment to a cluster
# namespace:
$ wf use workspace app1
$ wf create workspaceaccesstoken ci
# Assign cluster.deployment-readonly to grant cluster-wide read-only permissions needed for common deployment
# tasks like listing all namespaces:
$ wf assign accessrole --workspace-access-token ci --role cluster.deployment-readonly --cluster <cluster>
# Assign namespace.deployment to grant wider write access to the specific namespace for deployment:
$ wf assign accessrole --workspace-access-token ci --role namespace.deployment --cluster <cluster> --namespace <namespace>

# Assign roles to a global access token - note that the roles are still workspace-specific, so you
# must specify the workspace in which to assign the roles even for a platform token:
$ wf create platformaccesstoken ci-global
$ wf assign --platform-access-token ci-global --role cluster.deployment-readonly -w app1 --cluster <cluster>
$ wf assign --platform-access-token ci-global --role namespace.deployment -w app1 \
--cluster <cluster> --namespace <namespace>


      --cluster string                  Name of the cluster to grant access to
--dry-run Render the resource to screen rather than implement
-h, --help help for accessrole
--namespace string Namespace in the cluster to grant access to, for namespace-scoped roles
--namespaceclaim string Name of a namespace claim to determine the cluster and namespace from, for namespace-scoped roles
--non-interactive Do not prompt for user input
--platform-access-token string Platform-scoped access token to assign a role to (must specify one of --workspace-access-token OR --platform-access-token)
--role string Name of the access role to assign
--workspace-access-token string Workspace-scoped access token to assign a role to (must specify one of --workspace-access-token OR --platform-access-token)

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table out (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within


  • wf assign - Assign allows you to assign access roles (for cluster access) or wayfinder roles (for access to Wayfinder itself) to access tokens
  • wf assign accessrole wayfinderrole - Assigns a Wayfinder role to an access token, giving access to Wayfinder itself