Skip to main content

wf create platformaccesstoken

wf create platformaccesstoken

Creates a platform access token to access Wayfinder or workspace clusters


Creates platform-scoped access tokens to permit automated access to managed resources (API, clusters) across Wayfinder. Access tokens are exchanged upon usage for ephemeral access tokens with short-lived lifecycles.

Access tokens have no permissions on creation. To grant access, see 'assign':

For cluster access: $ wf assign accessrole --help For access to Wayfinder itself: $ wf assign wayfinderrole --help

The default output from this command is the environment variables containing the token and endpoint. These are usually copied as secrets into your chosen CI.

Generated tokens are only visible on creation and cannot be retrieved if lost. You can reset a token and get a new one, invalidating any previous ones, using the --reset-token flag to this command.

wf create platformaccesstoken <name> [flags]


# Create a platform-scoped access token (to automate all Wayfinder features)
$ wf create platformaccesstoken <name>

# Create a token and generate a Wayfinder config, with an optional description:
$ wf create platformaccesstoken <name> [options] --show-config -d "My deployment token"

# Regenerate and replace current token for an existing access token (any assigned roles are preserved):
$ wf create -w <workspace> platformaccesstoken <name> --reset-token

# Assign permissions in workspace clusters to access tokens via the assign command:
$ wf assign accessrole --platform-access-token <name> --role <role name>

# Assign permissions to use Wayfinder to access tokens via the assign wayfinderole command:
$ wf assign wayfinderrole --platform-access-token <name> --role <role name>

You can test the above via
WAYFINDER_CONFIG=<path> wf [commands]


  -d, --description string   Optional description of the access token
--dry-run Render the resource to screen rather than implement
-h, --help help for platformaccesstoken
--non-interactive Do not prompt for user input
--reset-token Reset the token if the named token already exists (default: error if already exists)
--show-config Write out a Wayfinder configuration file with access token
--show-token Show only the raw token

Options inherited from parent commands

      --debug              Debug / trace logging (default: false)
--force Force operation to happen (default: false)
--no-wait Do not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your current - to change current: wf use profile NAME
--show-headers Display headers on table out (default true)
--verbose Verbose logging (default: false)
-w, --workspace string Workspace to use