How do I create a Workspace Access Token?
Prerequisites
What are Workspace Access Tokens?
Wayfinder's Workspace Access Tokens provide a set of access permissions for your CI/CD pipelines to access your cloud resources. The granted permissions are isolated to the application's workload for the stated workspace and environment.
CLI commands
Creating a workspace access token is a two-step process:
- Create the token
- Assign access roles that'll give the token access to clusters and namespaces in your workspace.
Here's the details:
FORMAT to create the token:
wf create workspaceaccesstoken TOKEN-NAME
EXAMPLE
wf create workspaceaccesstoken wf-app1deploy
EXPLANATION
In the above example you've created a workspace access token called app1-token.
FORMAT to assign an access role (i.e. permissions to access a cluster/namespace) to an access token.
wf assign accessrole --workspace-access-token TOKEN-NAME --role ROLENAME --cluster CLUSTERNAME --namespace NAMESPACE
EXAMPLE
wf assign accessrole --workspace-access-token wf-app1deploy --role cluster.deployment-readonly --cluster aks-2eqk9
wf assign accessrole --workspace-access-token wf-app1deploy --role cluster.deployment --cluster aks-2eqk9
wf assign accessrole --workspace-access-token wf-app1deploy --role namespace.deployment --cluster aks-2eqk9 --namespace app1-demo1
EXPLANATION
In the above example you've granted wf-app1deploy token with cluster/namespace access role permissions as follow:
- cluster.deployment-readonly: Cluster-wide read access to resources required for namespace deployments using access tokens
- cluster.deployment: Provision standard resources for access token deployments to any namespace in a cluster
- namespace.deployment: Provisioning standard resources to a namespace for access token deployments
FORMAT to assign Wayfinder role to an access token, giving access to Wayfinder itself.
wf assign wayfinderrole --workspace-access-token TOKEN-NAME --role ROLENAME
EXAMPLE
wf assign wayfinderrole --workspace-access-token wf-app1deploy --role workspace.appdeployer
wf assign wayfinderrole --workspace-access-token wf-app1deploy --role workspace.appmanager
EXPLANATION
In the above example you've granted wf-app1deploy wayfinder role access permissions as follow:
- workspace.appdeployer: Deploy applications via Wayfinder
- workspace.appmanager: Create, update and delete applications and their environments
Web Interface Instructions
Screenshots
Create a Workspace Access Token for CI/CD pipeline
View Wayfinder variables and their values
Steps
- Expand Workspaces > Your-Workspace-Name, and then navigate to Settings
- Select the Access Token's tab
- Click the + Access Token button
- Provide the name for the workspace access token e.g.,
wf-app1deploy - Provide a description
- Under Assign Wayfinder Roles tick:
- workspace.appdeployer
- workspace.appmanager
The above roles grants the workspace access token permissions to create ephemeral application environments and deploy to them on the PR preview cluster.
- Click the Save button
- Copy the values for WAYFINDER_TOKEN, WAYFINDER_WORKSPACE and WAYFINDER_SERVER
- Under Cluster Roles create:
- cluster.deployment-readonly
- cluster.deployment
- namespace.deployment
Take note of the variables (WAYFINDER_TOKEN, WAYFINDER_WORKSPACE and WAYFINDER_SERVER) and their corresponding values. You will need it for your GitHub workflow variables.