public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-04-14 10:25:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
rancher-docs/versioned_docs/version-2.13/api/workflows/tokens.md
Billy Tat 24fc5a657c Merge release v2.13.0 to main (#2091) 
* Sync main to v2.13.0 (#2065)

* It's bad form to ask users to pass something they just curled from the internet directly to sh

Updated the instructions for uninstalling the rancher-system-agent to use a temporary script file instead of piping directly to sh.

* doc(rancher-security): improve structure and content to latest, v2.13-preview and v2.12 (#2024)

- add Rancher Kubernetes Distributions (K3s/RKE2) Self-Assessment and Hardening Guide section
- add kubernetes cluster security best practices link to rancher-security section
- add k3s-selinux and update selinux-rpm details
- remove rhel/centos 7 support

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>

* Updating across supported versions and translations.

Signed-off-by: Sunil Singh <sunil.singh@suse.com>

---------

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>
Signed-off-by: Sunil Singh <sunil.singh@suse.com>
Co-authored-by: Tejeev <tj@rancher.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Sunil Singh <sunil.singh@suse.com>

* Update roletemplate aggregation doc and version information

* Add versioned docs

* Remove ext token and kubeconfig feature flag sections and document bearer Token

* Update corresponding v2.13 pages

* update doc for pni in gke

* Adding reverted session idle information from PR 1653

Signed-off-by: Sunil Singh <sunil.singh@suse.com>

* [2.13.0] Add versions table entry

* [2.13.0] Add webhook version

* [2.13.0] Add CSP Adapter version

* [2.13.0] Add deprecated feature table entry

* [2.13.0] Update CNI popularity stats

* Update GKE Cluster Configuration for Project Network Isolation instructions

* Fix link and port to 2.13

* [2.13.0] Add Swagger JSON

* [v2.13.0] Add info about Azure AD Roles claims (#2079)

* Add info about Azure AD roles claims compatibility

* Apply suggestions from code review

Co-authored-by: Sunil Singh <sunil.singh@suse.com>

* Add suggestions to v2.13

---------

Co-authored-by: Sunil Singh <sunil.singh@suse.com>

* [2.13.0] Remove preview designation

* user public api docs (#2069)

* user public api docs

* Apply suggestions from code review

Co-authored-by: Andreas Kupries <akupries@suse.com>

* Apply suggestions from code review

Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com>

* explain plaintext is never stored

* add users 2.13 versioned docs

* remove extra ```

* Apply suggestions from code review

Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com>

* add space before code block

---------

Co-authored-by: Andreas Kupries <akupries@suse.com>
Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com>
Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com>

* support IPv6 (#2041)

* [v2.13.0] Add Configure GitHub App page (#2081)

* Add Configure GitHub App page

* Apply suggestions from code review

Co-authored-by: Billy Tat <btat@suse.com>

* Fix header/GH URL & add suggestions to v2.13

* Apply suggestions from code review

Co-authored-by: Petr Kovar <pknbe@volny.cz>

* Apply suggestions from code review to v2.13

* Add note describing why to use Installation ID

* Apply suggestions from code review

Co-authored-by: Billy Tat <btat@suse.com>

---------

Co-authored-by: Billy Tat <btat@suse.com>
Co-authored-by: Petr Kovar <pknbe@volny.cz>

* [v2.13.0] Add info about Generic OIDC Custom Mapping (#2080)

* Add info about Generic OIDC Custom Mapping

* Apply suggestions from code review

Co-authored-by: Sunil Singh <sunil.singh@suse.com>
Co-authored-by: Billy Tat <btat@suse.com>

* Apply suggestions from code review

Co-authored-by: Sunil Singh <sunil.singh@suse.com>
Co-authored-by: Billy Tat <btat@suse.com>

* Add suggestions to v2.13

* Remove repetitive statement in intro

* Move Prereq intro/note to appropriate section

* Fix formatting, UI typo, add Custom Claims section under Configuration Reference section

* Add section about how a custom groups claim works / note about search limitations for groups in RBAC

---------

Co-authored-by: Sunil Singh <sunil.singh@suse.com>
Co-authored-by: Billy Tat <btat@suse.com>

* [v2.13.0] Add info about OIDC SLO support (#2086)

* Add shared file covering OIDC SLO support to OIDC auth pages

* Ad How to get the End Session Endpoint steps

* Add generic curl exampleto retrieve end_session_endpoint

* [2.13.0] Bump release date

---------

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>
Signed-off-by: Sunil Singh <sunil.singh@suse.com>
Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com>
Co-authored-by: Tejeev <tj@rancher.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Sunil Singh <sunil.singh@suse.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
Co-authored-by: Petr Kovar <petr.kovar@suse.com>
Co-authored-by: Krunal Hingu <krunal.hingu222@gmail.com>
Co-authored-by: Raul Cabello Martin <raul.cabello@suse.com>
Co-authored-by: Andreas Kupries <akupries@suse.com>
Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com>
Co-authored-by: Jack Luo <jiaqi.luo@suse.com>
Co-authored-by: Petr Kovar <pknbe@volny.cz>
2025-11-25 10:51:39 -08:00

4.0 KiB
Raw Permalink Blame History

title
title
Tokens
<head> </head>

Token Resource

Rancher has an imperative API resource tokens.ext.cattle.io that allows you to generate tokens for authenticating with Rancher.

kubectl api-resources --api-group=ext.cattle.io

To get a description of the fields and structure of the Token resource, run:

kubectl explain tokens.ext.cattle.io

Creating a Token

:::caution The Token value is only returned once in the status.value field. :::

Since Rancher v2.13.0 the status.bearerToken now contains a fully formed and ready-to-use Bearer token that can be used to authenticate to Rancher API.

Only a valid and active Rancher user can create a Token. Otherwise, you will get an error displayed (Error from server (Forbidden)...) when attempting to create a Token.

kubectl create -o jsonpath='{.status.value}' -f -<<EOF
apiVersion: ext.cattle.io/v1
kind: Token
EOF
Error from server (Forbidden): error when creating "STDIN": tokens.ext.cattle.io is forbidden: user system:admin is not a Rancher user

A Token is always created for the user making the request. Attempting to create a Token for a different user, by specifying a different spec.userID, is forbidden and will fail.

  • The spec.description field can be set to an arbitrary human-readable description of the Token's purpose. The default value is empty.

  • The spec.kind field can be set to the kind of Token. The value session indicates a login Token. All other values, including the default empty string, indicate a kind of derived Token.

  • The metadata.name and metadata.generateName fields are ignored, and the name of the new Token is automatically generated using the prefix token-.

    kubectl create -o jsonpath='{.status.value}' -f -<<EOF
apiVersion: ext.cattle.io/v1
kind: Token
spec:
  description: My Token
EOF

  • If the spec.ttl is not specified, the Token is created with the expiration time defined in the auth-token-max-ttl-minutes setting. The default expiration time is 90 days. If spec.ttl is specified, it should be greater than 0 and less than or equal to the value of the auth-token-max-ttl-minutes setting expressed in milliseconds.

    kubectl create -o jsonpath='{.status.value}' -f -<<EOF
apiVersion: ext.cattle.io/v1
kind: Token
spec:
  ttl: 7200000 # 2 hours
EOF

Listing Tokens

Listing previously generated Tokens can help clean up tokens that are no longer needed (e.g., they were issued temporarily). Admins can list all Tokens, while regular users can only see their own.

kubectl get tokens.ext.cattle.io
NAME          KIND   TTL   AGE
token-chjc9          90d   18s
token-6fzgj          90d   16s
token-8nbrm          90d   14s

Use -o wide to get more details:

kubectl get tokens.ext.cattle.io -o wide
NAME          USER         KIND   TTL   AGE   DESCRIPTION
token-chjc9   user-jtghh          90d   24s   example
token-6fzgj   user-jtghh          90d   22s   box
token-8nbrm   user-jtghh          90d   20s   jinx

Viewing a Token

Admins can get any Token, while regular users can only get their own.

kubectl get tokens.ext.cattle.io token-chjc9
NAME          KIND   TTL   AGE
token-chjc9          90d   18s

Use -o wide to get more details:

kubectl get tokens.ext.cattle.io token-chjc9 -o wide
NAME          USER         KIND   TTL   AGE   DESCRIPTION
token-chjc9   user-jtghh          90d   24s   example

Deleting a Token

Admins can delete any Token, while regular users can only delete their own.

kubectl delete tokens.ext.cattle.io token-chjc9
token.ext.cattle.io "token-chjc9" deleted

Updating a Token

Only the metadata fields spec.description, spec.ttl, and spec.enabled can be updated. All other spec fields are immutable. Admins can extend the spec.ttl field, while regular users can only reduce the value.

An example kubectl command to edit a Token:

kubectl edit tokens.ext.cattle.io token-zp786
Reference in New Issue View Git Blame Copy Permalink