Portworx Documentation has moved to https://docs.portworx.com
Portworx Enterprise version 2.13 has reached end of life and end of extended maintenance.
Upgrade to the latest version of Portworx Enterprise for continued support.

Generate tokens


With Portworx, you can use the pxctl command-line tool to generate a token. Run the following command to access the built-in help and see the available flags:

pxctl auth token generate --help
Generate a self signed token based on a specified configuration yaml. The configuration defines your identity, roles, and groups to be used when generating a token.
e.g.
     name: Jim Stevens
     sub: jstevens@portworx.com/jstevens
     email: jstevens@portworx.com
     roles: ["system.user"]
     groups: ["px-engineering", "kubernetes-csi"]

Usage:
  pxctl auth token generate [flags]

Examples:
pxctl auth token generate --auth-config=<authconfig.yaml> --issuer <issuer> --ecdsa-private-keyfile <ecdsa key file> OR --rsa-private-keyfile <rsa key file> OR --shared-secret <secret>

Flags:
      --auth-config string             (Required) Auth account information file providing email, name, etc.
      --ecdsa-private-keyfile string   ECDSA Private file to sign token
  -h, --help                           help for generate
      --issuer string                  (Required) Issuer name of token. Do not use https:// in the issuer since it could indicate that this is an OpenID Connect issuer.
      --output string                  Output token to file instead of standard out
      --rsa-private-keyfile string     RSA Private file to sign token
      --shared-secret string           Shared secret to sign token
      --token-duration string          Duration of time where the token will be valid. Postfix the duration by using s for seconds, m for minutes, h for hours, d for days, and y for years. (default "1d")

Global Flags:
      --ca string            path to root certificate for ssl usage
      --cert string          path to client certificate for ssl usage
      --color                output with color coding
      --config string        config file (default is $HOME/.pxctl.yaml)
      --context string       context name that overrides the current auth context
  -j, --json                 output in json
      --key string           path to client key for ssl usage
      --output-type string   use "wide" to show more details
      --raw                  raw CLI output for instrumentation
      --ssl                  ssl enabled for portworx

The pxctl command-line tool can sign a generated token with any one of the following:

  • an ECDSA private key
  • an RSA private key
  • a shared secret

For example, to generate a token signed with a shared secret, specify these flags:

  • --auth-config with the path to the file providing account information
  • --shared-secret with a string representing your shared secret
  • --issuer with the name of the issuer
  • --output with the name of the file to write the token to

The following example writes an account information file and generates a token from it:

echo "name: Example User
email: user@example.com
sub: user@example.com/username
roles: [\"system.user\"]
groups: [\"*\"]" > authconfig.yaml

pxctl auth token generate --auth-config=authconfig.yaml --issuer my_issuer \
    --shared-secret my_shared_secret \
    --output self-signed-token.txt
Token written to output file: self-signed-token.txt

Use the cat command to view the content of the self-signed-token.txt file:

cat self-signed-token.txt
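
To check a generated token before distributing it, the following added example (not part of the Portworx documentation or of pxctl) decodes the token and verifies it against the shared secret and issuer used above. It assumes the token is a JWT signed with HS256 that carries iss, exp, roles and groups claims; check_token, make_sample_token and the role allow-list are hypothetical names, and the sample token is constructed so the code runs without pxctl.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_sample_token(claims, secret):
    """Build a CONSTRUCTED HS256 token so the example runs without pxctl."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(hs256(f"{head}.{body}", secret))

def check_token(token, secret, issuer, allowed_roles, now=None):
    """Return (claims, problems); an empty problems list means the token passed."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.strip().split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return {}, ["not a well-formed three-part JWT"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {}, ["header or payload is not a JSON object"]
    problems = []
    if header.get("alg") != "HS256":  # assumption: shared-secret tokens use HS256
        problems.append(f"unexpected alg {header.get('alg')!r}")
    elif not hmac.compare_digest(signature, hs256(f"{head}.{body}", secret)):
        problems.append("signature does not match the shared secret")
    if claims.get("iss") != issuer:
        problems.append(f"issuer is {claims.get('iss')!r}, expected {issuer!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    extra = sorted(set(claims.get("roles") or []) - set(allowed_roles))
    if extra:
        problems.append(f"roles outside the allow-list: {extra}")
    if "*" in (claims.get("groups") or []):  # policy choice of this example
        problems.append('groups contains "*"; confirm the wildcard is intended')
    return claims, problems

if __name__ == "__main__":
    sample = make_sample_token({"iss": "my_issuer", "sub": "user@example.com/username",
        "roles": ["system.user"], "groups": ["*"], "exp": int(time.time()) + 86400}, "my_shared_secret")
    print(check_token(sample, "my_shared_secret", "my_issuer", {"system.user"})[1])
```

To check a real token, pass the contents of self-signed-token.txt as the first argument and read the shared secret from an environment variable or secret store rather than hard-coding it.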


Last edited: Tuesday, May 16, 2023