Service tokens
StackState Self-hosted v5.0.x
This page describes StackState version 5.0.
Overview
Using Service tokens it is possible to authenticate to StackState without having configured a user account. This is useful for situations where you want to use StackState from headless services like a CI server. In such a scenario you typically do not want to provision a user account in your identity provider.
Manage service tokens
Service tokens can be managed via the new sts
CLI. The following commands are available:
It is also possible to set up a bootstrap service token when installing StackState.
Create service tokens
To create a service token for an installed instance of StackState, you can use the new sts
CLI.
⚠️ PLEASE NOTE - from StackState v5.0, the old sts
CLI has been renamed to stac
and there is a new sts
CLI. The command(s) provided here are for use with the new sts
CLI.
Note that the service token will only be displayed once. It is not possible to see the token again.
This command takes the following command line arguments:
For example, the command below will create a service token with the name my-service-token
and the role stackstate-power-user
:
⚠️ PLEASE NOTE - from StackState v5.0, the old sts
CLI has been renamed to stac
and there is a new sts
CLI. The command(s) provided here are for use with the new sts
CLI.
Set up a bootstrap service token
When installing StackState, it is possible to bootstrap it with a (temporary) service token. This allows for using the CLI without first interacting with StackState and obtaining an API token from the UI. In order to set this up, you can add the following snippet to the StackState configuration file:
To configure StackState to create a bootstrap service token on Kubernetes, The following values need to be added to the file authentication.yaml
. For example
Follow the steps below to configure StackState to create a bootstrap service token:
In
authentication.yaml
- add the bootstrap token:token - The token that will be created on (initial) start of StackState.
roles - An array of roles that will be assigned to the bootstrap token.
ttl - Optional. The time-to-live for the service token, expressed as a duration string.
Store the file
authentication.yaml
together with thevalues.yaml
from the StackState installation instructions.Run a Helm upgrade to apply the changes.
Note:
The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.
Include
authentication.yaml
on everyhelm upgrade
run.The authentication configuration is stored as a Kubernetes secret.
List service tokens
The ID, name, expiration date and roles of all created service tokens can be seen using the new sts
CLI. For example:
⚠️ PLEASE NOTE - from StackState v5.0, the old sts
CLI has been renamed to stac
and there is a new sts
CLI. The command(s) provided here are for use with the new sts
CLI.
Delete service tokens
A service token can be deleted using the new sts
CLI. Pass the ID of the service token as an argument. For example:
⚠️ PLEASE NOTE - from StackState v5.0, the old sts
CLI has been renamed to stac
and there is a new sts
CLI. The command(s) provided here are for use with the new sts
CLI.
Use service tokens
Once created, a service token can be used to authenticate to StackState from a headless service. To do this you can either use the CLI or directly talk to the API.
StackState sts
CLI
sts
CLIA service token can be used for authentication with the new sts
CLI. It is not possible to authenticate with service tokens using the stac
CLI. For details, see the CLI documentation:
New
sts
CLI: Authentication
StackState APIs
To use a service token to talk directly to the StackState Base API or the StackState Admin API, add it to the header of the request in one of the following ways:
In the
Authorization
header:In the
X-API-Key
header:
Last updated