Chapter 5. Changing the default account credentials to ensure better security in the Multicloud Object Gateway


Change and rotate your Multicloud Object Gateway (MCG) account credentials using the command-line interface to prevent issues with applications, and to ensure better account security.

Prerequisites

  • A running OpenShift Data Foundation Platform.
  • Download the Multicloud Object Gateway (MCG) command-line interface for easier management:

    # subscription-manager repos --enable=rh-odf-4-for-rhel-8-x86_64-rpms
    # yum install mcg
    Important

    Specify the appropriate architecture for enabling the repositories using the subscription manager.

    • For IBM Power, use the following command:

      # subscription-manager repos --enable=rh-odf-4-for-rhel-8-ppc64le-rpms
    • For IBM Z infrastructure, use the following command:

      # subscription-manager repos --enable=rh-odf-4-for-rhel-8-s390x-rpms
  • Alternatively, you can install the MCG package from the OpenShift Data Foundation RPMs found on the Download Red Hat OpenShift Data Foundation page.

    Important

    Choose the correct Product Variant according to your architecture.

5.1. Resetting the noobaa account password

Procedure

  • To reset the noobaa account password, run the following command:

    $ noobaa account passwd <noobaa_account_name> [options]
    $ noobaa account passwd
    FATA[0000] ❌ Missing expected arguments: <noobaa_account_name>
    
    Options:
        --new-password='': New Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
        --old-password='': Old Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
        --retype-new-password='': Retype new Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
    
    
    Usage:
        noobaa account passwd <noobaa-account-name> [flags] [options]
    
    Use "noobaa options" for a list of global command-line options (applies to all commands).

    Example:

    $ noobaa account passwd admin@noobaa.io

    Example output:

    Enter old-password: [got 24 characters]
    Enter new-password: [got 7 characters]
    Enter retype-new-password: [got 7 characters]
    INFO[0017] ✅ Exists: Secret "noobaa-admin"
    INFO[0017] ✅ Exists: NooBaa "noobaa"
    INFO[0017] ✅ Exists: Service "noobaa-mgmt"
    INFO[0017] ✅ Exists: Secret "noobaa-operator"
    INFO[0017] ✅ Exists: Secret "noobaa-admin"
    INFO[0017] ✈️  RPC: account.reset_password() Request: {Email:admin@noobaa.io VerificationPassword:* Password:*}
    WARN[0017] RPC: GetConnection creating connection to wss://localhost:58460/rpc/ 0xc000402ae0
    INFO[0017] RPC: Connecting websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0
    Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0017] RPC: Connected websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0
    Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0020] ✅ RPC: account.reset_password() Response OK: took 2907.1ms
    INFO[0020] ✅ Updated:  "noobaa-admin"
    INFO[0020] ✅ Successfully reset the password for the account "admin@noobaa.io"
    Important

    To access the admin account credentials run the noobaa status command from the terminal:

    --------------------
    - Mgmt Credentials -
    --------------------
    
    email    : admin@noobaa.io
    password : ***
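
The help text in this section advises omitting the password flags so that secrets stay out of the shell history. The following script is an added example, not part of the original page or the NooBaa project: it audits a history file for `noobaa account passwd` invocations that carried a non-empty password flag. The function names and the sample history lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a shell history file for MCG passwords given as flags.
# Flag names are taken from the `noobaa account passwd` help text on this page.

# Print "<line>:<flag>" for every password flag that carries a non-empty value.
# The value itself is never printed, so the report is safe to log.
scan_history() {  # usage: scan_history <history-file>
  awk -v sq="'" '
    /noobaa[ \t]+account[ \t]+passwd/ {
      rest = $0
      # Accept both --flag=value and --flag value forms.
      while (match(rest, /--(old|new|retype-new)-password(=[^ \t]+|[ \t]+[^- \t][^ \t]*)/)) {
        hit  = substr(rest, RSTART, RLENGTH)
        rest = substr(rest, RSTART + RLENGTH)
        flag = hit; sub(/[= \t].*/, "", flag)
        val  = hit; sub(/^--[a-z-]+[= \t]+/, "", val)
        if (val == sq sq || val == "\"\"") continue   # empty quotes: nothing leaked
        print NR ":" flag
      }
    }' "$1"
}

# Constructed sample history (bash and zsh line formats), not real data.
write_sample_history() {  # usage: write_sample_history <path>
  cat > "$1" <<'EOF'
oc get noobaaaccount
noobaa account passwd admin@noobaa.io
noobaa account passwd admin@noobaa.io --old-password=CONSTRUCTED-old --new-password=CONSTRUCTED-new --retype-new-password=CONSTRUCTED-new
: 1700000000:0;noobaa account passwd admin@noobaa.io --new-password ''
noobaa account list
EOF
}

sample=$(mktemp)
write_sample_history "$sample"
scan_history "$sample"    # reports line 3 three times, once per flag
rm -f "$sample"
```

Any reported line means the password is stored in a readable file; reset it again using the prompt-based form shown in the example above.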

5.2. Regenerating the S3 credentials for the accounts

Procedure

  1. Get the account name.

    For listing the accounts, run the following command:

    $ noobaa account list

    Example output:

    NAME           ALLOWED_BUCKETS   DEFAULT_RESOURCE               PHASE   AGE
    account-test   [*]               noobaa-default-backing-store   Ready   14m17s
    test2          [first.bucket]    noobaa-default-backing-store   Ready   3m12s

    Alternatively, run the oc get noobaaaccount command from the terminal:

    $ oc get noobaaaccount

    Example output:

    NAME           PHASE   AGE
    account-test   Ready   15m
    test2          Ready   3m59s
  2. To regenerate the noobaa account S3 credentials, run the following command:

    $ noobaa account regenerate <noobaa_account_name> [options]
    $ noobaa account regenerate
    FATA[0000] ❌ Missing expected arguments: <noobaa-account-name>
    
    Usage:
        noobaa account regenerate <noobaa-account-name> [flags] [options]
    
    Use "noobaa options" for a list of global command-line options (applies to all commands).
  3. After you run the noobaa account regenerate command, it displays a warning that says "This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials." and asks for confirmation:

    Example:

    $ noobaa account regenerate account-test

    Example output:

    INFO[0000] You are about to regenerate an account's security credentials.
    INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
    INFO[0000] are you sure? y/n
  4. After you confirm, the command regenerates the credentials and then prints them:

    INFO[0015] ✅ Exists: Secret "noobaa-account-account-test"
    Connection info:
    AWS_ACCESS_KEY_ID      : ***
    AWS_SECRET_ACCESS_KEY  : ***

5.3. Regenerating the S3 credentials for the OBC

Procedure

  1. To get the OBC name, run the following command:

    $ noobaa obc list

    Example output:

    NAMESPACE   NAME       BUCKET-NAME                                     STORAGE-CLASS       BUCKET-CLASS                  PHASE
    default     obc-test   obc-test-35800e50-8978-461f-b7e0-7793080e26ba   default.noobaa.io   noobaa-default-bucket-class   Bound

    Alternatively, run the oc get obc command from the terminal:

    $ oc get obc

    Example output:

    NAME       STORAGE-CLASS       PHASE   AGE
    obc-test   default.noobaa.io   Bound   38s
  2. To regenerate the noobaa OBC S3 credentials, run the following command:

    $ noobaa obc regenerate <bucket_claim_name> [options]
    $ noobaa obc regenerate
    FATA[0000] ❌ Missing expected arguments: <bucket-claim-name>
    
    Usage:
       noobaa obc regenerate <bucket-claim-name> [flags] [options]
    
    Use "noobaa options" for a list of global command-line options (applies to all commands).
  3. After you run the noobaa obc regenerate command, it displays a warning that says "This will invalidate all connections between the S3 clients and noobaa which are connected using the current credentials." and asks for confirmation:

    Example:

    $ noobaa obc regenerate obc-test

    Example output:

    INFO[0000] You are about to regenerate an OBC's security credentials.
    INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
    INFO[0000] are you sure? y/n
  4. After you confirm, the command regenerates the credentials and then prints them:

    INFO[0022] ✅ RPC: bucket.read_bucket() Response OK: took 95.4ms
    
    ObjectBucketClaim info:
      Phase                  : Bound
      ObjectBucketClaim      : kubectl get -n default objectbucketclaim obc-test
      ConfigMap              : kubectl get -n default configmap obc-test
      Secret                 : kubectl get -n default secret obc-test
      ObjectBucket           : kubectl get objectbucket obc-default-obc-test
      StorageClass           : kubectl get storageclass default.noobaa.io
      BucketClass            : kubectl get -n default bucketclass noobaa-default-bucket-class
    
    Connection info:
      BUCKET_HOST            : s3.default.svc
      BUCKET_NAME            : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
      BUCKET_PORT            : 443
      AWS_ACCESS_KEY_ID      : ***
      AWS_SECRET_ACCESS_KEY  : ***
    
    Shell commands:
      AWS S3 Alias           : alias s3='AWS_ACCESS_KEY_ID=*** AWS_SECRET_ACCESS_KEY=*** aws s3 --no-verify-ssl --endpoint-url ***'
    
    Bucket status:
      Name                   : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
      Type                   : REGULAR
      Mode                   : OPTIMAL
      ResiliencyStatus       : OPTIMAL
      QuotaStatus            : QUOTA_NOT_SET
      Num Objects            : 0
      Data Size              : 0.000 B
      Data Size Reduced      : 0.000 B
      Data Space Avail       : 13.261 GB
      Num Objects Avail      : 9007199254740991
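
One way to confirm that the regeneration above replaced both keys, without printing them, is to compare fingerprints of the Secret fields taken before and after the command. This is an added example, not code from the original page or the NooBaa project; the function names are hypothetical. It assumes a logged-in oc session, GNU base64 and sha256sum, and that the obc-test Secret stores the keys under the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY field names shown in the output.

```bash
#!/usr/bin/env bash
# Added example: confirm an OBC credential rotation without printing the keys.

# Short SHA-256 fingerprint of a base64-encoded Secret field.
fingerprint() {
  printf '%s' "$1" | base64 -d | sha256sum | cut -c1-16
}

# Print "FIELD fingerprint" for both S3 fields of a Secret (needs a logged-in oc).
snapshot_secret() {  # usage: snapshot_secret <namespace> <secret>
  local field value
  for field in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    value=$(oc get secret -n "$1" "$2" -o jsonpath="{.data.$field}") || return 2
    printf '%s %s\n' "$field" "$(fingerprint "$value")"
  done
}

# Succeed only if every field's fingerprint differs between two snapshots.
# A field that did not change (or is missing afterwards) is named on stderr.
rotation_complete() {  # usage: rotation_complete "$before" "$after"
  local field fp_old fp_new rc=0
  while read -r field fp_old; do
    fp_new=$(printf '%s\n' "$2" | awk -v f="$field" '$1 == f { print $2 }')
    if [ -z "$fp_new" ] || [ "$fp_new" = "$fp_old" ]; then
      echo "not rotated: $field" >&2
      rc=1
    fi
  done <<EOF
$1
EOF
  return "$rc"
}

# Typical use around the regenerate step from this page:
#   before=$(snapshot_secret default obc-test)
#   noobaa obc regenerate obc-test
#   after=$(snapshot_secret default obc-test)
#   rotation_complete "$before" "$after" && echo "both keys rotated"
```

The same functions can be pointed at the account Secret from section 5.2 (noobaa-account-account-test in the example output), assuming it uses the same field names.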

© 2025 Red Hat