红帽全球峰会此内容没有您所选择的语言版本。
Chapter 17. Configuring API tokens
Red Hat Advanced Cluster Security for Kubernetes (RHACS) requires API tokens for some system integrations, authentication processes, and system functions. You can configure tokens using the RHACS web interface.
-
To prevent privilege escalation, when you create a new token, your role’s permissions limit the permission you can assign to that token. For example, if you only have
readpermission for the Integration resource, you cannot create a token withwritepermission. - If you want a custom role to create tokens for other users to use, you must assign the required permissions to that custom role.
-
Use short-lived tokens for machine-to-machine communication, such as CI/CD pipelines, scripts, and other automation. Also, use the
roxctl central logincommand for human-to-machine communication, such asroxctlCLI or API access. - The majority of cloud service providers support OIDC identity tokens, for example, Microsoft Entra ID, Google Cloud Identity Platform, and AWS Cognito. OIDC identity tokens issued by these services can be used for RHACS short-lived access.
- Third-party OIDC identity tokens can also be used directly to access the API endpoint, without an exchange, if a machine-to-machine configuration exists for the token issuer.
17.1. Creating an API token
Procedure
-
In the RHACS portal, go to Platform Configuration
Integrations. - Scroll to the Authentication Tokens category, and then click API Token.
- Click Generate Token.
- Enter a name for the token and select a role that provides the required level of access (for example, Continuous Integration or Sensor Creator).
Click Generate.
ImportantCopy the generated token and securely store it. You will not be able to view it again.
17.2. About API token expiration
API tokens expire one year from the creation date. RHACS alerts you in the web interface and by sending log messages to Central when a token will expire in less than one week. The log message process runs once an hour. Once a day, the process lists the tokens that are expiring and creates a log message for each one. Log messages are issued once a day and appear in Central logs.
Logs have the format as shown in the following example:
Warn: API Token [token name] (ID [token ID]) will expire in less than X days.
Warn: API Token [token name] (ID [token ID]) will expire in less than X days.You can change the default settings for the log message process by configuring the environment variables shown in the following table:
| Environment variable | Default value | Description |
| ROX_TOKEN_EXPIRATION_NOTIFIER_INTERVAL | 1h (1 hour) | The frequency at which the log message background loop that lists tokens and creates the logs will run. |
| ROX_TOKEN_EXPIRATION_NOTIFIER_BACKOFF_INTERVAL | 24h (1 day) | The frequency at which the loop lists tokens and issues notifications. |
| ROX_TOKEN_EXPIRATION_DETECTION_WINDOW | 168h (1 week) | The time period before expiration of the token that will cause the notification to be generated. |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}