Skip to content

How to query Rancher API tokens information via kubectl

This document (000021736) is provided subject to the disclaimer at the end of this document.

Environment

  • A Rancher v2.x instance
  • A Rancher admin kubeconfig sourced

Situation

This article provides detailed information about how to query Rancher API tokens using the kubectl command line.

Resolution

The API tokens' information can be retrieved via the tokens.management.cattle.io custom resources in the Rancher local cluster.

Warning: the "isDerived: false" tokens are temporary UI session tokens and are not intended to be manually operated or modified. Please only use derived tokens.

For example, if you want to view all the fields that can be accessed in the API tokens via kubectl, you can obtain a detailed list by using the following command:

``

kubectl get tokens.management.cattle.io -o jsonpath='{.items[]}' | jq keys

The expected fields are: apiVersion, authProvider, current, description, expired, expiresAt, isDerived, kind, lastUsedAt, metadata, token, ttl, userId, userPrincipal.

By consulting or modifying these values, we can get or edit information from the API tokens using the kubectl command line. For example, a possible kubectl command to check the API tokens in our cluster with their description and expiration information could be:

``

kubectl get tokens.management.cattle.io -o custom-columns=Name:'{.metadata.name},Description:{.description},isDerived:{.isDerived},TTL:{.ttl},expired:{.expired},expiresAt:{.expiresAt}'

Cause

The possibility of viewing and modifying API tokens via kubectl offers the opportunity to automate periodic operations or checks in your cluster.

For example, as a good security practice, it may be interesting to track and remove certain ttl=0 tokens if they are not used. API tokens with ttl=0 never expire unless you invalidate them.

Additional Information

Rancher API Token Documentation

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.