Step 3: Generate tokens

Now that the system is up and running you can create tokens.

If you want to create your own application to generate tokens, you can base it on the libopenstorage open source golang example application openstorage-sdk-auth.

SSH to one of your nodes and follow the steps below to use pxctl to generate tokens:

Create user files

pxctl uses YAML configuration files to create tokens. You will be creating two files, one for the storage admin token used for pxctl to communicate with Portworx (like root in Linux), and the second for Kubernetes to provision and manage volumes.

  1. Create a file called admin.yaml with the the following:

    name: Storage Administrator
    email: the email of the storage admin
    sub: ${uuid} or email of the storage admin
    roles: ["system.admin"]
    groups: ["*"]
  2. Create a file called kubernetes.yaml with the the following:

    name: Kubernetes
    email: the email of the kubernetes admin
    sub: ${uuid} or email of the kubernetes admin
    roles: ["system.user"]
    groups: ["kubernetes"]

    The sub is the unique identifier for this user and must not be shared amongst other tokens according to the JWT standard. This is the value used by Portworx to track ownership of resources. If email is also used as the sub unique identifier, please make sure it is not used by any other tokens.

    For more information on the rules of each of the values, visit the openstorage-sdk-auth repo.

Generate tokens

Now you can create a token. Notice in the example below that they have set the issuer to match the setting in the Portworx manifest to as set the value for -jwt-issuer. The example also sets the duration of the token to one year. You may want to adjust it to a much shorter duration if you plan on refreshing the token often.

You will also need to have the shared secret created above. In the example below, the secret is saved in the environment variable $PORTWORX_AUTH_SHARED_SECRET.

  1. Get the shared secret:

    PORTWORX_AUTH_SHARED_SECRET=$(kubectl -n kube-system get secret pxkeys -o json \
        | jq -r '.data."shared-secret"' \
        | base64 -d)
  2. Create a token for the storage administrator using admin.yaml:

    ADMIN_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
        --auth-config=admin.yaml \ \
        --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  3. Create a token for the Kubernetes using kubernetes.yaml:

    KUBE_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
        --auth-config=kube.yaml \ \
        --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  4. Save the storage admin token in the pxctl context:

    /opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN
  5. Save the Kubernetes token in a secret called portworx/px-user-token:

    kubectl -n portworx create secret \
      generic px-user-token --from-literal=auth-token=$KUBE_TOKEN
  6. Annotate the Kubernetes secret so that other components like Stork and PX-Backup do not backup this resource.

    kubectl -n portworx annotate secret px-user-token \

You can now set up Kubernetes storage classes to use this secret to get access to the token to communicate with Portworx.

Once you have completed the steps in this section, continue to the Storage class setup section.

Last edited: Monday, May 16, 2022