Skip to main content
Version: 3.1

Step 3: Generate tokens

Now that the system is up and running you can create tokens.


If you want to create your own application to generate tokens, you can base it on the libopenstorage open source golang example application openstorage-sdk-auth.

SSH to one of your nodes and follow the steps below to use pxctl to generate tokens:

Create user files

pxctl uses YAML configuration files to create tokens. Create two files, one for the storage admin token used for pxctl to communicate with Portworx (like root in Linux), and the second for Kubernetes to provision and manage volumes.

  1. Create a file called admin.yaml with the following:

    name: Storage Administrator
    email: the email of the storage admin
    sub: ${uuid} or email of the storage admin
    roles: ["system.admin"]
    groups: ["*"]
  2. Create a file called kubernetes.yaml with the following:

    name: Kubernetes
    email: the email of the kubernetes admin
    sub: ${uuid} or email of the kubernetes admin
    roles: ["system.user"]
    groups: ["kubernetes"]

    The sub is the unique identifier for this user and must not be shared amongst other tokens according to the JWT standard. This is the value used by Portworx to track ownership of resources. If email is also used as the sub unique identifier, ensure it is not used by any other tokens.

    For more information on the rules of each of the values, visit the openstorage-sdk-auth repo.

Generate tokens

You can create a token. In the following example, the issuer is set to match the setting in the Portworx manifest to as set the value for -jwt-issuer. The example also sets the duration of the token to one day, which can be set manually with an API request.

You will also need to have the shared secret created above. In the example below, the secret is saved in the environment variable $PORTWORX_AUTH_SHARED_SECRET.

  1. Get the shared secret:

    PORTWORX_AUTH_SHARED_SECRET=$(kubectl -n kube-system get secret pxkeys -o json \
    | jq -r '.data."shared-secret"' \
    | base64 -d)
  2. Create a token for the storage administrator using admin.yaml:

    ADMIN_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
    --auth-config=admin.yaml \ \
    --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  3. Create a token for the Kubernetes using kubernetes.yaml:

    KUBE_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
    --auth-config=kube.yaml \ \
    --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  4. Save the storage admin token in the pxctl context:

    /opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN
  5. Save the Kubernetes token in a secret called portworx/px-user-token:

    kubectl -n kube-system create secret \
    generic px-user-token --from-literal=auth-token=$KUBE_TOKEN
  6. Annotate the Kubernetes secret so that other components like Stork and PX-Backup do not backup this resource.

    kubectl -n kube-system annotate secret px-user-token \

You can set up Kubernetes storage classes to use this secret to get access to the token to communicate with Portworx.

After you have completed the steps in this section, continue to the Storage class setup section.

Was this page helpful?