Skip to main content
Version: 3.1

Step 2: Generate multitenant tokens

Now that the system is up and running, you can create tokens.


If you want to create your own application to generate tokens, you can base it on our open source golang example application openstorage-sdk-auth

SSH to one of your nodes and follow the steps below to use pxctl to generate tokens:

Fetching the shared secret

Fetch the shared secret, which is stored in a Kubernetes secret. Below, the secret is saved in the environment variable $PORTWORX_AUTH_SHARED_SECRET.

  1. Get the shared secret:

    PORTWORX_AUTH_SHARED_SECRET=$(kubectl -n kube-system get \
    secret px-shared-secret -o json \
    | jq -r '.data."shared-secret"' \
    | base64 -d)

Generate a storage admin token

pxctl uses yaml configuration files to create tokens.

  1. Create a file called admin.yaml with the the following:

    name: Storage Administrator
    email: the email of the storage admin
    sub: ${uuid} or email of the storage admin
    roles: ["system.admin"]
    groups: ["*"]
  2. Create a token for the storage administrator using admin.yaml. In the example below:

    • The issuer matches the setting in the Portworx manifest of as the set value for -jwt-issuer.

    • The example sets the duration of the token to one year -- You may want to adjust it to a much shorter duration if you plan on refreshing the token often.

      ADMIN_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
      --auth-config=admin.yaml \ \
      --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  3. Save the storage admin token in the pxctl context:

    /opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN

Generate tenant tokens

This model is based on isolating tenant accounts by namespaces. You will need to create an account for the tenant in Kubernetes and restrict it to one or more namespaces. You will then store the tenant's token in each namespace they own.

The following steps provide instructions for creating and storing the token in a namespace for the tenant:

  1. Create a file called tenant-name.yaml with the following:

    name: <Tenant name>
    email: <Tenant email>
    sub: ${uuid} or email of the tenant
    roles: ["system.user"]
    groups: ["<groups the tenant participate if any"]

The sub is the unique identifier for this user and most not be shared amongst other tokens according to the JWT standard. This is the value used by Portworx to track ownership of resources. If email is also used as the sub unique identifier, please make sure it is not used by any other tokens. You can find more information on the rules of each of the value on the openstorage-sdk-auth repo.

  1. Create a token for the Kubernetes using tenant-name.yaml:

    TENANT_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
    --auth-config=tenant-name.yaml \ \
    --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \

  1. Save the tenant Kubernetes token in a secret called <tenant namespace>/px-user-token:

    kubectl -n <tenant namespace> create secret \
    generic px-user-token --from-literal=auth-token=$TENANT_TOKEN
  2. Annotate the Kubernetes secret so that other components like Stork and PX-Backup do not backup this resource.

    kubectl -n <tenant namespace> annotate secret px-user-token \

Kubernetes storage classes can now be set up to use this secret to get access to the token to communicate with Portworx.

Once you have completed the steps in this section, continue to the next section.

Was this page helpful?