Skip to main content
Version: 3.1

Generate tokens

With Portworx, you can use the pxctl command-line tool to generate a token. Run the following command to access the built-in help and see the available flags:

pxctl auth token generate --help
Generate a self signed token based on a specified configuration yaml. The configuration defines your identity, roles, and groups to be used when generating a token.
e.g.
name: Jim Stevens
sub: user@example.com/user
email: user@example.com
roles: ["system.user"]
groups: ["px-engineering", "kubernetes-csi"]

Usage:
pxctl auth token generate [flags]

Examples:
pxctl auth token generate --auth-config=<authconfig.yaml> --issuer <issuer> --ecdsa-private-keyfile <ecdsa key file> OR --rsa-private-keyfile <rsa key file> OR --shared-secret <secret>

Flags:
--auth-config string (Required) Auth account information file providing email, name, etc.
--ecdsa-private-keyfile string ECDSA Private file to sign token
-h, --help help for generate
--issuer string (Required) Issuer name of token. Do not use https:// in the issuer since it could indicate that this is an OpenID Connect issuer.
--output string Output token to file instead of standard out
--rsa-private-keyfile string RSA Private file to sign token
--shared-secret string Shared secret to sign token
--token-duration string Duration of time where the token will be valid. Postfix the duration by using s for seconds, m for minutes, h for hours, d for days, and y for years. (default "1d")

Global Flags:
--ca string path to root certificate for ssl usage
--cert string path to client certificate for ssl usage
--color output with color coding
--config string config file (default is $HOME/.pxctl.yaml)
--context string context name that overrides the current auth context
-j, --json output in json
--key string path to client key for ssl usage
--output-type string use "wide" to show more details
--raw raw CLI output for instrumentation
--ssl ssl enabled for portworx

The pxctl command-line tool allows you to generate the tokens in the following ways:

  • ECDSA
  • RSA
  • shared secret

For example, to generate a token with a shared secret, specify these flags:

  • --auth-config with the path to the file providing account information
  • --shared-secret with a string representing your shared secret.
  • --issuer with the name of the issuer.
  • --output with the name of the file

As an example, the following example generates a token:

echo "name: Example User
email: user@example.com
sub: user@example.com/username
roles: [\"system.user\"]
groups: [\"*\"]" > authconfig.yaml

pxctl auth token generate --auth-config=authconfig.yaml --issuer my_issuer \
--shared-secret my_shared_secret \
--output self-signed-token.txt
Token written to output file: self-signed-token.txt

Use the cat command to view the content of the self-signed-token.txt file:

cat self-signed-token.txt
Was this page helpful?