App credentials
List app credentials
You can view the list of existing app credentials by using the list command:
apoctl appcred list
Example Output:
name: alice
id: 5bf46d187ddf1f62b3b79eac
date: 2019-11-20T20:22:48Z
roles: [@auth:role=namespace.administrator]

name: bob
id: 5c364e0d7ddf1f3cf70b3157
date: 2019-01-09T19:39:57.209Z
roles: [@auth:role=namespace.viewer]
You can also pass the flag --recursive to list the app credentials in the current namespace and all of its child namespaces.
Create an app credential
App credentials can be formatted for different uses, such as:
- Aporeto (default)
- Kubernetes secret
- X.509 certificate
You can use the flag --type to select the type.
Aporeto type
This type is the default app credential format.
It can be used by
To create an app credential with the role namespace.administrator and write it into ./mycreds.json, run:
apoctl appcred create mycreds -n /my/ns \
  --role @auth:role=namespace.administrator \
  > ./mycreds.json
You can list the available roles by running:
apoctl api list roles -c key -c description
You can check the content of the file by running:
cat ./mycreds.json
Example output:
{
  "ID": "5bc65d707ddf1f94d1bb96b6",
  "name": "myapp",
  "namespace": "/my/ns",
  "certificate": "<base64>",
  "certificateAuthority": "<base64>",
  "certificateKey": "<base64>"
}
You can then use it to retrieve a Microsegmentation token by running:
apoctl auth appcred --path ./mycreds.json
Kubernetes secret type
This format wraps the Aporeto-type app credential in a Kubernetes Secret definition.
This secret can then be mounted by pods to access the Microsegmentation Console API.
To create an app credential with the role enforcer and apply it in your current Kubernetes cluster, run:
apoctl appcred create mycreds \
  --role @auth:role=enforcer \
  --type k8s \
  | kubectl apply -f -
X.509 certificate type
This format extracts the certificates contained in the Microsegmentation format and writes them into a separate certificate and key in the PEM format.
To create an app credential with the role namespace.administrator on /my/ns and get an X.509 certificate, run:
apoctl appcred create mycreds \
  -n /my/ns \
  --role @auth:role=namespace.administrator \
  --type cert
The certificate can be used to get a Microsegmentation token:
apoctl auth cert --cert myapp-cert.pem --key myapp-key.pem
Renew an app credential
Renewing an app credential will keep the old one valid for an additional period of twelve hours.
After that grace period, entities using it will see their API calls denied.
To renew your app credential, simply execute:
apoctl appcred renew mycreds -n /my/ns > ./mycreds.json
You can always set the type using the flag --type.
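As an added example (not apoctl's own code, and not part of the Microsegmentation product), the following Python helpers tie together the file layout shown in the cat ./mycreds.json output, the certificate extraction that the --type cert option performs, and the renewal grace period: load_appcred rejects a truncated or malformed credential file before it is used, extract_pem splits an Aporeto-type credential into the PEM files used with apoctl auth cert, and rotate_appcred renews into a temporary file and swaps it in only after validation, so a failed renew command cannot leave ./mycreds.json truncated (a plain shell redirection empties the file even when the command fails). The field names come from the example output; the <name>-ca.pem file name, the helper names and the sample values are assumptions of this example.

```python
"""Handling apoctl app credential files safely.

Added example; not part of apoctl or the Microsegmentation product. It assumes
the file layout from the `cat ./mycreds.json` output: the three certificate*
fields hold base64-encoded PEM. `<name>-ca.pem` and the helper names are this
example's own choices.
"""
import base64
import json
import os
import subprocess
import tempfile
from typing import Callable, Dict

REQUIRED_FIELDS = ("ID", "name", "namespace",
                   "certificate", "certificateAuthority", "certificateKey")
PEM_FIELDS = REQUIRED_FIELDS[3:]


def load_appcred(text: str) -> Dict[str, str]:
    """Parse an app credential document and reject anything malformed.

    A truncated or empty document (e.g. left behind by a failed
    `apoctl appcred create ... > file`) fails here, not at the first
    `apoctl auth appcred` call.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"app credential is not valid JSON: {exc}") from exc
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError("app credential is missing: " + ", ".join(missing))
    for field in PEM_FIELDS:
        try:
            pem = base64.b64decode(doc[field], validate=True).decode("ascii")
        except ValueError as exc:  # binascii.Error and UnicodeDecodeError
            raise ValueError(f"{field} is not base64 text") from exc
        if "-----BEGIN " not in pem or "-----END " not in pem:
            raise ValueError(f"{field} does not decode to PEM")
    return doc


def extract_pem(doc: Dict[str, str], name: str) -> Dict[str, str]:
    """Split an Aporeto-type credential into the PEM files `--type cert` writes.

    `<name>-cert.pem` / `<name>-key.pem` match the names used with
    `apoctl auth cert`; `<name>-ca.pem` is an assumption of this example.
    """
    decode = lambda field: base64.b64decode(doc[field]).decode("ascii")
    return {f"{name}-cert.pem": decode("certificate"),
            f"{name}-key.pem": decode("certificateKey"),
            f"{name}-ca.pem": decode("certificateAuthority")}


def apoctl_renew(name: str, namespace: str) -> str:
    """Return the stdout of `apoctl appcred renew <name> -n <namespace>`."""
    return subprocess.run(["apoctl", "appcred", "renew", name, "-n", namespace],
                          check=True, capture_output=True, text=True).stdout


def rotate_appcred(path: str, fetch_new: Callable[[], str]) -> Dict[str, str]:
    """Renew a credential file without ever leaving it truncated or invalid.

    The new document is validated first, written to a temporary file next to
    `path` with owner-only permissions, then swapped in atomically. The old
    file is kept as `path + ".previous"`; it stays valid for the twelve-hour
    grace period that follows a renewal.
    """
    new_text = fetch_new()             # e.g. lambda: apoctl_renew("mycreds", "/my/ns")
    doc = load_appcred(new_text)       # raises before anything on disk is touched
    fd, tmp = tempfile.mkstemp(prefix=".appcred-", dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        os.chmod(tmp, 0o600)           # private key material: owner only
        if os.path.exists(path):
            os.replace(path, path + ".previous")
        os.replace(tmp, path)
    except OSError:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return doc


def _placeholder_pem(label: str) -> str:
    # Constructed stand-in for the demo; not a real certificate or key.
    return f"-----BEGIN {label}-----\nQ29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\n-----END {label}-----\n"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample in the layout of the `cat ./mycreds.json` output above.
SAMPLE_APPCRED = json.dumps({
    "ID": "5bc65d707ddf1f94d1bb96b6", "name": "myapp", "namespace": "/my/ns",
    "certificate": _b64(_placeholder_pem("CERTIFICATE")),
    "certificateAuthority": _b64(_placeholder_pem("CERTIFICATE")),
    "certificateKey": _b64(_placeholder_pem("EC PRIVATE KEY")),
})


def demo_rotation() -> dict:
    """Rotate twice in a scratch directory, then feed a failed renewal; report the outcome."""
    path = os.path.join(tempfile.mkdtemp(), "mycreds.json")
    rotate_appcred(path, lambda: SAMPLE_APPCRED)
    rotate_appcred(path, lambda: SAMPLE_APPCRED)
    rejected = False
    try:
        rotate_appcred(path, lambda: "")   # simulates `apoctl appcred renew` producing nothing
    except ValueError:
        rejected = True
    with open(path) as fh:
        current = load_appcred(fh.read())  # the working file survived the bad renewal
    return {"previous_kept": os.path.exists(path + ".previous"),
            "bad_renewal_rejected": rejected, "current_name": current["name"]}


if __name__ == "__main__":
    print(demo_rotation())
    print(sorted(extract_pem(load_appcred(SAMPLE_APPCRED), "myapp")))
```

In real use, replace the lambda with apoctl_renew("mycreds", "/my/ns"); the .previous copy can be deleted once the twelve-hour grace period has passed.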
Disable an app credential
Entities using the disabled app credential will see their API calls denied immediately.
To disable an existing app credential, run:
apoctl appcred disable mycreds -n /my/ns
To re-enable a disabled app credential, run:
apoctl appcred enable mycreds -n /my/ns
Change the roles of an app credential
Entities using the app credential will see their roles updated immediately.
To change the roles of an existing app credential, run:
apoctl appcred roles mycreds -n /my/ns \
  --role compute.editor \
  --role automation.viewer
Delete an app credential
Deleting an app credential revokes its certificate immediately. Entities still using it will see their API calls denied.
To delete an existing app credential, run:
apoctl appcred delete mycreds -n /my/ns