Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn
This documentation is for an older Keptn release. Please consider the newest one when working with the latest Keptn.

API Token

In this section, the management of the API token of a Keptn installation is explained.

Retrieve API Token

  • To retrieve the API token of a running Keptn installation, execute:

    kubectl get secret keptn-api-token -n keptn -ojsonpath='{.data.keptn-api-token}'
    
  • To decode the retrieved API token, use means provided by the operating system:

    kubectl get secret keptn-api-token -n keptn -ojsonpath='{.data.keptn-api-token}' | base64 --decode
    

    Please expand the corresponding section matching your CLI tool.

    For the Windows PowerShell, a small script is provided that installs the PSYaml module and sets the environment variables. Please note that the PowerShell might have to be started with Run as Administrator privileges to install the module.

    • Copy the following snippet and paste it in the PowerShell. The snippet will be automatically executed line by line.

      $tokenEncoded = $(kubectl get secret keptn-api-token -n keptn -ojsonpath='{.data.keptn-api-token}')
      [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenEncoded))
      

    In the Windows Command Line, a couple of steps are necessary.

    1. Get the Keptn API Token encoded in base64:

      kubectl get secret keptn-api-token -n keptn -ojsonpath={.data.keptn-api-token}
      
      abcdefghijkladfaea
      
    2. Take the encoded API token; it is the value from the key keptn-api-token (in this example, it is abcdefghijkladfaea) and save it in a text file, e.g.: keptn-api-token-base64.txt

    3. Decode the file using certutil:

      certutil -decode keptn-api-token-base64.txt keptn-api-token.txt
      
    4. Open the newly created file keptn-api-token.txt, in which you find the API token.

Create API Token

  • To create an API token, use means provided by the operating system:

    • To generate a base64 encoded token use the following command and store it into the environment variable KEPTN_API_TOKEN:

      KEPTN_API_TOKEN=$(head -c 16 /dev/urandom | base64)
      
    • To create an API token, execute:

      kubectl create secret generic -n keptn keptn-api-token --from-literal=keptn-api-token="$KEPTN_API_TOKEN"
      

    Please expand the corresponding section matching your CLI tool.

    • To generate a base64 encoded token use the following command and store it into the environment variable $Env:KEPTN_API_TOKEN:

      [Reflection.Assembly]::LoadWithPartialName("System.Web")
      $token_bytes = [System.Text.Encoding]::Unicode.GetBytes([System.Web.Security.Membership]::GeneratePassword(16,2))
      $Env:KEPTN_API_TOKEN = [Convert]::ToBase64String($token_bytes)
      
    • To create an API token, execute:

      kubectl create secret generic -n keptn keptn-api-token --from-literal=keptn-api-token="$Env:KEPTN_API_TOKEN"
      

    In the Windows Command Line, a couple of steps are necessary.

    1. Generate a random token with at least 16 characters and save it in a text file: keptn-api-token.txt

    2. Encode the file using certutil:

      certutil -encode keptn-api-token.txt keptn-api-token-base64.txt
      
    3. Open the newly created file keptn-api-token-base64.txt, in which you find the base64 encoded API token. Then set the environment variable KEPTN_API_TOKEN:

      set KEPTN_API_TOKEN=
      
    4. To create an API token, execute:

      kubectl create secret generic -n keptn keptn-api-token --from-literal=keptn-api-token="%KEPTN_API_TOKEN%"
      

Reset API Token

  • To reset an API token of a Keptn installation, first delete the secret:

    kubectl delete secret -n keptn keptn-api-token
    
  • Create API token as explained above.

  • Re-start API service since it requires the new token:

    kubectl delete pods -n keptn --selector=app.kubernetes.io/name=api-service
    
  • Re-authenticate Keptn CLI as explained here.

  • Don’t forget to replace the API token at tools that interact with the Keptn API, e.g., Problem Notification setting in Dynatrace or WebHook in Prometheus.