Credentials
Objective
This guide provides instructions on how to generate various credentials related to F5® Distributed Cloud Services from the platform.
F5® Distributed Cloud Console provides two types of credentials:
-
My Credentials
: Are generated and used for different authentication and authorization purposes while accessing F5® Distributed Cloud Services APIs or deploying apps using F5® Distributed Cloud Services vK8s. -
Service Credentials
: Are generated by administrators to create custom service roles that are associated with service users.
Note: The
My Credentials
inherit the roles of the users. In case of service credentials, you can assign specific roles to the service user.
Using the instructions provided in this guide, you can create various types of credentials and download them for using in API requests.
Prerequisites
The following prerequisites apply:
- A valid F5 Distributed Cloud Console Account is required.
- Note: If you do not have an account, visit Create an Account.
- A single-node or multi-node F5® Distributed Cloud Services site in case of application deployment.
- Note: If you do not have a site, visit Site Management.
My Credentials
My Credentials
options can be generated and downloaded from the Console:
-
API Tokens: The tokens are used in site deployment, and also for the authorization in the API requests.
-
API Certificates: These certificates are used in API requests.
Note: All certificates follow x.509 standard.
- vK8s KubeConfig: These are the vK8s KubeConfigs for deploying your applications using F5® Distributed Cloud Services vK8s.
Note: You can use either API certificate or API token for authenticating. It is recommended to use API certificates as they offer more robust security via Mutual TLS (mTLS) authentication. The API tokens are used with one-way TLS authentication.
Generate API Certificate
Features can be viewed, and managed in multiple services.
This example shows Credentials
setup in Administration
.
Step 1: Open F5® Distributed Cloud Console > select Create Credentials.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select
All Services
drop-down menu to discover all options. Customize Settings:Administration
>Personal Management
>My Account
>Edit work domain & skills
button >Advanced
box > checkWork Domain
boxes >Save changes
button.
Figure: Homepage
Note: Confirm
Namespace
feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.
-
Select
Personal Management
in left column menu > selectCredentials
. -
Select
+ Add Credentials
button.
Note: If options are not showing available, select
Show
link inAdvanced nav options visible
in bottom left corner. If needed, selectHide
to minimize options from Advanced nav options mode.
Figure: Create Credentials
Step 2: Setup Credential.
-
Enter
Name
for your certificate. -
Select
API Certificate
inCredential type
. -
Enter
Password
>Confirm Password
. -
Select
Expiry date
in calendar drop-down.
Figure: Add Credentials
Step 3: Generate and download certificate.
- Select
Download
to generate certificate in.p12
file format.
Figure: Create API Certificate
Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.
Credential
will appear inCredentials
page if created.
Note: Reference date confirms correct Credential.
After generating, you can use the certificate in API request.
Sample API request to delete a namespace:
curl -k -X POST --cert-type P12 --cert ~/Downloads/<api-creds>.p12:<password> https://tenant>.console.ves.volterra.io/api/web/namespaces/<namespace>/cascade_delete -v
Note: It is recommended to specify the full path to certificate.
Generate Kubeconfig
Step 1: Open F5® Distributed Cloud Console > select Create Credentials.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Figure: Homepage
- Select
Personal Management
in left column menu > selectCredentials
>+ Add Credentials
.
Figure: Create Credentials
Step 2: Setup Credential type.
-
Enter
Name
for your certificate. -
Select
vK8s KubeConfig
inCredential type
drop-down menu. -
Select
Site
in drop-down menu. -
Select
Namespace
option in drop-down menu. -
Select
vK8s cluster name
option in drop-down menu. -
Select
Expiry date
from calendar drop-down.
Figure: Create vK8s KubeConfig
Step 3: Generate and download vK8s KubeConfig Certificate.
- Select
Download
button to generate and download vK8s KubeConfig certificate file.
Figure: Generate and download vK8s KubeConfig Certificate
Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.
- Use in deployments after generating.
The following is a sample kubectl request to view the configuration:
kubectl config --kubeconfig=<kubeconfig-file> view
Generate API Tokens
Step 1: Create Credentials in F5® Distributed Cloud Console.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Figure: Homepage
- Select
Personal Management
in left column menu > selectCredentials
>+ Add Credentials
.
Figure: Create Credentials
Step 2: Setup Credential type.
-
Enter
Name
. -
Select
API Token
inCredential type
drop-down menu. -
Select
Expiry date
from calendar drop-down.
Step 3: Create API Token.
- Select
Generate
button.
Figure: Add Credentials
Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.
Step 4: Obtain API Token.
-
Select
Copy
button to copy API token. -
Select
Done
button to exit pop-up window.
Figure: Add Credentials
After generating, you can use it in API request with the authorization header.
The following is a sample API request:
curl -k -X GET https://<tenant>.console.ves.volterra.io/api/web/namespaces -H 'Authorization: APIToken <token value>'
Note: All API access with the token will have the same RBAC assigned to the user who created the token.
Revoke API Credentials
You can force an API credentials object to be expired before it's configured or before the default expiry time.
Revoke API credentials instructions:
Step 1: Open Credentials in F5® Distributed Cloud Console.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Figure: Homepage
- Select
Personal Management
in left column menu > selectCredentials
.
Figure: Credentials
Step 2: Perform revoke operation for an existing credential object.
-
API Token
: Select...
inActions
column, selectForce Expiry
to revokeAPI Token
. -
API Certificate
: Select...
inActions
column, selectDelete
to revokeAPI Certificate
.
Note: All certificates follow x.509 standard.
vK8s KubeConfig Credential
: Select...
inActions
column, selectDelete
to revokevK8s KubeConfig Credential
.
Figure: API Token Force Expiry Option
Step 3: Complete revoke operation.
- In case of
API Token
, selectForce Expiry
in the confirmation window to cause API credential object expiry.
Figure: API Token Force Expiry Confirmation
Note: You can renew or delete an expired credential. Select
...
>Renew
against expired credential from the list of credentials to renew it. Set an expiry date, and selectRenew Credential
in the confirmation box. Select...
>Delete
against expired credential from the list of credentials to delete it. SelectDelete
in the confirmation box.
- In case of API certificates or vK8s KubeConfigs, select
Delete
in the confirmation window. This forces the expiry for the object and also deletes it from the F5 system.
Service Credentials
Service credentials can be created by administrator users, and these credentials have roles assigned to provide API access to F5XC services. While creating service credentials, roles can be specified and these roles are assigned to the created user called as ServiceUser
.
Generate API Certificate
Step 1: Open F5® Distributed Cloud Console > select Service Credentials.
-
Open
F5® Distributed Cloud Console
homepage, selectAdministration
box. -
Select
IAM
in left-menus > selectService Credentials
> select+ Add Service Credentials
.
- Select
+ Create service credentials
button.
Figure: Open Service Credentials
Step 2: Setup Credential type.
-
Enter
Name
inCredential Email
box to generate unique email name,name@volterracredentials.io
. -
Select
API Certificate
inCredential type
drop-down menu. -
Enter
Password
>Confirm Password
. -
Select
Expiry date
from calendar drop-down. -
Optionally: Select
Assign roles and namespaces
to open pop-up window.-
Select
Namespace
drop-down option.-
all application namespaces
-
shared
-
system
-
default
-
your custom namespace
, Example:aatw
-
-
Select
Make Admin
checkbox to grant the admin role. -
Select
Role
boxes to select a role from the displayed options.
Note: You can add more roles using the
+ Add another role
.- Select
Add roles
button.
-
Figure: Open Service Credentials
Step 3: Generate and download certificate.
Select Download
button to download the certificate in .p12
file format.
Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.
Generate Kubeconfig
Step 1: Start creating credentials in F5® Distributed Cloud Console.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Figure: Homepage
- Select
IAM
, selectService Credentials
> select+ Add Service Credentials
.
Figure: Credentials
Step 2: Setup Credential type.
-
Enter
Name
inCredential Email
box to generate unique email name,name@volterracredentials.io
. -
Select
vK8s KubeConfig
inCredential type
drop-down menu. -
Select
Site
in drop-down menu.
-
Select
Expiry date
from calendar drop-down. -
Optionally: Select
Assign roles and namespaces
to open pop-up window.-
Select
Namepace
drop-down option.-
all application namespaces
-
shared
-
system
-
default
-
your custom namespace
, Example:aatw
-
-
Select
Make Admin
checkbox to grant the admin role. -
Select
Role
boxes to select a role from the displayed options.
Note: You can add more roles using the
+ Add another role
.- Select
Add roles
button.
-
Step 3: Create and download vK8s KubeConfig.
Select Download
button.
Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.
Generate API Token
Step 1: Start credential creation in F5® Distributed Cloud Console.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Figure: Homepage
- Select
IAM
, selectService Credentials
> select+ Add Service Credentials
.
Figure: Credentials
Step 2: Setup Credential type.
-
Enter
Name
inCredential Email
box to generate unique email name,name@volterracredentials.io
. -
Select
API Token
inCredential type
drop-down menu. -
Select
Expiry date
from calendar drop-down. -
Optionally: Select
Assign roles and namespaces
to open pop-up window.-
Select
Namespace
drop-down option.-
all application namespaces
-
shared
-
system
-
default
-
your custom namespace
, Example:aatw
-
-
Select
Make Admin
checkbox to grant the admin role. -
Select
Role
boxes to select a role from the displayed options.
Note: You can add more roles using the
+ Assign Roles and Namespaces
.- Select
Assign roles
button.
-
Figure: Create Service API Token
Step 3: Generate and copy Credentials.
- Select
Generate
button to generate the service API token.
Figure: Create Service API Token
- Select
Copy
button to copy token.
Note: Ensure that you save the copied token for later use.
- Select
Done
button.
Figure: Copy Service API Token
Revoke Service Credentials
You can force credentials to be expired before the configured expiry time.
Step 1: Open Service Credentials in F5® Distributed Cloud Console.
- Open
F5® Distributed Cloud Console
homepage, selectAdministration
box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Visit [Homepage Customization] to adjust your homepage.
Figure: Homepage
- Select
IAM
> selectService Credentials
> select+ Add Service Credentials
.
Figure: Credentials
Step 2: Perform revoke operation for an existing service credential object.
-
API Token
: Select...
inActions
column, selectForce Expiry
to revokeAPI Token
. -
API Certificate
: Select...
inActions
column, selectDelete
to revokeAPI Certificate
. -
vK8s KubeConfig Credential
: Select...
inActions
column, selectDelete
to revokevK8s KubeConfig Credential
.
Figure: API Token Force Expiry Option
Step 3: Complete revoke operation.
- In case of
API Token
, selectForce Expiry
in the confirmation window to cause API credential object expiry.
Figure: API Token Force Expiry Confirmation
Note: You can renew or delete an expired credential. Select
...
>Renew
against expired credential from the list of credentials to renew it. Set an expiry date and selectRenew Credential
in the confirmation box. Select...
>Delete
against expired credential from the list of credentials to delete it. SelectDelete
in the confirmation box.
- In case of API certificates or vK8s KubeConfigs, select
Delete
in the confirmation window. This forces the expiry for the object and also deletes it from the F5® Distributed Cloud Console.