Managing tokens

Use the DevOps API to generate or revoke an application token for specific roles.

You can use the DevOps API to perform the actions which are available to you through your role permissions.

The following roles can use the application token to use the DevOps api-reference:

  • Organization Administrator

  • Database Administrator

Prerequisites

  1. Create an application token to authenticate your service account in the DevOps API.

  2. Once you have authenticated your service account, you can create and revoke tokens the DevOps API.

Alternative token management option

As an alternative to the DevOps API, consider using the Astra DB Plugin for HashiCorp Vault, for dynamic token management via vault commands. See the plugin’s documentation on our GitHub site.

Specifically, you can:

  • Define a default lease time

  • Create new tokens with lease settings

  • List tokens by each one’s Client ID

  • View lease details

  • List all leases

  • Renew a lease

  • Revoke a token/lease before the lease expires

  • Delete a token

Generating a token for client

  1. Get all clients within the organization:

    • cURL command (/v2)

    • Result

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'
    {"clients":[
    	{"clientId":"DkFtHKMhDQDuQtlExkSzwbya",
    		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
    		"generatedOn":"2021-02-22T17:09:58.668Z"},
    	{"clientId":"eYSboCJaESiblJZnKZWMxROv",
    		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
    		"generatedOn":"2021-04-28T18:49:11.323Z"}
    ]}
  2. Create an application token for a specific client:

    • cURL command (/v2)

    • Result

    curl --request POST \
     --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>' \
     --data '{"roles": ["<roleId>"]}'
    {
      "clientId":"zjCEYwRGWocLfQJHBNQxvorr",
      "secret":"SLR.cllL1YzfJDnl+YhUv5DMKlx8HaeMFTKjIJ4I6YdKB7w-K7U_+j-a9daWbbcp0uugXW,hb.3J2S0PPqDNhT6+oUiPYYaI+,xuwm2O97.ZpHcYvCsnlrTyl8w1pH-0",
      "orgId":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
      "roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
      "token":"AstraCS:zjCEYwRGWocLfQJHBNQxvorr:8709074baaf63e746cc5de52891e3a5ca88c73ae1fb7336652e9b59b9e69eff2",
      "generatedOn":"2021-04-30T19:38:26.147847107Z"
    }

For the roleId, provide the relevant role’s id UUID value from a prior GET query, as shown in Getting existing roles in your organization. The API results will show the UUID for each role id.

Also refer to Generate token for client in the DevOps API.

Removing a token

When you remove a token, all users and roles assigned to that role will no longer have access.

  1. Get a list of the available client IDs and secrets for your organization:

    • cURL command (/v2)

    • Result

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'
    {"clients":[
    	{"clientId":"DkFtHKMhDQDuQtlExkSzwbya",
    		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
    		"generatedOn":"2021-02-22T17:09:58.668Z"},
    	{"clientId":"eYSboCJaESiblJZnKZWMxROv",
    		"roles":["21ef3576-0197-415a-b167-d510af12ecf0"],
    		"generatedOn":"2021-04-28T18:49:11.323Z"}
    ]}
  2. Remove a token for a specific client ID:

    curl --request DELETE \
     --url 'https://api.astra.datastax.com/v2/clientIdSecrets/<clientID>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'
  3. Get a list of the available client IDs and secrets for your organization to confirm it was removed:

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/clientIdSecrets' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

For more, see Revoke a token in the DevOps API.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com