By default, some cluster-level API tokens are generated with infinite time-to-live (ttl=0). In other words, API tokens with ttl=0 never expire unless you invalidate them. Tokens are not invalidated by changing a password.
You can deactivate API tokens by deleting them or by deactivating the user account.
To delete a token:
Go to the list of all tokens in the Rancher API view at
Access the token you want to delete by its ID. For example,
Here is the complete list of tokens that are generated with
|Access to |
|Token for agent deployment|
|Token for compose|
|Token for Helm chart deployment|
|Pipeline token for project|
|Token for drain (we use |
Setting TTL on Kubeconfig Tokens
Available as of v2.4.6
Starting with Rancher v2.4.6, admins can set a global TTL on kubeconfig tokens. Once the token expires, the kubectl command will require the user to authenticate to Rancher.
Existing kubeconfig tokens won't be updated with the new TTL. Admins can delete old kubeconfig tokens.
Disable the kubeconfig-generate-token setting in the Rancher API view at
https://<Rancher-Server-IP>/v3/settings/kubeconfig-generate-token. This setting instructs Rancher to no longer automatically generate a token when a user clicks to download a kubeconfig file. The kubeconfig file will now provide a command to log in to Rancher.
Edit the setting and set the value to
Go to the kubeconfig-token-ttl-minutes setting in the Rancher API view at
https://<Rancher-Server-IP>/v3/settings/kubeconfig-token-ttl-minutes. By default, kubeconfig-token-ttl-minutes is 960 (16 hours).
Edit the setting and set the value to the desired duration in minutes. Note: This value cannot exceed the max TTL of API tokens (https://<Rancher-Server-IP>/v3/settings/auth-token-max-ttl-minutes). In Rancher v2.4.6, auth-token-max-ttl-minutes is set to 1440 (24 hours) by default. Starting with Rancher v2.4.7, auth-token-max-ttl-minutes defaults to 0, allowing tokens to never expire, similar to v2.4.5.
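
An added example (not from the Rancher documentation) of auditing for the two conditions described on this page: tokens with ttl=0, and a kubeconfig token TTL above the API token maximum. It runs on constructed sample data; the JSON field names (data, id, userId, description, ttl) and the function names are assumptions, not confirmed API details.

```python
import json

# Constructed sample of a token collection as saved from the Rancher API view.
# The "data", "id", "userId", "description" and "ttl" field names are assumptions.
SAMPLE_TOKENS = json.loads("""
{"data": [
  {"id": "token-aaaaa", "userId": "user-11111", "description": "constructed: agent", "ttl": 0},
  {"id": "token-bbbbb", "userId": "user-22222", "description": "constructed: kubeconfig", "ttl": 57600000},
  {"id": "token-ccccc", "userId": "user-11111", "description": "constructed: no ttl field"}
]}
""")

# Constructed settings, using the default values the page gives for v2.4.6.
SAMPLE_SETTINGS = {"kubeconfig-token-ttl-minutes": "960",
                   "auth-token-max-ttl-minutes": "1440"}


def non_expiring_tokens(collection):
    """Return (id, userId, description) for every token whose ttl is 0."""
    findings = []
    for tok in collection.get("data", []):
        # A missing ttl is treated like 0 so the token is reviewed, not skipped.
        if int(tok.get("ttl") or 0) == 0:
            findings.append((tok.get("id"), tok.get("userId"), tok.get("description", "")))
    return findings


def check_kubeconfig_ttl(settings):
    """Return a list of problems with the kubeconfig TTL settings."""
    problems = []
    ttl = int(settings["kubeconfig-token-ttl-minutes"])
    max_ttl = int(settings["auth-token-max-ttl-minutes"])
    if max_ttl == 0:
        # 0 is the v2.4.5 / v2.4.7+ default: API tokens are allowed to never expire.
        problems.append("auth-token-max-ttl-minutes is 0: API tokens may never expire")
    elif ttl > max_ttl:
        problems.append(f"kubeconfig-token-ttl-minutes ({ttl}) exceeds "
                        f"auth-token-max-ttl-minutes ({max_ttl})")
    return problems


if __name__ == "__main__":
    for tid, user, desc in non_expiring_tokens(SAMPLE_TOKENS):
        print(f"never expires: {tid} user={user} ({desc})")
    for problem in check_kubeconfig_ttl(SAMPLE_SETTINGS):
        print("settings:", problem)
```

Tokens reported by non_expiring_tokens are the candidates for deletion described at the top of this page.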