Skip to main content
Version: v2.6

API Tokens

By default, some cluster-level API tokens are generated with infinite time-to-live (ttl=0). In other words, API tokens with ttl=0 never expire unless you invalidate them. Tokens are not invalidated by changing a password.

You can deactivate API tokens by deleting them or by deactivating the user account.

Deleting tokens

To delete a token,

  1. Go to the list of all tokens in the Rancher API view at https://<Rancher-Server-IP>/v3/tokens.

  2. Access the token you want to delete by its ID. For example, https://<Rancher-Server-IP>/v3/tokens/kubectl-shell-user-vqkqt

  3. Click Delete.

Here is the complete list of tokens that are generated with ttl=0:

TokenDescription
kubeconfig-*Kubeconfig token
kubectl-shell-*Access to kubectl shell in the browser
agent-*Token for agent deployment
compose-token-*Token for compose
helm-token-*Token for Helm chart deployment
*-pipeline*Pipeline token for project
telemetry-*Telemetry token
drain-node-*Token for drain (we use kubectl for drain because there is no native Kubernetes API)

Setting TTL on Kubeconfig Tokens

Admins can set a global time-to-live (TTL) on Kubeconfig tokens. Changing the default kubeconfig TTL can be done by navigating to global settings and setting kubeconfig-default-token-ttl-minutes to the desired duration in minutes. The default value of kubeconfig-default-token-ttl-minutes is 0, which means tokens never expire.

note

This setting is used by all kubeconfig tokens except those created by the CLI to generate kubeconfig tokens.

Disable Tokens in Generated Kubeconfigs

  1. Set the kubeconfig-generate-token setting to false. This setting instructs Rancher to no longer automatically generate a token when a user clicks on download a kubeconfig file. Once this setting is deactivated, a generated kubeconfig will reference the Rancher CLI to retrieve a short-lived token for the cluster. When this kubeconfig is used in a client, such as kubectl, the Rancher CLI needs to be installed to complete the log in request.

  2. Set the kubeconfig-token-ttl-minutes setting to the desired duration in minutes. By default, kubeconfig-token-ttl-minutes is 960 (16 hours).

Token Hashing

Users can enable token hashing, where tokens will undergo a one-way hash using the SHA256 algorithm. This is a non-reversible process, once enabled, this feature cannot be disabled. It is advisable to take backups prior to enabling and/or evaluating in a test environment first.

To enable token hashing, refer to this section.

This feature will affect all tokens which include, but are not limited to, the following:

  • Kubeconfig tokens
  • Bearer tokens API keys/calls
  • Tokens used by internal operations

Token Settings

These global settings affect Rancher token behavior.

SettingDescription
auth-user-session-ttl-minutesTTL in minutes on a user auth session token.
kubeconfig-default-token-TTL-minutesDefault TTL applied to all kubeconfig tokens except those generated by Rancher CLI. Introduced in version 2.6.6.
kubeconfig-token-ttl-minutesTTL used for tokens generated via the CLI. Deprecated since version 2.6.6, and will be removed in 2.8.0. This setting will be removed, and kubeconfig-default-token-TTL-minutes will be used for all kubeconfig tokens.
auth-token-max-ttl-minutesMax TTL for all tokens except those controlled by auth-user-session-ttl-minutes.
kubeconfig-generate-tokenIf true, automatically generate tokens when a user downloads a kubeconfig.

auth-user-session-ttl-minutes

Time to live (TTL) duration in minutes used to determine when a user auth session token expires. When expired, the user will be required to log in and obtain a new token. This setting is not affected by auth-token-max-ttl-minutes. Session tokens are created when a user logs into Rancher.

kubeconfig-default-token-TTL-minutes

Time to live (TTL) duration in minutes used to determine when a kubeconfig token expires. When the token is expired, the API will reject the token. This setting can not be larger than auth-token-max-ttl-minutes. This setting applies to a token generated in a requested kubeconfig file. Except those generated by Rancher CLI. Introduced in version 2.6.6.

kubeconfig-token-ttl-minutes

Time to live (TTL) duration in minutes used to determine when a kubeconfig token that was generated by the CLI expires. Tokens are generated by the CLI when kubeconfig-generate-token is false. When the token is expired, the API will reject the token. This setting can not be larger than auth-token-max-ttl-minutes. Deprecated since version 2.6.6, and will be removed in 2.8.0: This setting will be replaced with the value of kubeconfig-default-token-TTL-minutes.

auth-token-max-ttl-minutes

Maximum Time to Live (TTL) in minutes allowed for auth tokens. If a user attempts to create a token with a TTL greater than auth-token-max-ttl-minutes, Rancher will set the token TTL to the value of auth-token-max-ttl-minutes. Auth tokens are tokens created for authenticating API requests. Changed in version 2.6.6: Applies to all kubeconfig tokens and api tokens.

kubeconfig-generate-token

When true, kubeconfigs requested through the UI will contain a valid token. When false, the kubeconfig will contain a command that uses the Rancher CLI to prompt the user to log in. The CLI then will retrieve and cache a token for the user.