CloudTruth Documentation

Copyright© 2023 CloudTruth

API Tokens

Programmatic REST API access to your configuration data.

Last updated 1 year ago

A CloudTruth API Token can be used with the CloudTruth CLI and for authorization directly with the REST API. When you create an API Token, we create a Service Account automatically. This is a non-interactive User, but for purposes of access control it behaves just like a regular User. All actions performed with the API Token are entered into the Audit Log under this Service Account.

Creating a Service Account and generating a token:

Only Contributor and higher roles can create Service Accounts and generate tokens. Service Account role selection is based on the role of the user creating the Service Account, i.e. a Contributor can only create a Service Account with the Contributor role or a lower-privilege role. See Role Permissions for more details.

  1. From the left-hand navigation locate Admin -> API Tokens.

  2. Click + Create Token to open the CREATE NEW API TOKEN modal:

     • TOKEN NAME - Typically the name of the service the Service Account's token will be used for

     • DESCRIPTION - Optionally, describe the token's usage

     • OWNER - Typically the User who created the Service Account or is actively using the token in their environment. Used mainly for auditing purposes. Admins and Owners can view and manage all tokens regardless of ownership.

     • TOKEN PERMISSIONS - Set the Role the Service Account will have across the organization

  3. Click Generate Token to create the new Service Account and generate the ACCESS TOKEN. The Service Account along with the exposed and copyable token are now in the tokens list.

The ability to copy the new token string is only available immediately after creating or generating a new token for the Service Account. Once the page has been navigated away from or refreshed, the token will no longer be visible or obtainable.

Managing Service Accounts (API Tokens)

Manage API Token

  1. Select Manage API Token from the menu to open the EDIT API TOKEN modal.

  2. Here you can modify the Description, change Owner, and modify the Role.

  3. Click Update to save the changes.

Regenerate API Token

  1. Select Regenerate API Token from the menu to open the REGENERATE TOKEN modal:

  • Here we have two options:

    • Regenerate and immediately expire the previous token

    • Regenerate and set an expiration date and time for the previous token to expire

Regenerate and expire immediately

Clicking Regenerate will close the modal and display the new token as we did during Service Account creation.

Regenerate and expire in the future

If expiring the token at a later date and time is desired, as in cases where updating critical processes to use the new token may take some time, we can leave the previous token active by checking the box and entering a date and time:

  2. After deciding which option is best, click the Regenerate button to create a new token for the Service Account. The token string will be displayed as before during Service Account creation.
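One way to check, before the previous token's expiration date and time arrives, that every process has moved to the regenerated token. This is an added example, not CloudTruth code; the consumer inventory, the practice of recording SHA-256 fingerprints instead of tokens, and every name and token string below are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def fingerprint(token: str) -> str:
    """SHA-256 of a token, so the inventory never stores the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def rotation_status(consumers, old_fp, new_fp, old_expires_at, now,
                    warn=timedelta(hours=24)):
    """Classify every consumer of one Service Account during the overlap.

    consumers maps a consumer name to the fingerprint of the token it holds.
    """
    remaining = old_expires_at - now
    status = {}
    for name, fp in consumers.items():
        if hmac.compare_digest(fp, new_fp):
            status[name] = "migrated"
        elif not hmac.compare_digest(fp, old_fp):
            status[name] = "unknown"    # neither token: stale inventory entry
        elif remaining <= timedelta(0):
            status[name] = "broken"     # previous token has already expired
        elif remaining <= warn:
            status[name] = "at-risk"    # expires within the warning window
        else:
            status[name] = "pending"    # still works, not yet migrated
    return status


# Constructed sample data: placeholder strings, not real CloudTruth tokens.
OLD_FP = fingerprint("constructed-previous-token")
NEW_FP = fingerprint("constructed-regenerated-token")
OLD_EXPIRES_AT = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
CONSUMERS = {
    "ci-pipeline": NEW_FP,
    "nightly-export": OLD_FP,
    "legacy-cron": fingerprint("constructed-unrelated-token"),
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    report = rotation_status(CONSUMERS, OLD_FP, NEW_FP, OLD_EXPIRES_AT, now)
    for name, state in sorted(report.items()):
        print(f"{name:15} {state}")
```

Any consumer reported as "pending" or "at-risk" still depends on the previous token and needs updating before the expiration entered in the REGENERATE TOKEN modal.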

Deleting a Service Account

  1. Selecting Delete API Token from the menu will prompt for confirmation.

  2. Click Yes, delete to delete the Service Account along with any associated token(s).

This will immediately prevent access to CloudTruth via the Service Account's associated token(s) and is irreversible! Take care when deleting Service Accounts and make sure their tokens are no longer in use.

Service Account role assignments are organization-wide and treated the same as a User Account following the defined organization role permissions.

Service Accounts, for all intents and purposes, are treated the same as User Accounts without the ability to log in interactively. We provide easy mechanisms to update the Service Account's role, regenerate a token, or delete the Service Account. These options are found in the selection menu to the right of the token:
