Service Tokens
Control secret access in live environments
A Service Token lets the Onboardbase CLI authenticate without going through the onboardbase login command.
Requirements
- Onboardbase CLI
- Admin access to an Organization.
Create service token from the application
- Log in to your Onboardbase account as an admin
- Click the profile icon in the navbar
- Scroll to the Service Token section
- Click the Generate token button
- Enter the name of the service
- Click on Generate to finalize
Service Token Usage
Option 1: Persisted usage
This directly sets the authentication for the machine as the new service token, making sure that the token is available on restarts.
This use case is useful in server and VM environments to prevent re-authenticating the CLI on every restart.
# Prevent configure command being leaked in bash history
export HISTIGNORE='onboardbase*'
# Scope to location of application directory
onboardbase config:set --token "Service.****.****.*****" --scope /usr/src/app
# Supply secrets to your application
cd /usr/src/app
onboardbase run -c "env"
If the service has been deleted, the machine will stop being authenticated, and a new service token has to be applied.
Option 2: The ONBOARDBASE_TOKEN environment variable
It is also possible to apply a service token once, without persisting it, which is mostly useful in CI jobs and other one-time run environments.
# Prevent command with Service Token being recorded in bash history
export HISTIGNORE="export ONBOARDBASE_TOKEN*"
export ONBOARDBASE_TOKEN="Service.****.****.*****"
onboardbase run -c "env"
# Prevent command with Service Token being recorded in bash history
export HISTIGNORE='docker*'
docker container run -e ONBOARDBASE_TOKEN="Service.****.****.*****" app-name
onboardbase build -c "env"
# Prevent command with Service Token being recorded in bash history
export HISTIGNORE='export ONBOARDBASE_TOKEN*'
export ONBOARDBASE_TOKEN="Service.****.****.*****"
docker-compose up
# Prevent command with Service Token being recorded in bash history
export HISTIGNORE='kubectl create secret*'
# Create Kubernetes secret containing the Service Token
kubectl create secret generic onboardbase-token --from-literal=ONBOARDBASE_TOKEN="Service.****.****.*****"
# Inject the Service Token into your Kubernetes deployment:
apiVersion: apps/v1
kind: Deployment
...
    spec:
      containers:
        - name: app-name
          envFrom:
            - secretRef:
                name: onboardbase-token
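The following added example (not from the Onboardbase documentation) applies Option 2 without the token ever being typed on a command line: it reads the token from an owner-only file and sets ONBOARDBASE_TOKEN for a single child process. The function names and the token file path are hypothetical, and the "Service." prefix check assumes the format of the masked samples above.

```shell
#!/usr/bin/env bash
# Added example, not Onboardbase code. Function names and the token-file
# convention are hypothetical; only ONBOARDBASE_TOKEN comes from the docs above.

# Read a Service Token from a private file and validate it before use.
# Prints the token on stdout; returns non-zero with a message on stderr.
read_service_token() {
  local file="$1" mode token
  [ -f "$file" ] || { echo "token file not found: $file" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 1
  case "$mode" in
    *00) ;;  # no group/other permission bits, e.g. 600 or 400
    *) echo "refusing $file: mode $mode is open to group/others" >&2
       return 1 ;;
  esac
  IFS= read -r token < "$file" || true   # tolerate a missing final newline
  # Assumption: tokens start with "Service." as in the masked samples above.
  case "$token" in
    Service.?*) printf '%s' "$token" ;;
    *) echo "refusing $file: content does not look like a Service Token" >&2
       return 1 ;;
  esac
}

# Run a command with ONBOARDBASE_TOKEN set for that child process only.
# The token stays out of argv and shell history and is never exported
# in the calling shell.
with_service_token() {
  local file="$1" token
  shift
  token=$(read_service_token "$file") || return 1
  ONBOARDBASE_TOKEN="$token" "$@"
}

# Usage (hypothetical path, not executed here):
#   with_service_token /run/secrets/onboardbase onboardbase run -c "env"
#   with_service_token /run/secrets/onboardbase \
#     docker container run -e ONBOARDBASE_TOKEN app-name
# "-e NAME" without "=value" makes docker copy the variable from its own
# environment, so the token is not part of the docker command line.
```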
Unauthenticated Service Token
Deleting a Service Token unauthenticates any server/service that uses the token, and this process is non-reversible.
To revoke a token, go to the organization setting page, click on the more options icon, then the Delete item.
Because secrets are securely cached on the host machine, deleting a service token only prevents the service/machine from receiving new secret updates.
You can learn more about when to use Service tokens or Device tokens here.