Service Tokens

Control secret access in live environments

A Service Token authenticates the Onboardbase CLI without going through the onboardbase login command.

Requirements

  • Onboardbase CLI
  • Admin access to an Organization.

Create a service token from the application

  • Log in to your Onboardbase account as an admin
  • Click the profile icon in the navbar
  • Scroll to the Service Token section
  • Click the Generate token button
  • Enter the name of the service
  • Click on Generate to finalize

Service Token Usage

Option 1: Persisted usage

This sets the service token as the machine's authentication, so the token remains available across restarts.

This is useful in server and VM environments, where it avoids re-authenticating the CLI on every restart.

# Prevent configure command being leaked in bash history
export HISTIGNORE='onboardbase*'


# Scope to location of application directory
onboardbase config:set --token "Service.****.****.*****" --scope /usr/src/app


# Supply secrets to your application
cd /usr/src/app
onboardbase run -c "env"

If the service has been deleted, the machine will stop being authenticated, and a new service token has to be applied.

Option 2: The ONBOARDBASE_TOKEN environment variable

It is also possible to apply a service token once, without persisting it, which is mostly useful in CI jobs and other one-time run environments.

# Prevent command with Service Token being recorded in bash history
export HISTIGNORE="export ONBOARDBASE_TOKEN*"


export ONBOARDBASE_TOKEN="Service.****.****.*****"
onboardbase run -c "env"

# Prevent command with Service Token being recorded in bash history
export HISTIGNORE='docker*'


docker container run -e ONBOARDBASE_TOKEN="Service.****.****.*****" app-name
onboardbase build -c "env"

# Prevent command with Service Token being recorded in bash history
export HISTIGNORE='export ONBOARDBASE_TOKEN*'


export ONBOARDBASE_TOKEN="Service.****.****.*****"
docker-compose up

# Prevent command with Service Token being recorded in bash history
export HISTIGNORE='kubectl create secret*'


# Create Kubernetes secret containing the Service Token
kubectl create secret generic onboardbase-token --from-literal=ONBOARDBASE_TOKEN="Service.****.****.*****"

# Inject ONBOARDBASE_TOKEN into your Kubernetes deployment:

apiVersion: apps/v1
kind: Deployment
...
    spec:
      containers:
        - name: app-name 
          envFrom:
            - secretRef:
                name: onboardbase-token
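
A check of what the HISTIGNORE lines above actually cover, as an added example that is not part of the Onboardbase documentation: bash requires each HISTIGNORE pattern to match the whole command line from its first character, and every `export HISTIGNORE=` replaces the previous value. The function names and sample commands are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: emulate bash's HISTIGNORE matching to see which token-bearing
# commands would still be written to history. Each pattern must match the
# whole command line from its first character (no implicit trailing "*").
# The special "&" pattern (previous history line) is not handled here.

# histignore_matches PATTERNS CMD -> 0 if CMD would be kept out of history.
histignore_matches() (
    set -f          # keep the shell from glob-expanding patterns while splitting
    IFS=:           # HISTIGNORE is a colon-separated list
    for pattern in $1; do
        case $2 in
            $pattern) exit 0 ;;   # unquoted: a glob that must match all of CMD
        esac
    done
    exit 1
)

# carries_token CMD -> 0 if CMD sets the token the way this page's commands do.
carries_token() {
    case $1 in
        *ONBOARDBASE_TOKEN=*|*"--token "*) return 0 ;;
    esac
    return 1
}

# recorded_token_commands PATTERNS < commands
# Prints every token-bearing command that HISTIGNORE=PATTERNS would NOT suppress.
recorded_token_commands() {
    while IFS= read -r cmd; do
        carries_token "$cmd" || continue
        histignore_matches "$1" "$cmd" || printf '%s\n' "$cmd"
    done
}

# Constructed sample input, using the page's masked token placeholder.
SAMPLE_COMMANDS='onboardbase config:set --token "Service.****.****.*****" --scope /usr/src/app
sudo onboardbase config:set --token "Service.****.****.*****" --scope /usr/src/app
export ONBOARDBASE_TOKEN="Service.****.****.*****"
ONBOARDBASE_TOKEN="Service.****.****.*****" onboardbase run -c "env"
docker container run -e ONBOARDBASE_TOKEN="Service.****.****.*****" app-name'

# Every pattern the page uses, joined into one value so none overwrites another.
PAGE_PATTERNS='onboardbase*:export ONBOARDBASE_TOKEN*:docker*:kubectl create secret*'

echo "Still recorded with HISTIGNORE='docker*' alone:"
printf '%s\n' "$SAMPLE_COMMANDS" | recorded_token_commands 'docker*'
echo "Still recorded with all of the page's patterns combined:"
printf '%s\n' "$SAMPLE_COMMANDS" | recorded_token_commands "$PAGE_PATTERNS"
```

Commands that prefix the token-bearing call (for example with `sudo` or an inline `ONBOARDBASE_TOKEN=...` assignment) are not covered by the page's patterns and need their own entries in the colon-separated list.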

Unauthenticated Service Token

Deleting a Service Token unauthenticates any server/service that uses the token, and this process is non-reversible.

To revoke a token, go to the organization setting page, click the more options icon, then select the Delete item.

Note: Because secrets are securely cached on the host machine, deleting a service token only prevents the service/machine from receiving new secret updates.

You can learn more about when to use Service tokens or Device tokens here.