Logging in to Enterprise PKS

Page last updated:

Warning: Pivotal Container Service (PKS) v1.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy.
To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to log in to Enterprise Pivotal Container Service (Enterprise PKS).


To manage Enterprise PKS-deployed clusters, you use the PKS Command Line Interface (PKS CLI). When you log in to Enterprise PKS successfully for the first time, the PKS CLI generates a local creds.yml file that contains the API endpoint, refresh token, access token, and CA certificate, if applicable.

By default, creds.yml is saved in the ~/.pks directory on your local system. You can use the PKS_HOME environment variable to override this location and store creds.yml in any directory on your system.


Before you can log in to Enterprise PKS, you must have the following:

  • A running Enterprise PKS environment. See the Installing Enterprise PKS section for your cloud provider.
  • The PKS CLI installed on your local system. See Installing the PKS CLI.
  • A username and password that has access to the PKS API. See Configuring PKS API Access.

Log in to the PKS CLI

Use the command in this section to log in as an individual user. The login procedure is the same for users created in UAA or users from external LDAP groups.

On the command line, run the following command in your terminal to log in to the PKS CLI:

pks login -a PKS-API -u USERNAME -p PASSWORD --ca-cert CERT-PATH

Replace the placeholder values in the command as follows:

  • PKS-API is the domain name for the PKS API that you entered in Ops Manager > Enterprise PKS > PKS API > API Hostname (FQDN). For example, api.pks.example.com.

  • USERNAME and PASSWORD belong to the account you created in the Grant Enterprise PKS Access to a User section of Managing Users in Enterprise PKS with UAA. If you do not use -p to provide a password, the PKS CLI prompts for the password interactively. Pivotal recommends running the login command without the -p flag for added security.

  • CERT-PATH is the path to your root CA certificate. Provide the certificate to validate the PKS API certificate with SSL.

    For example:

    $ pks login -a api.pks.example.com -u alana \
    --ca-cert /var/tempest/workspaces/default/root_ca_certificate

    If you are logging in to a trusted environment, you can use -k to skip SSL verification instead of --ca-cert CERT-PATH.

    For example:

    $ pks login -a api.pks.example.com -u alana -k

Please send any feedback you have to pks-feedback@pivotal.io.