PKS API Authentication
Page last updated:
This topic describes how the Pivotal Container Service (PKS) API works with User Account and Authentication (UAA) to manage authentication and authorization in your PKS deployment.
Before users can log in and use the PKS CLI, you must configure PKS API access with UAA. You use the UAA Command Line Interface (UAAC) to target the UAA server and request an access token for the UAA admin user. If your request is successful, the UAA server returns the access token. The UAA admin access token authorizes you to make requests to the PKS API using the PKS CLI and grant cluster access to new or existing users.
When a user with cluster access logs in to the PKS CLI, the CLI requests an access token for the user from the UAA server.
If the request is successful, the UAA server returns an access token to the PKS CLI.
When the user runs PKS CLI commands, for example,
pks clusters, the CLI sends the request to the PKS API server and includes the user’s UAA token.
The PKS API sends a request to the UAA server to validate the user’s token.
If the UAA server confirms that the token is valid, the PKS API uses the cluster information from the PKS broker to respond to the request.
For example, if the user runs
pks clusters, the CLI returns a list of the clusters that the user is authorized to manage.
The PKS API server and the UAA server use different port numbers on the control plane VM.
For example, if your PKS API domain is
api.pks.example.com, you can reach your PKS API and UAA servers at the following URLs:
Refer to Ops Manager > Pivotal Container Service > UAA > UAA URL for your PKS API domain.
When you install the PKS tile, you configure a load balancer for the PKS API. This load balancer allows you to run PKS CLI commands from your local workstation. For more information, see the Configure External Load Balancer section of Installing and Configuring PKS.
Please send any feedback you have to firstname.lastname@example.org.