Pivotal Container Service v1.1

Configure PKS API Access


This topic describes how to configure access to the Pivotal Container Service (PKS) API. See PKS API Authentication for more information about how the PKS API and UAA interact with your PKS deployment.

Configure Access to the PKS API

  1. Locate your Ops Manager root CA certificate.

    • If Ops Manager generated your certificate, refer to the Retrieve the Root CA Certificate section of Managing Non-Configurable TLS/SSL Certificates.
    • If you provided your own certificate, copy and paste the certificate you entered in the PKS API pane into a file.
  2. Target your UAA server by running the following command:

    uaac target https://PKS-API:8443 --ca-cert ROOT-CA-FILENAME

    Replace the following values:

    • PKS-API: enter the fully qualified domain name (FQDN) you use to access the PKS API. You configured this URL in the PKS API section of Installing and Configuring PKS.
    • ROOT-CA-FILENAME: enter the path for the certificate file you downloaded in a previous step. For example:
      $ uaac target --ca-cert my-cert.cert
      Including https:// in the PKS API URL is optional.
  3. Run uaac token client get admin -s UAA-ADMIN-SECRET to request a token from the UAA server. Replace UAA-ADMIN-SECRET with your UAA admin secret. Refer to Ops Manager > Pivotal Container Service > Credentials > Pks Uaa Management Admin Client to retrieve this value.

  4. Grant cluster access to new or existing users with UAA. For more information on granting cluster access to users or creating users, see the Grant Cluster Access to a User section of Managing Users in UAA.

Log in to the PKS CLI

For information on logging into the PKS CLI, see the Log in to PKS CLI section of Installing the PKS CLI.

Log in to PKS as a Client

Use the command in this section to log in as an automated client for a script or service.

On the command line, run the following command to log in to the PKS CLI. The -k flag skips SSL validation of the PKS API certificate.

pks login -a PKS-API --client-name CLIENT-NAME --client-secret CLIENT-SECRET -k

Replace the placeholder values in the command as follows:

  • PKS-API is the domain name for the PKS API that you entered in Ops Manager > Pivotal Container Service > PKS API > API Hostname (FQDN). For example,

  • CLIENT-NAME is your OAuth client ID.

  • CLIENT-SECRET is your OAuth client secret.

For example:

$ pks login -a \
--client-name automated-client \
--client-secret randomly-generated-secret -k
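
The client login above with certificate validation kept on, as an added example that is not part of the original page or the PKS project: it passes the root CA file from step 1 of Configure Access to the PKS API through the pks login --ca-cert flag instead of -k. The environment variable names and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: automated-client login that verifies the PKS API certificate.
# PKS_API, PKS_CLIENT_NAME, PKS_CLIENT_SECRET and PKS_CA_CERT are variable
# names chosen for this example; the pks CLI does not read them itself.

# Strip an optional https:// prefix and trailing slash, then accept only a
# bare FQDN. Any other scheme, path, or port is rejected.
normalize_api() {
    host=${1#https://}
    host=${host%/}
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Succeed only if the file is readable and holds a PEM certificate block.
check_ca_file() {
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Log in as an OAuth client, passing the root CA file instead of -k.
# Returns 2 for missing or malformed settings, 3 for an unusable CA file.
pks_client_login() {
    api=$(normalize_api "${PKS_API:-}") || { echo "bad PKS_API" >&2; return 2; }
    [ -n "${PKS_CLIENT_NAME:-}" ] && [ -n "${PKS_CLIENT_SECRET:-}" ] ||
        { echo "client name or secret not set" >&2; return 2; }
    check_ca_file "${PKS_CA_CERT:-}" ||
        { echo "PKS_CA_CERT is not a readable PEM certificate" >&2; return 3; }
    pks login -a "$api" --client-name "$PKS_CLIENT_NAME" \
        --client-secret "$PKS_CLIENT_SECRET" --ca-cert "$PKS_CA_CERT"
}
```

Source the file and call pks_client_login after setting the four variables. The client secret still appears in the argument list of the pks process while it runs, so use a host where other users cannot read process arguments.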
