Configuring PKS API Access
Page last updated:
This topic describes how to configure access to the Pivotal Container Service (PKS) API. See PKS API Authentication for more information about how the PKS API and UAA interact with your PKS deployment.
Locate your Ops Manager root CA certificate.
- If Ops Manager generated your certificate, refer to the Retrieve the Ops Manager Root Certificate section of Managing Certificates with the Ops Manager API.
- If you provided your own certificate, copy and paste the certificate you entered in the PKS API pane into a file.
Target your UAA server by running the following command:
uaac target https\://PKS-API:8443 --ca-cert ROOT-CA-FILENAME
PKS-APIis the fully qualified domain name (FQDN) you use to access the PKS API. You configured this URL in the PKS API section of Installing PKS for your IaaS. For example, see Installing PKS on vSphere.
ROOT-CA-FILENAMEis the path for the certificate file you downloaded in a previous step. For example:
$ uaac target api.pks.example.com:8443 --ca-cert my-cert.certIncluding
https://in the PKS API URL is optional.
To request a token from the UAA server run the following command:
uaac token client get admin -s UAA-ADMIN-SECRET`
UAA-ADMIN-SECRETis your UAA admin secret. Refer to Ops Manager > Pivotal Container Service > Credentials > Pks Uaa Management Admin Client to retrieve your UAA admin secret.
Grant cluster access to new or existing users with UAA. For more information on granting cluster access to users or creating users, see the Grant PKS Access to a User section of Managing Users in PKS with UAA.
For information about logging in to the PKS CLI as a user, see Logging in to PKS.
Note: If you are creating a test environment, you can log in to the PKS CLI without creating a PKS CLI-specific user account. Instead, you can use the existing Admin account and its UAA password to log in to the PKS CLI. Refer to Ops Manager > Pivotal Container Service > Credentials > Uaa Admin Password to retrieve your UAA Admin password and then follow the log in steps in Logging in to PKS.
On the command line, run the following command to log in to the PKS CLI as an automated client for a script or service:
pks login -a PKS-API --client-name CLIENT-NAME --client-secret CLIENT-SECRET --ca-cert CERTIFICATE-PATH
PKS-APIis the domain name for the PKS API that you entered in Ops Manager > Pivotal Container Service > PKS API > API Hostname (FQDN). For example,
CLIENT-NAMEis your OAuth client ID.
CLIENT-SECRETis your OAuth client secret.
CERTIFICATE-PATHis the path to your root CA certificate. Provide the certificate to validate the PKS API certificate with SSL.
$ pks login -a api.pks.example.com \ --client-name automated-client \ --client-secret randomly-generated-secret \ --ca-cert /var/tempest/workspaces/default/root_ca_certificate
Please send any feedback you have to firstname.lastname@example.org.