API key for all environments?

Is it possible to create an API key that has access to all the environments?

We are creating an app that updates external DNS entries based on rancher load balancers. Our current plan was to provide a key per environment and then have the app cycle through them.

It is not exposed through the UI, but yes:

Go to the User menu -> API & Keys, click the endpoint. That brings up the API, authenticating with a token as your user (with access to all environments too). Navigate up to /v1/apikeys, click Create. Make sure the type says apiKey, add a name and such if you want, and show/send request. Copy the public and secret values.

That API key will have access to anything your user does. The URL structure will be a little different: you can list the environments at /v1/projects, and all the stuff you normally see at e.g. /v1/containers is now underneath there at /v1/projects/:id/containers (technically this URL works with a normal key too, there is just always only one project/environment to see instead of many).

If you haven’t run into this yet, UI “environment” == API “project” and UI “stack” == API “environment”. We will eventually do a round of cleanup on the API and make it match the UI terms, after they’ve had long enough to stick that we’re confident they won’t change again :smile:


I don’t think the /v1/subscribe?eventNames=resource.change WebSocket works with this kind of key to give you change events for all the projects/environments. You can try it but may end up having to poll for changes to balancers, or open a WebSocket per-project by adding &projectId=.

Thanks! I’ll give this a shot. We are currently planning on polling :).

Just been pointed towards this post, might be quite useful for our implementation.
Quick question, is this global API key supported by the rancher labels that can be used within compose files?

What do you mean by “supported by rancher labels”?

Apologies, should have listed it. I meant using the label io.rancher.container.agent.role. Currently I use the environment value; is there one for the global key?

There is not an equivalent that gives access to all environments… There would be a variety of security issues with that.

I tried to follow vincent’s answer to create an apikey for all environments.

Which accountId should I choose for all environments? I created apikeys of “admin” and “systemadmin” accountId without inputting publicValue and secretValue, then ran go-rancher client with these apikeys to list environments’ info, but it didn’t show anything or was just refused by rancher for “Unauthorized”.

The thing called an “Environment” in the UI is called a project in the API, and the thing called a “Stack” in the UI is called an environment in the API. So you want to list projects with the account key, not environments.

The API key will have access to whatever projects the account has access to. You probably want admin (1a1) if you have access control off or are the one that turned it on. But creating account API keys is in the UI now as of 1.0 or so, so you can just do it there instead. In the API screen, expand the “Advanced Options” toggle.
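The polling approach discussed in this thread, sketched with an account key against the /v1/projects and /v1/projects/:id/containers layout described above. This is an added example, not code from the posters or from Rancher. It assumes the key is sent as HTTP Basic credentials (public value as user, secret value as password) and that collections carry a `data` list and an optional `pagination.next` link; the host and ids are constructed.

```python
import base64
import json
import urllib.request


def http_fetch(access_key, secret_key):
    """Return fetch(url) -> dict using HTTP Basic auth (assumed: public:secret)."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def collect(fetch, url):
    """Yield every item of a collection, following pagination.next (assumed field)."""
    while url:
        page = fetch(url)
        yield from page.get("data", [])
        url = (page.get("pagination") or {}).get("next")


def resources_by_project(fetch, base, resource):
    """Map project id -> sorted resource ids, via /v1/projects/:id/<resource>."""
    return {
        p["id"]: sorted(r["id"] for r in
                        collect(fetch, f"{base}/v1/projects/{p['id']}/{resource}"))
        for p in collect(fetch, f"{base}/v1/projects")
    }


def diff(previous, current):
    """Return (added, removed) lists of (project id, resource id) between two polls."""
    before = {(p, r) for p, ids in previous.items() for r in ids}
    after = {(p, r) for p, ids in current.items() for r in ids}
    return sorted(after - before), sorted(before - after)


# Constructed sample responses standing in for a server; ids are made up.
BASE = "https://rancher.example.invalid"
SAMPLE = {
    BASE + "/v1/projects": {"data": [{"id": "1a5"}, {"id": "1a7"}]},
    BASE + "/v1/projects/1a5/containers": {"data": [{"id": "1i10"}],
        "pagination": {"next": BASE + "/v1/projects/1a5/containers?marker=m1"}},
    BASE + "/v1/projects/1a5/containers?marker=m1": {"data": [{"id": "1i11"}]},
    BASE + "/v1/projects/1a7/containers": {"data": []},
}

if __name__ == "__main__":
    print(resources_by_project(SAMPLE.__getitem__, BASE, "containers"))
```

Against a real server, pass `http_fetch(public_value, secret_value)` as `fetch`, and keep the secret out of source control since the key reaches every project the account can.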