Automate Access Control and API key creation

Hi guys,

Couldn’t find an answer to my question so here it is. I’d like to automate enabling Access Control and API key creation. For now I am able to choose and set Local Access control by simply invoking curl POST on /v2-beta/localauthconfig. That sets the Access Control and creates an user with an admin role assigned.

But I can’t find a way to create an account API key via curl that I’d be able to use and set with rancher cli? Basically I need a curl command that will be able to auth itself as a previously created user and to create an API key. I do not care about the output format of such a command for as long is parsable. :slight_smile:

Any ideas on how to do that? Using UI for this is not an option, since I’d like to be able to do it programatically.

For the record I’m using the latest version of Rancher server.

Thanks!

So what I am looking for is something that this post suggests: Custom username and password for API access but am not quite sure it’s the correct approach here. Or I might be wrong?

Basically what I’d like to achieve is to lock the UI down via localauthconfig API call and then generate the API key for that user (that is going to be an admin user ofc) I’ve created with the previous API call. But in order to create an API key for that user I seem nee dto provide ${RANCHER_ACCESS_KEY}:${RANCHER_SECRET_KEY} that I do not have yet, so to me it seems like chicken and the egg problem? Or am I on the wrong track here?

The admin user (1a1) already exists on install. You can create an API key for it (I wouldn’t suggest forcing specific access/secret values as in that post but you can) before turning auth on and it is still valid after.

So what you’re kinda suggesting is to create API key while UI is not yet locked down as in that case I’d be able to do that by not providing any creds, right? Upon installation ‘admin’ has no password set so I can do whatever I need to?

And once I lock the UI down, create new admin user as described in my previous post, I will still be able to use previously created API key to perform any other action eg to create environment, create users, etc as that API key will have all the permissions since it’s created for the 1a1 user, right?

Yes, when auth is off you are always implicitly the 1a1 user and can precreate an API key for them. When you turn auth on the user/password you supply (or the test process for other providers like github) updates that existing user and you “become” 1a1. There is no need to create a separate new user.

Hm, but even with UI I can see that when turning on the localauth I have an option of creating a user that will have the admin role set as well? So I can omit that step? Haven’t tried it, which is why I’m asking.

And even with API, I did something like:

curl -X POST -H ‘Content-Type: application/json’ -d ‘{“enabled”:true, “username”:“newUser”, “password”:“newUserPassword”}’ ‘https://rancher-server-url/v2-beta/localauthconfig

which in return created a newUser user with the given password and locked my UI. But from what you’re saying I can keep my admin user (the 1a1 one) by executing:

curl -X POST -H ‘Content-Type: application/json’ -d ‘{“enabled”:true, “password”:“adminPassword”}’ ‘https://rancher-server-url/v2-beta/localauthconfig

I will have to spin another rancher env in order to test this which is why I thought it might be faster if you could confirm this beforehand?

Thanks a lot!

You’re not creating a new account (“user”) when you turn auth on. You are setting a username and password for the existing account with the ID 1a1. (And you can’t just set the password, because there is no username yet)

I am testing this, thanks for the support. Will come back withe either results or more questions.

Works as advertised, thanks!