digitalocean / doctl

The official command line interface for the DigitalOcean API.
https://docs.digitalocean.com/reference/doctl/
Apache License 2.0

Revoke doks token command #1083

Open dro-sh opened 2 years ago

dro-sh commented 2 years ago

What is the problem this feature would solve? Please describe.

In my GitHub Actions pipeline, I download the kubeconfig with doctl kubernetes cluster kubeconfig save cluster-name. This generates an API Token. For every pipeline run, another Access Token is generated, which spams the Access Token list. I use a suitable version for getting the token (list). As I understand it, this token expires after one week, according to this:

AUTHENTICATION AND CONNECTING A certificate is required to authenticate, it lasts one week. You can either automatically refresh the certificate or manually update it weekly.

I also tried to use doctl kubernetes cluster kubeconfig remove cluster-name, but it also creates a new Access Token.

Describe the solution you'd like

A command like doctl registry logout, which revokes the token.

Additional context

https://github.com/digitalocean/doctl/issues/818

andrewsomething commented 2 years ago

Hi @Serfi7

Thanks for the suggestion. While we do not currently have a command to revoke the token from a kubeconfig, there is a workaround. doctl kubernetes cluster kubeconfig save takes an --expiry-seconds flag that can be used to generate shorter-lived tokens. For things like GitHub Actions pipelines, this is the recommended approach. The token will be revoked and removed from the list when the config expires.

dro-sh commented 2 years ago

Hi @andrewsomething

Thank you for your answer. I found that --expiry-seconds works. But I also use the Terraform doks resource with the official kubernetes resource. As I understand it, it also generates an Access Token with several days of expiration. Could you please help me find an attribute like --expiry-seconds to revoke the Access Token automatically?