cci-iam-authenticator Usage Reference

cci-iam-authenticator is the authentication add-on of the Kubernetes client and provides two subcommands generate-kubeconfig and token.

A tool to authenticate to CCI using HuaweiCloud IAM credentials

Usage:
  cci-iam-authenticator [command]

Available Commands:
  generate-kubeconfig Generate or modify kubeconfig files based on user configuration
  help                Help about any command
  token               Authenticate using HuaweiCloud IAM and get token for CCI

Flags:
      --alsologtostderr   log to standard error as well as files
  -h, --help              help for cci-iam-authenticator
      --log_dir string    If non-empty, write log files in this directory
      --log_file string   If non-empty, use this log file
      --logtostderr       log to standard error instead of files (default true)
  -v, --v Level           number for the log level verbosity
      --version           version for cci-iam-authenticator

Use "cci-iam-authenticator [command] --help" for more information about a command.

The Flags field lists log options.

token

The token command is used to obtain a user token. You can use either the username/password or AK/SK to obtain a token.

Authenticate using HuaweiCloud IAM and get token for CCI

Usage:
  cci-iam-authenticator token [flags]

Flags:
      --ak string                  IAM access key ID
      --cache                      Cache the token credential on disk until it expires (default true)
      --domain-name string         IAM domain name, typically your account name
  -h, --help                       help for token
      --iam-endpoint string        HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
      --insecure-skip-tls-verify   If true, the iam server's certificate will not be checked for validity. (default true)
      --password string            IAM user password
      --project-id string          IAM project id, project id and project name should not be empty at same time
      --project-name string        IAM project name, project id and project name should not be empty at same time
      --sk string                  IAM secret access key
      --token-only                 Return token only for other tool integration
      --user-name string           IAM user name. Same as domain-name when using main account, otherwise use iam user name

The Flags field includes username, password, AK, SK, and common configurations.

**Table 1** Username and password
Command Flag	Environment Value	Description
domain-name	DOMAIN_NAME	Tenant name, that is, the account name. For details, see My Credentials.
user-name	USER_NAME	Sub-user name, that is, the IAM username. If this parameter is not specified, the value of domain-name is used. For details, see My Credentials.
password	PASSWORD	Password of an account or IAM user.

**Table 2** AK/SK
Command Flag	Environment Value	Description
ak	ACCESS_KEY_ID	For details about how to obtain the AK and SK, see Obtaining an AK/SK. AK is the access key in the file, and SK is the secret key in the file.
sk	SECRET_ACCESS_KEY

**Table 3** Common configurations
Command Flag	Environment Value	Description
iam-endpoint	IAM_ENDPOINT	IAM endpoint, which is mandatory. For details, see Regions and Endpoints.
project-name	PROJECT_NAME	Project name. For details, see My Credentials.
project-id	PROJECT_ID	Project ID. For details, see My Credentials.
insecure-skip-tls-verify	INSECURE_SKIP_TLS_VERIFY	Whether to skip the verification of the CCI or IAM server. The default value is true.
cache	CREDENTIAL_CACHE	Whether to cache the IAM token to the local host to improve the access performance. The default value is true. CAUTION: In an insecure environment, you are advised to disable this option.

generate-kubeconfig

This command is used to generate kubeconfig configurations. If the specified kubeconfig file already exists, new server, user, and context configurations will be injected and the newly injected context will be used for authentication. By default, the system verifies the user configuration and attempts to access IAM and CCI to ensure that the IAM authentication information is correct and the CCI address is available.

Generate or modify kubeconfig files based on user configuration.

Sets a cluster entry, a user entry and a context entry in kubeconfig and use this context as the current-context.

The loading order follows these rules:

1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes
place.
2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for
your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When
a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the
last file in the list.
3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Examples:
# Generate kubeconfig to ${HOME}/.kube/config using aksk
cci-iam-authenticator generate-kubeconfig --cci-endpoint=https://cci.cn-north-4.myhuaweicloud.com --ak=*** --sk=***
# Generate kubeconfig to ${HOME}/.kube/config using domain name and password
cci-iam-authenticator generate-kubeconfig --cci-endpoint=https://cci.cn-north-4.myhuaweicloud.com --domain-name=*** --password=***

Usage:
cci-iam-authenticator generate-kubeconfig [flags]

Flags:
--ak string IAM access key ID
--cache Cache the token credential on disk until it expires (default true)
--cci-endpoint string CCI server endpoint, i.e. https://cci.cn-north-4.myhuaweicloud.com
--domain-name string IAM domain name, typically your account name
-h, --help help for generate-kubeconfig
--iam-endpoint string HuaweiCloud IAM endpoint, i.e. https://iam.cn-north-4.myhuaweicloud.com (default "https://iam.myhuaweicloud.com")
--insecure-skip-tls-verify If true, the iam server's certificate will not be checked for validity. (default true)
--kubeconfig string use a particular kubeconfig file
--password string IAM user password
--project-id string IAM project id, project id and project name should not be empty at same time
--project-name string IAM project name, project id and project name should not be empty at same time
--sk string IAM secret access key
--token-only Return token only for other tool integration
--user-name string IAM user name. Same as domain-name when using main account, otherwise use iam user name
--validation Validate kubeconfig by trying to access CCI with existing config (default true)

A kubeconfig file can contain multiple environment and authentication information records. You can use the same IAM authentication configuration and different cci-endpoint values to generate kubeconfig configurations for multiple regions. For example:

# Generate kubeconfig configuration for CN North-Beijing4 and switch to the corresponding context.
$ cci-iam-authenticator generate-kubeconfig --cci-endpoint=https://cci.cn-north-4.myhuaweicloud.com --ak=my-ak --sk=xxxxxx 
Switched to context "cci-context-cn-north-4-my-ak". 
# Generate kubeconfig configuration for CN East-Shanghai1 and switch to the corresponding context.
$ cci-iam-authenticator generate-kubeconfig --cci-endpoint=https://cci.cn-east-3.myhuaweicloud.com --ak=my-ak --sk=xxxxxx 
Switched to context "cci-context-cn-east-3-my-ak". 
# Switch to the context of CN North-Beijing4.
$ kubectl config use-context cci-context-cn-north-4-my-ak

Parent topic: Using Native kubectl (Recommended)

Previous topic: kubectl Configuration Guide

Next topic: Namespace and Network