Access keys in the platform
Access keys provide authentication credentials for the platform. Users can use these keys with the vCluster CLI or HTTP tools like curl to interact with the platform.
How access keys work​
Access keys in vCluster platform function as authentication tokens that inherit the exact permissions of the user who creates them. When a user generates an access key, that key can perform any action the user has permission to perform. Any authenticated user on the vCluster platform can generate their own access keys through the user interface or API.
When making requests through the vCluster CLI or direct API calls, these keys authenticate the request with the platform. The platform then processes the request with the same privilege level as if the generating user performed the action directly.
Scoped access keys​
The platform supports limiting access key permissions by scoping them to specific resources. You can scope an access key to restrict its use to:
A single project within the platform, limiting actions to only that project's resources.
A particular virtual cluster, constraining operations to just that virtual cluster's components.
A specific namespace, allowing actions only within that defined namespace boundary.
Scoping provides an important security control by restricting what an access key can access. However, scoped access keys cannot access resources beyond what the generating user already has permission to access. The scoping mechanism reduces permissions rather than expanding them.
Best practices​
When implementing access keys in automated workflows, consider using scoped keys to improve security by limiting access to only the required resources.
For example, an automated deployment process typically needs access to just one project or virtual cluster. By scoping the access key appropriately, you protect other resources in case the key is compromised.
Example use cases​
CI/CD integration often requires access to platform resources. You can create project-scoped access keys for build pipelines to enable automated building and deployment while limiting potential security exposure.
Automated deployment tools can use virtual cluster-scoped keys to manage deployments without gaining unnecessary access to other parts of your infrastructure.
Monitoring applications need to gather metrics and status information. Configure namespace-scoped keys for these systems to allow monitoring without granting broader permissions.
Security considerations​
Access key management requires careful attention to security. Rotate keys regularly to reduce the impact of potential breaches. Store keys securely using environment variables or a secrets management system rather than embedding them in code or configuration files.
Apply the principle of least privilege by using the most restrictive scope possible for each access key. When a process no longer requires an access key, delete it promptly to reduce your security exposure.
Create an access key�​
Select the Users field on the left menu bar.
Click the Users button on the User Management screen.
Find the user you would like to generate an Access Key for from the list of users. Click the user.
In the User Access Key management screen click the button.
In the drawer that appears from the right, give the Access Key a display name in the Enter a display name for this access key box.
Optional If you'd like to limit the scope of the Access Key, expand the Limit Access Key Scope configuration section. In this section you can select the clusters, namespaces, and virtual clusters of which to limit the Access Key scope to.
Click the button.
In the pop up window, make sure to copy the generated Access Key from the prompt as you are not able to fetch this key again.
Click the button.
Log in using the access key​
You can use an access key to login to vCluster Platform via the vCluster CLI:
vcluster platform login my-vcluster-platform-url.com --access-key ACCESS_KEY