Create Admin Tokens
You can create admin tokens to provide tokenized account access for automated strongDM use. This guide describes how to set up and use admin tokens. To create an admin token, you'll need to have admin access to the strongDM Admin UI.
Admin tokens are for administrative tasks, including:
- Managing users
- Managing roles
- Managing resources
- Managing gateways and relays
- Managing access
- Managing Secret Stores
Create Admin Tokens
Admin tokens are generated in the Admin UI in Access > API & Admin Tokens. To create an admin token, follow these steps:
- On Access > API & Admin Tokens, click add token.
- On the Create Admin Token page:
  - Give your token a name.
  - Specify how long the token will be valid.
  - Choose which rights this admin token will have and select the appropriate options for your admin token use case.
- Click Create. The token will appear in a pop-up window. Copy the token and keep it somewhere safe, as you will not be able to view the token after this point.
There are two methods to authenticate the CLI with an admin token: with an environment variable or through the sdm login command.
The CLI will reference the environment variable SDM_ADMIN_TOKEN if it is set. You can set this in your shell by using
The CLI can use the token directly if the --admin-token flag is used:
sdm login --admin-token='token_value_here'
If the admin token is used at login in this manner, or if SDM_ADMIN_TOKEN is set as an environment variable, there is no need to log in via the CLI or GUI (any active client sessions will be broken when you try to log in with the --admin-token flag). Instead, you can just begin executing commands without needing to log in with credentials.
Once authenticated with an admin token, you will be able to run any sdm admin command granted to the token. No other commands (e.g., sdm status) will work using an admin token, regardless of permission level.
You can run any of the following commands that you have granted to the token once you're authenticated with the token:
- User commands: sdm admin users list
- Role commands: sdm admin roles list
- Datasource commands: sdm admin datasources list
- Server commands: sdm admin servers list
- Relay commands: sdm admin relays list. Note that the relays list command requires the token to also have been granted datasources list, otherwise relays list will not work since it provides some information on the connected datasources for each relay.
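For automation, an added example (not strongDM's own code) of a shell wrapper that supplies the token through SDM_ADMIN_TOKEN for a single command, so the secret stays out of the process arguments and shell history that the --admin-token flag would expose it to. The token file path, the SDM_BIN override, and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: run `sdm admin` commands with an admin token kept in a file.
# Assumptions (not from the strongDM docs): token file location, SDM_BIN
# override, and the function names token_file_ok / sdm_admin.
# Usage: sdm_admin /path/to/token-file admin users list

SDM_BIN="${SDM_BIN:-sdm}"   # hypothetical override, useful for testing

# Succeed only if the token file is a regular, non-empty file that
# group and others cannot read (mode 600 or 400).
token_file_ok() {
  local f="$1" mode
  [ -f "$f" ] && [ -s "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# sdm_admin <token_file> admin <subcommand...>
sdm_admin() {
  local token_file="$1"
  shift
  if ! token_file_ok "$token_file"; then
    echo "refusing: $token_file must be non-empty with mode 600 or 400" >&2
    return 2
  fi
  # Admin tokens authenticate only `sdm admin` commands, so fail early
  # on anything else (e.g. `sdm status`).
  if [ "${1:-}" != "admin" ]; then
    echo "refusing: admin tokens only work with 'sdm admin' commands" >&2
    return 3
  fi
  # The assignment prefix puts the token in the child's environment only;
  # it is not exported to the calling shell and never appears in argv.
  SDM_ADMIN_TOKEN="$(cat "$token_file")" "$SDM_BIN" "$@"
}
```

The wrapper returns 2 for an unsafe or empty token file and 3 for a command outside sdm admin; otherwise it returns the exit status of the CLI.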
Rotate Admin Tokens
Rotating an admin token will generate a new secret while maintaining the name and permissions. We recommend doing so if you believe a token has been compromised or if a user with access to the token has left your organization.
Revoke Admin Tokens
Once a token has been rotated or deleted, the token will immediately lose its ability to authenticate commands from that point forward.