Last modified on February 10, 2023
Admin tokens provide tokenized account access for automated StrongDM use. They can be utilized for administrative tasks, such as the following:
- Managing users
- Managing roles
- Managing resources
- Managing gateways and relays
- Managing access
- Managing Secret Stores
This article describes how to create, manage, and use admin tokens.
Create Admin Tokens
Admin tokens are generated in the Admin UI under Access > API & Admin Tokens. To create an admin token, follow these steps:
- Make sure you have admin access to the Admin UI.
- On Access > API & Admin Tokens, click Add token.
- On the Create Admin Token page, give your token a name.
- Specify when the token expires.
- Choose which rights this admin token grants and select the appropriate options for your admin token use case.
- Click Create. The token appears in a modal.
- Copy the token and keep it somewhere safe. The token only displays once.
There are two methods to authenticate the CLI with an admin token: with an environment variable or through the
sdm login command.
The CLI references the environment variable
SDM_ADMIN_TOKEN if it is set. You can set this in your shell by using
The CLI can use the token directly if the
--admin-token flag is used:
sdm login --admin-token='<TOKEN_VALUE>'
SDM_ADMIN_TOKENis set as an environment variable, there is no need to log in via the CLI or GUI. Any active client sessions break when you try to log in with the
--admin-tokenflag. Instead, you can just begin executing commands without needing to log in with credentials.
Once authenticated with an admin token, you can run any
sdm admin command granted to the token. No other commands (for example,
sdm status) work using an admin token, regardless of permission level.
You can run any of the following commands that you have granted to the token once you are authenticated with the token:
- User commands:
sdm admin users list
- Role commands:
sdm admin roles list
- Datasource commands:
sdm admin datasources list
- Server commands:
sdm admin servers list
- Relay commands:
sdm admin relays list. Note that the
relays listcommand requires the token to have been granted
datasources list; without it,
relays listdoes not work because it provides some information on the connected datasources for each relay.
Rotate Admin Tokens
Rotating an admin token generates a new secret while maintaining the name and permissions. We recommend doing so if you believe a token has been compromised, a user with access to the token has left your organization, or a user who owns the admin token is suspended.
To rotate a token, use these steps.
- Find the token on the API & Admin Tokens page.
- Click to Rotate. A tooltip alerts you that the existing secret is deactivated after 24 hours.
- Click Rotate to regenerate the token secret and expire the existing token after 24 hours.
Delete Admin Tokens
Once a token is rotated or deleted, the token immediately loses its ability to authenticate commands.
Admin Tokens Created by Suspended Users
What happens to admin tokens that are owned by a suspended user? Admin tokens and API keys are still usable even if the user who created them is suspended.
When suspending a user, the Admin UI lists the keys and tokens created by that user and asks if the tokens should be deleted. Select No to keep them.
After confirming suspension, you can see in section Access > API & Admin Tokens that the admin tokens and/or API keys continue to be owned by the suspended user and remain usable. For the admin tokens that are still needed, rotate the credentials to deactivate the existing token secret and generate a new one.
Because API keys are a public/private pair, new keys need to be created and the old keys need to be deleted when any automation systems use the new keys.