Manage API Access Tokens and Kubeconfig Files

Create and manage API Access Tokens and their associated Kubeconfigs

CKS API Access Tokens are used to authenticate users and to grant access to resources such as Clusters and VPCs.

Prerequisites

This guide assumes that you have an active CoreWeave account.

Create a new API Access Token

API Access Tokens must be created in the CoreWeave Cloud Console. To create a new Access Token, first navigate to the Tokens page by clicking the Tokens link. From the Tokens dashboard, click the Create Token button.

In the modal window, configure the values for the Token:

Field | Description
Name | The name of the token.
Expiration | The length of time for which the Token is valid.
Kubeconfig Cluster | The Clusters granted access by this token. You must choose at least one cluster. A Kubeconfig can access multiple Clusters by switching contexts.

Next, click Create to generate the new token.

The confirmation modal displays the new Token and its associated Kubeconfig file.

Warning

These sensitive values are never shown again after closing the modal. Be sure to record them in a secure location.

Click the Download Kubeconfig button to download the associated Kubeconfig file for this token. The filename is in the format CWKubeconfig_cwtoken-<hash>-<name>, where <hash> is a unique identifier generated for you, and <name> is the Token name you provided.

Use the Kubeconfig File

To use the Kubeconfig file, you must have the kubectl command-line tool installed. If you don't have kubectl installed, follow the instructions in the Kubernetes documentation.

To use the Kubeconfig file, either:

  • copy it to the default location for Kubeconfig files, typically ~/.kube/config;
  • specify the file location with the KUBECONFIG environment variable; or,
  • use the --kubeconfig flag with kubectl.

See the Kubernetes documentation for more information.

When the Kubeconfig is in place, you can use kubectl to interact with the CKS clusters. To test the configuration, run:

Example
$ kubectl config view

The output should resemble the following:

Example
apiVersion: v1
clusters:
- cluster:
    server: <KATALOG-SERVER-URL>
  name: __CW_KATALOG_CLUSTER__
contexts:
- context:
    cluster: __CW_KATALOG_CLUSTER__
    namespace: <MY-NAMESPACE>
    user: token
  name: __CW_KATALOG_CLUSTER__
current-context: __CW_KATALOG_CLUSTER__
kind: Config
users:
- name: token
  user:
    token: <MY-API-TOKEN>

Best practices for Kubeconfig security

The Kubeconfig contains API Access Tokens, which should be treated with the same care as passwords or private SSH keys.

  • Make sure only the file owner can read and write the Kubeconfig file. For example, on Linux or macOS, use chmod 600 to set the appropriate permissions.
  • Avoid storing the Kubeconfig in version control systems.
  • Use separate Kubeconfigs for different users and applications, instead of sharing a single Kubeconfig among multiple users or apps.
  • Regularly rotate Kubeconfig files, and revoke access for users or applications that no longer need it to reduce the risk of credential leakage.

Info

Learn more about Kubeconfig files in the official Kubernetes documentation.
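
One way to check a downloaded Kubeconfig against the file-permission and version-control practices listed above. This is an added example, not CoreWeave's own tooling: the function names are hypothetical, and it assumes a POSIX shell with stat and, for the tracking check, git.

```shell
#!/bin/sh
# Added example: audit a Kubeconfig file for owner-only permissions
# and for accidental tracking in a git repository.

# Print the octal permission bits of a file.
# GNU stat (Linux) uses -c; BSD stat (macOS) uses -f.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if group and others have no access (600 or 400).
kubeconfig_mode_ok() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the file is tracked by git in its own directory.
# If git is not installed, the file is reported as untracked.
kubeconfig_in_git() {
    git -C "$(dirname "$1")" ls-files --error-unmatch \
        "$(basename "$1")" >/dev/null 2>&1
}

# Audit one Kubeconfig. Returns 0 if clean, 1 if a finding was
# reported, 2 if the file does not exist.
audit_kubeconfig() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    if ! kubeconfig_mode_ok "$f"; then
        echo "WARN: $f has mode $(file_mode "$f"); tightening to 600"
        chmod 600 "$f"
        rc=1
    fi
    if kubeconfig_in_git "$f"; then
        echo "WARN: $f is tracked by git; untrack it and rotate the token"
        rc=1
    fi
    return "$rc"
}

# Run as a script: sh audit.sh ~/.kube/config
if [ "$#" -gt 0 ]; then
    audit_kubeconfig "$1"
fi
```

A token that has already been committed remains in the repository history after the file is removed, so the finding calls for deleting that token on the Access Tokens dashboard and creating a new one.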

Manage Access Tokens

You can view or delete Access Tokens on the Access Tokens dashboard. The secret values are never shown again after creation, so be sure to record them in a secure location.

Tip

Users have different levels of access to CKS clusters. Permissions are designated by the organization administrators. For more information on how permissions are set for users and groups, see User Permissions.