Controlplane API Tokens
The Chainloop CLI is used to interact with the Chainloop Control Plane supports two authentication methods.
User Authentication
- Meant for interactive use
- Associated with an user account
- Valid for 24 hours
They can be obtained by running the chainloop auth login command.
API tokens
Alternatively, you can create Service Accounts (API Tokens) that
- Are meant for non-interactive use, i.e automation
- Are associated with a organization
- Have a customizable expiry time that can be manually revoked
- Can operate with Chainloop Workflows and Attestations
- Supports ACL for fine-grained access control (SOON)
You can operate on your organization API tokens using the chainloop organization api-token command.
$ chainloop organization api-token -h
Manage API tokens to authenticate with the Chainloop API.
Usage:
chainloop organization api-token [command]
Aliases:
api-token, token
Available Commands:
create Create an API Token
list List API tokens in this organization
revoke revoke API Token
and then they can be used by the CLI by either setting CHAINLOOP_TOKEN environment variable or by using the --token flag, for example
chainloop workflow list --token <your-token>
Attestations
API Tokens can be used to perform attestations, the only requirement is that the operator should create a workflow prior to run the attestation and an api token. Example:
$ chainloop attestation init --workflow release-demo-wf --project core --token $API_TOKEN
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At │ 13 May 24 12:23 UTC │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID │ 810472ab-484f-4499-8805-f2024d2b4a47 │
│ Name │ release-demo-wf │
│ Team │ │
│ Project │ core │
│ Contract Revision │ 1 │
└───────────────────┴──────────────────────────────────────┘