Available IAM CLI commands

Using iamctl, you can perform different role-based access control operations in your managed cluster. For example:

  • Grant or revoke access to a managed cluster and a specific user for troubleshooting

  • Grant or revoke access to a Mirantis Container Cloud project that contains several managed clusters

  • Create or delete tokens for the Container Cloud services with a specific set of grants as well as identify when a service token was used the last time

The iamctl command-line interface contains the following set of commands:

The following tables describe the iamctl commands with their descriptions.

General commands



iamctl --help, iamctl help

Output the list of available commands.

iamctl help <command>

Output the description of a specific command.

Account information commands



iamctl account info

Output detailed account information such as user email, user name, the details of their active and offline sessions, tokens statuses and expiration dates.

iamctl account login

Log in the current user. The system prompts to enter your authentication credentials. After a successful login, your user token is added to the $HOME/.iamctl directory.

iamctl account logout

Log out the current user. Once done, the user information is removed from $HOME/.iamctl.

Scope commands



iamctl scope list

List the IAM scopes available for the current environment.

Example output:

|     NAME      |   DESCRIPTION            |
| m:iam         | IAM scope                |
| m:kaas        | Container Cloud scope    |
| m:k8s:managed |                          |
| m:k8s         | Kubernetes scope         |
| m:cloud       | Cloud scope              |

iamctl scope list [prefix]

Output the specified scope list. For example: iamctl m:k8s.

Role commands



iamctl role list <scope>

List the roles for the specified scope in IAM.

iamctl role show <scope> <role>

Output the details of the specified scope role including the role name (admin, viewer, reader), its description, and an example of the grant command. For example: iamctl role show m:iam admin.

Grant commands



iamctl grant give [username] [scope] [role]

Provide a user with a role in a scope. For example, the iamctl grant give jdoe m:iam admin command provides the IAM admin role in the m:iam scope to John Doe.

For the list of supported IAM scopes and roles, see: Container Cloud roles and scopes.


To lock or disable a user, use LDAP or Google OAuth depending on the external provider integrated to your deployment.

iamctl grant list <username>

List the grants provided to the specified user. For example: iamctl grant list jdoe.

Example output:

| SCOPE  |  ROLE  |   GRANT FQN   |
| m:iam  | admin  | m:iam@admin   |
| m:sl   | viewer | m:sl@viewer   |
| m:kaas | writer | m:kaas@writer |
  • m:iam@admin - admin rights in all IAM-related applications

  • m:sl@viewer - viewer rights in all StackLight-related applications

  • m:kaas@writer - writer rights in Container Cloud

iamctl grant revoke [username] [scope] [role]

Revoke the grants provided to the user.

Service token commands



iamctl servicetoken list [--all]

List the details of all service tokens created by the current user. The output includes the following service token details:

  • ID

  • Alias, for example, nova, jenkins-ci

  • Creation date and time

  • Creation owner

  • Grants

  • Last refresh date and time

  • IP address

iamctl servicetoken show [ID]

Output the details of a service token with the specified ID.

iamctl servicetoken create [alias] [service] [grant1 grants2...]

Create a token for a specific service with the specified set of grants. For example, iamctl servicetoken create new-token iam m:iam@viewer.

iamctl servicetoken delete [ID1 ID2...]

Delete a service token with the specified ID.

User commands



iamctl user list

List user names and emails of all current users.

iamctl user show <username>

Output the details of the specified user.