Using iamctl, you can perform different role-based access control operations in your managed cluster. For example:

- Grant or revoke access to a managed cluster and a specific user for troubleshooting
- Grant or revoke access to a Mirantis Container Cloud project that contains several managed clusters
- Create or delete tokens for the Container Cloud services with a specific set of grants, as well as identify when a service token was last used

The iamctl command-line interface contains the following set of commands:
The following tables describe the iamctl commands with their descriptions.

| Usage | Description |
|---|---|
| iamctl --help, iamctl help | Output the list of available commands. |
| iamctl help <command> | Output the description of a specific command. |

| Usage | Description |
|---|---|
| iamctl account info | Output detailed account information such as user email, user name, the details of their active and offline sessions, token statuses and expiration dates. |
| iamctl account login | Log in the current user. The system prompts you to enter your authentication credentials. After a successful login, your user token is added to the |
| iamctl account logout | Log out the current user. Once done, the user information is removed from |

| Usage | Description |
|---|---|
| iamctl scope list | List the IAM scopes available for the current environment. |
| iamctl scope list [prefix] | Output the specified scope list. For example: iamctl scope list m:k8s. |

Example output of iamctl scope list:

```
+---------------+--------------------------+
| NAME          | DESCRIPTION              |
+---------------+--------------------------+
| m:iam         | IAM scope                |
| m:kaas        | Container Cloud scope    |
| m:k8s:managed |                          |
| m:k8s         | Kubernetes scope         |
| m:cloud       | Cloud scope              |
+---------------+--------------------------+
```

| Usage | Description |
|---|---|
| iamctl role list <scope> | List the roles for the specified scope in IAM. |
| iamctl role show <scope> <role> | Output the details of the specified scope role including the role name ( |

| Usage | Description |
|---|---|
| iamctl grant give [username] [scope] [role] | Provide a user with a role in a scope. For example, the iamctl grant give jdoe m:iam admin command provides the IAM<br>For the list of supported IAM scopes and roles, see: Role list.<br>Note: To lock or disable a user, use LDAP or Google OAuth depending on the external provider integrated to your deployment. |
| iamctl grant list <username> | List the grants provided to the specified user. For example: iamctl grant list jdoe. |
| iamctl grant revoke [username] [scope] [role] | Revoke the grants provided to the user. |

Example output of iamctl grant list jdoe:

```
+--------+--------+---------------+
| SCOPE  | ROLE   | GRANT FQN     |
+--------+--------+---------------+
| m:iam  | admin  | m:iam@admin   |
| m:sl   | viewer | m:sl@viewer   |
| m:kaas | writer | m:kaas@writer |
+--------+--------+---------------+
```

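
The following access-review script is an added example, not part of the original documentation or of iamctl itself. It parses the iamctl grant list table layout shown above, compares the grants against an allowlist of expected grant FQNs, and prints (without running) the matching iamctl grant revoke commands; the allowlist, the function names, and the assumption that live output matches the example layout are illustrative.

```shell
#!/bin/sh
# Added example: access review over `iamctl grant list <username>` output.
# SAMPLE_OUTPUT reuses the example table from this page; the user name and
# the allowlist of expected grants are constructed for illustration.

SAMPLE_OUTPUT='+--------+--------+---------------+
| SCOPE  | ROLE   | GRANT FQN     |
+--------+--------+---------------+
| m:iam  | admin  | m:iam@admin   |
| m:sl   | viewer | m:sl@viewer   |
| m:kaas | writer | m:kaas@writer |
+--------+--------+---------------+'

# parse_grants: read the table on stdin, print one grant FQN per line.
parse_grants() {
    awk -F'|' '
        /^[ \t]*[|]/ {                       # data rows start with "|", borders with "+"
            for (i = 2; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == "SCOPE" || $4 == "") next   # skip the header and empty rows
            print $4
        }'
}

# unexpected_grants ALLOWLIST: print grants from the table on stdin that are
# not in the space-separated ALLOWLIST of expected grant FQNs.
unexpected_grants() {
    allowed=" $1 "
    parse_grants | while read -r fqn; do
        case "$allowed" in
            *" $fqn "*) ;;                   # expected, nothing to report
            *) printf '%s\n' "$fqn" ;;
        esac
    done
}

# revoke_plan USER ALLOWLIST: print (do not run) one revoke command per
# unexpected grant, for a reviewer to approve.
revoke_plan() {
    user=$1
    unexpected_grants "$2" | while IFS=@ read -r scope role; do
        printf 'iamctl grant revoke %s %s %s\n' "$user" "$scope" "$role"
    done
}

# Demo: jdoe is expected to hold only viewer/writer grants.
printf '%s\n' "$SAMPLE_OUTPUT" | revoke_plan jdoe "m:sl@viewer m:kaas@writer"
```

Against a live environment, pipe the real command output into the same function, for example iamctl grant list jdoe piped into revoke_plan jdoe with the expected grants as the second argument.
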
| Usage | Description |
|---|---|
| iamctl servicetoken list [--all] | List the details of all service tokens created by the current user. The output includes the following service token details: |
| iamctl servicetoken show [ID] | Output the details of a service token with the specified ID. |
| iamctl servicetoken create [alias] [service] [grant1 grant2...] | Create a token for a specific service with the specified set of grants. For example, iamctl servicetoken create new-token iam m:iam@viewer. |
| iamctl servicetoken delete [ID1 ID2...] | Delete a service token with the specified ID. |

| Usage | Description |
|---|---|
| iamctl user list | List user names and emails of all current users. |
| iamctl user show <username> | Output the details of the specified user. |