6 changes: 5 additions & 1 deletion configuration/configure-api-token.adoc
Expand Up @@ -7,10 +7,11 @@ include::modules/common-attributes.adoc[]
toc::[]

[role="_abstract"]
{rh-rhacs-first} requires API tokens for some system integrations, authentication processes, and system functions. You can configure tokens using the {product-title-short} web interface.
{rh-rhacs-first} requires API tokens for some system integrations, authentication processes, and system functions. You can configure tokens by using the {product-title-short} web interface.

include::snippets/note-about-creating-tokens.adoc[]

//Creating an API token
include::modules/create-api-token.adoc[leveloffset=+1]

[role="_additional-resources"]
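Review bot: The "by using" rewording of the abstract is style only, but because this assembly now also pulls in the token-expiration modules, the abstract could state that tokens expire one year after creation and that the expiration notifications are configurable, so a reader of the overview knows this page covers that topic too.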
Expand All @@ -19,4 +20,7 @@ include::modules/create-api-token.adoc[leveloffset=+1]
* xref:../operating/manage-user-access/configure-short-lived-access.adoc#configure-short-lived-access[Configuring short-lived access]
* link:https://github.com/stackrox/contributions/blob/main/guides/cloud-provider-integrations/azure-service-principal-m2m-auth.md[Using Azure Entra ID service principals for machine to machine auth with RHACS]

//About API token expiration
include::modules/about-api-token-expiration.adoc[leveloffset=+1]

include::modules/api-token-expiration-environment-variables.adoc[leveloffset=+2]
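Review bot: The two new `include::` lines land after the `[role="_additional-resources"]` section (the xref bullet list above), so "About API token expiration" and its environment-variables subsection render below "Additional resources", which is normally the last section of an assembly. Move both includes up, before `[role="_additional-resources"]`, and give the second include its own `//` comment line like the other includes in this file (for example `//Configuring API token expiration notification settings`) so the assembly stays consistent.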
24 changes: 2 additions & 22 deletions modules/about-api-token-expiration.adoc
Expand Up @@ -9,31 +9,11 @@

You use API tokens in {product-title} ({product-title-short}) for several authentication and access functions, such as API access, CLI access, and authentication. API tokens expire one year from the creation date, and {product-title-short} alerts you when a token expires soon.

{product-title-short} provides notifications in the web interface and by sending log messages to Central when a token will expire in less than one week. The log message process runs once an hour. Once a day, the process lists the tokens that are expiring and creates a log message for each one. Log messages are issued once a day and appear in Central logs.
{product-title-short} provides notifications in the web interface and by sending log messages to Central when a token will expire in less than one week. The log message process runs every hour. The process lists the tokens that are expiring and creates a log message for each one every day. {product-title-short} issues log messages daily and they appear in Central logs.

Logs have the format as shown in the following example:

[source,text]
----
Warn: API Token [token name] (ID [token ID]) will expire in less than X days.
----
You can change the default settings for the log message process by configuring the environment variables shown in the following table:

[cols="1,1,1"]
|===

|Environment variable |Default value |Description

| ROX_TOKEN_EXPIRATION_NOTIFIER_INTERVAL
| 1h (1 hour)
| The frequency at which the log message background loop that lists tokens and creates the logs will run.

| ROX_TOKEN_EXPIRATION_NOTIFIER_BACKOFF_INTERVAL
| 24h (1 day)
| The frequency at which the loop lists tokens and issues notifications.

| ROX_TOKEN_EXPIRATION_DETECTION_WINDOW
| 168h (1 week)
| The time period before expiration of the token that will cause the notification to be generated.

|===
----
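Review bot: The reworded paragraph still reads as self-contradictory: "The log message process runs every hour" is immediately followed by "creates a log message for each one every day", with nothing explaining why an hourly loop logs only daily. Now that the variable table has moved out of this module, say here that the loop checks hourly but issues at most one notification per expiring token per day (the backoff interval), and point to the new environment-variables section for tuning. Removing the stray `----` after `|===` along with the table is correct; it was an unterminated listing delimiter.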
31 changes: 31 additions & 0 deletions modules/api-token-expiration-environment-variables.adoc
@@ -0,0 +1,31 @@
// Module included in the following assemblies:
//
// * configuration/configure-api-token.adoc

:_mod-docs-content-type: REFERENCE
[id="api-token-expiration-environment-variables_{context}"]
= Configuring API token expiration notification settings

[role="_abstract"]
You can customize the API token expiration notification behavior by configuring environment variables that control the notification frequency and detection window.

You can change the default settings for the log message process by configuring the environment variables shown in the following table:

[cols="1,1,1"]
|===

|Environment variable |Default value |Description

| ROX_TOKEN_EXPIRATION_NOTIFIER_INTERVAL
| 1h (1 hour)
| The frequency at which the log message background loop that lists tokens and creates the logs will run.

| ROX_TOKEN_EXPIRATION_NOTIFIER_BACKOFF_INTERVAL
| 24h (1 day)
| The frequency at which the loop lists tokens and issues notifications.

| ROX_TOKEN_EXPIRATION_DETECTION_WINDOW
| 168h (1 week)
| The time period before expiration of the token that triggers the notification.

|===
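Review bot: The module is typed `:_mod-docs-content-type: REFERENCE` but titled like a procedure ("Configuring ..."); a reference module normally takes a noun-phrase title such as "API token expiration notification environment variables". The abstract and the sentence right after it say the same thing twice; keep one. The table does not say where these variables are set (the expiration module says the notifications are logged by Central, so presumably on the Central deployment; state that explicitly). Finally, the descriptions of `ROX_TOKEN_EXPIRATION_NOTIFIER_INTERVAL` and `ROX_TOKEN_EXPIRATION_NOTIFIER_BACKOFF_INTERVAL` are near-identical ("frequency at which the ... loop ... will run" versus "frequency at which the loop lists tokens and issues notifications"); distinguish them, for example how often the loop wakes up versus the minimum time between successive notification passes, and drop the future tense "will run".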
3 changes: 3 additions & 0 deletions modules/create-api-token.adoc
Expand Up @@ -5,6 +5,9 @@
[id="create-api-token_{context}"]
= Creating an API token

[role="_abstract"]
You can create API tokens for authentication and system integrations through the {product-title-short} portal.

.Procedure

. In the {product-title-short} portal, go to *Platform Configuration* -> *Integrations*.
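Review bot: The new abstract says "through the {product-title-short} portal" while the assembly abstract for the same page says "by using the {product-title-short} web interface"; pick one term for the UI and use it in both the assembly and this module.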
4 changes: 2 additions & 2 deletions snippets/note-about-creating-tokens.adoc
Expand Up @@ -12,6 +12,6 @@
* To prevent privilege escalation, when you create a new token, your role's permissions limit the permission you can assign to that token. For example, if you only have `read` permission for the Integration resource, you cannot create a token with `write` permission.
* If you want a custom role to create tokens for other users to use, you must assign the required permissions to that custom role.
* Use short-lived tokens for machine-to-machine communication, such as CI/CD pipelines, scripts, and other automation. Also, use the `roxctl central login` command for human-to-machine communication, such as `roxctl` CLI or API access.
* The majority of cloud service providers support OIDC identity tokens, for example, Microsoft Entra ID, Google Cloud Identity Platform, and AWS Cognito. OIDC identity tokens issued by these services can be used for {product-title-short} short-lived access.
* Third-party OIDC identity tokens can also be used directly to access the API endpoint, without an exchange, if a machine-to-machine configuration exists for the token issuer.
* The majority of cloud service providers support OIDC identity tokens, for example, Microsoft Entra ID, Google Cloud Identity Platform, and AWS Cognito. You can use OIDC identity tokens issued by these services for {product-title-short} short-lived access.
* You can also use third-party OIDC identity tokens directly to access the API endpoint, without an exchange, if a machine-to-machine configuration exists for the token issuer.
====
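Review bot: "The majority of cloud service providers" reads more naturally as "Most cloud service providers", and "the API endpoint" in the last bullet is unspecific; say "the {product-title-short} API". Since the bullets recommend short-lived tokens and OIDC identity tokens without saying how to set them up, consider adding the "Configuring short-lived access" xref that the assembly already lists under additional resources to this note as well.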