Configure your access tokens for Supply Chain Security Tools - Store

This topic describes how to configure your access tokens for Supply Chain Security Tools - Store.

The access token is a Bearer token used in the http request header Authorization. For example, Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjhMV0....

Service accounts are required to have associated access tokens. Before Kubernetes 1.24, service accounts generated access tokens automatically. Since Kubernetes 1.24, a secret must be applied manually.

By default, Supply Chain Security Tools - Store includes a read-write service account installed with an access token generated. This service account is cluster-wide. If you want to create your own service accounts, see Create Service Accounts.

Setting the Access Token

When using the insight plug-in, you must set the METADATA_STORE_ACCESS_TOKEN environment variable, or use the --access-token flag. VMware discourages using the --access-token flag as the token appears in your shell history.

The following command retrieves the access token from the default metadata-store-read-write-client service account and stores it in METADATA_STORE_ACCESS_TOKEN:

export METADATA_STORE_ACCESS_TOKEN=$(kubectl get secrets metadata-store-read-write-client -n metadata-store -o jsonpath="{.data.token}" | base64 -d)

Additional Resources

• Retrieve access tokens
• Create service accounts
• Create a service account with a custom cluster role