The Tanzu Service Mesh API requires that requests be authenticated. You must use a combination of an API token and an access token to authenticate your calls to the Tanzu Service Mesh API.

Think of API tokens as a form of authentication similar to a username and password. Tokens are scoped within your organization for additional security. You can use an API token to interact with the Tanzu Service Mesh REST API by exchanging it for an access token.

An API token is valid for a time-to-live (TTL) period that you specify when you generate the token. The default period is 6 months. After the specified time, to continue using the Tanzu Service Mesh REST API, you must regenerate the token.

After generating an API token, save the token credentials to a safe place. You can then use the API token to obtain access tokens. You can use an access token only for a single operation and within a short period of time. After the access token expires, you can use the API token to obtain a new access token.

Your API token is scoped within your organization for additional security. Scopes provide a way to control what areas in an organization your token can access, specifically which role in the organization, what services, and the level of permissions.

If you feel that the API token has been compromised, you can revoke the token to prevent any unauthorized access. When you revoke an API token, you lose the ability to perform API calls. However, access tokens obtained from the revoked API token are still valid until their expiration time (30 minutes). You generate a new API token to renew the authorization.

You can regenerate a token at any time. If you regenerate a token, you revoke all instances of the previous token. If you have used the revoked API token, for example, in one of your scripts, you must replace it with the newly generated API token.

For security reasons, after you generate the token, the API Tokens page only displays the name of the token, and not the token credentials. This means that you can no longer reuse the token by copying the credentials from this page.

Prerequisites

Access Tanzu Platform cloud services at https://console.tanzu.broadcom.com/csp/gateway/discovery.

Procedure

  1. Generate an API token.
    1. In the upper-right corner of the Tanzu Platform cloud services console, click your user name and under User Settings, click My Account.
    2. On the My Account page, click the API Tokens tab and click Generate a new API token.
    3. Provide the following information.
      Token Name

      Enter a meaningful name for the token.

      Token TTL

      Specify how long the token is valid. You can set the token to never expire, but this is a security risk.

      Define Scopes

      Define the scopes for the token.

      Under Organization Roles, select Organization Administrator.

      Under Service Roles, expand VMware Tanzu Service Mesh and then select TSM Member.

      Select OpenID.

    4. Click Generate.

      A Token Generated dialog box displays the generated token and specifies when the token expires. You can copy, download, and print the token.

    5. To save the token credentials so you can retrieve them to use later on, click Copy and then paste the token into a file in a safe location.
    6. Click Continue.

    For security reasons, after you generate the token, the API Tokens page displays only the name of the token, and not the token credentials. This prevents a user from reusing the token by copying the credentials from this page.

  2. To set an environment variable for the API token, run the following command.
    export CSP_TOKEN={token}

    Where {token} is the generated API token.

  3. To exchange the API token for an access token, submit the following request.
    curl  --header "Content-Type: application/x-www-form-urlencoded" --header "Accept: application/json" -X POST "https://console-stg.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize?api_token=$CSP_TOKEN"

    Where $CSP_TOKEN is the generated API token from step 2.

    The value of access_token in the response contains the access token.

  4. Use the received access token in the csp-auth-token header in your calls to the Tanzu Service Mesh REST API.