API key expiration

Hello, is there an expiration of API Keys?

Hi @jpjacquez, nope

Thanks r00ta, are there best practices on how to rotate those?

I'm wondering how to implement like a bearer token that expires to prevent an attack.

You can manage your tokens with the API, see https://maas.io/docs/api under Operations → logged-in user.

Thanks r00ta, I saw this before and it's using the apikey which is manually generated.
So to recap, the only way to automate some sort of dynamic token is to generate the apikey regularly, like $ maas apikey --username --generate, then from there generate the token, correct?

At the moment yes, you can also manage the tokens of the logged-in user by calling /MAAS/api/2.0/account/op-create_authorisation_token, /MAAS/api/2.0/account/op-delete_authorisation_token and /MAAS/api/2.0/account/op-list_authorisation_tokens.

We are currently working on a new set of APIs that will use bearer tokens, but it will take time before we release them. However, just a heads-up for the future.
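A rotation built on the three account operations named above, as an added example that is not part of the thread or MAAS's own code. It assumes the operations are invoked as `?op=<name>` on `/api/2.0/account/`, OAuth 1.0a PLAINTEXT authentication with the `consumer:token:secret` key format, and the response field names shown; the function names and `base_url` are hypothetical.

```python
import json, secrets, time
from urllib import parse, request

def oauth_header(api_key):
    """Build an OAuth 1.0a PLAINTEXT header from a 'consumer:token:secret' key."""
    consumer, token, secret = api_key.split(":")
    fields = {
        "oauth_version": "1.0",
        "oauth_signature_method": "PLAINTEXT",
        "oauth_consumer_key": consumer,
        "oauth_token": token,
        "oauth_signature": "&" + secret,  # consumer secret is empty
        "oauth_nonce": secrets.token_hex(16),
        "oauth_timestamp": str(int(time.time())),
    }
    return "OAuth " + ", ".join(
        f'{k}="{parse.quote(v, safe="")}"' for k, v in fields.items())

def http_send(base_url, api_key, method, op, data=None):
    """Call one account operation; urlopen raises HTTPError on 401/403."""
    url = f"{base_url}/api/2.0/account/?op={op}"  # assumed URL form
    body = parse.urlencode(data or {}).encode() if method == "POST" else None
    req = request.Request(url, data=body, method=method,
                          headers={"Authorization": oauth_header(api_key)})
    with request.urlopen(req) as resp:
        text = resp.read().decode()
    return json.loads(text) if text.strip() else None

def rotate(base_url, old_key, send=http_send, name="rotated"):
    """Create a new token, prove it works, then revoke the old one."""
    new = send(base_url, old_key, "POST", "create_authorisation_token",
               {"name": name})
    # Response field names are assumed: consumer_key, token_key, token_secret.
    new_key = ":".join((new["consumer_key"], new["token_key"],
                        new["token_secret"]))
    # Authenticate with the NEW key before revoking anything, so a failed
    # rotation raises here and leaves the old key valid.
    send(base_url, new_key, "GET", "list_authorisation_tokens")
    # Revoke the old token using the new credential.
    send(base_url, new_key, "POST", "delete_authorisation_token",
         {"token_key": old_key.split(":")[1]})
    return new_key
```

Run `rotate` from a scheduler and write the returned key to your secret store before the next run; the `send` parameter exists so the sequence can be exercised against a stub.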

Thanks r00ta, I appreciate your input on this.

About the future bearer-token implementation, would it be done through the MAAS integration with Vault? Like the one mentioned in How to use Vault to protect your MAAS secrets.

Nope, Vault is just an opt-in service to keep the secrets. The new bearer-token authentication will also work with MAAS in standalone mode.

2 Likes

Thanks @r00ta, appreciate your input.