
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
There are various ways to log into OpenShift.
- Log into OpenShift using a username and password
- Log into OpenShift using a user account token (this article)
- Log into OpenShift using a service account token
AVOID TROUBLE
Before version 4.7 of OpenShift, the oc login command could be used without the -u or --username option. Starting with version 4.7, if the -u or --username option is not included, "you must obtain an API token" will be returned. Refer to How to resolve "you must obtain an API token" on OpenShift.
oc login --username john.doe api.openshift.example.com:6443
If you are authenticated, something like this should be displayed.
Login successful.
You have access to 193 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
Welcome! See 'oc help' to get started.
The oc status command can be used to validate that you are logged in.
~]$ oc status
In project default on server https://api.openshift.example.com:6443
If the /home/your_username/.kube/config file does not exist, it will be created after the first successful login. Notice that the .kube/config file contains a token, sha256~jNxcSzOKUsRNbRzaYUaSd9Bpcww1KYrueWyJEJ87yAU in this example.
apiVersion: v1
clusters:
- cluster:
    server: https://api.openshift.example.com:6443
  name: os.example.com:6443
contexts:
- context:
    cluster: api.openshift.example.com:6443
    namespace: default
    user: john.doe
  name: default/api.openshift.example.com:6443/john.doe
current-context: default/api.openshift.example.com:6443/john.doe
kind: Config
preferences: {}
users:
- name: john.doe
  user:
    token: sha256~jNxcSzOKUsRNbRzaYUaSd9Bpcww1KYrueWyJEJ87yAU
Instead of using a username and password, the token can be used. The token can be obtained by attempting to sign in without using the --token or --username options.
~]$ oc login api.openshift.example.com:6443
You must obtain an API token by visiting https://oauth-openshift.apps.openshift.example.com/oauth/token/request
Or you can simply grab the token from your .kube/config file.
And then you can sign in using the --token option.
~]# oc login --token sha256~jNxcSzOKUsRNbRzaYUaSd9Bpcww1KYrueWyJEJ87yAU api.openshift.example.com:6443
Logged into "https://api.openshift.example.com:6443" as "john.doe" using the token provided.
This will update your user's /home/username/.kube/config file to contain the token.
~]$ tail /home/john.doe/.kube/config
users:
- name: john.doe
  user:
    token: sha256~rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM
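Because the login above leaves a bearer token in .kube/config, it is worth checking that the file is not readable by other local accounts. The script below is an added example, not part of the original article; the function names and the sample file with its placeholder token are constructed for illustration, and it assumes the users layout shown above.

```shell
#!/bin/sh
# Added example (not from the original article): audit a kubeconfig for
# stored bearer tokens that other local accounts could read.

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# One "user<TAB>masked-token" line per token entry. Assumes the layout oc
# writes (a "- name:" line before "user:" / "token:"); never prints the secret.
list_token_users() {
  awk '
    /^[[:space:]]*-[[:space:]]*name:/ { name = $NF }
    /^[[:space:]]*token:/ {
      prefix = ($NF ~ /^sha256~/) ? "sha256~" : ""
      printf "%s\t%s***(%d chars)\n", name, prefix, length($NF)
    }' "$1"
}

# Returns 1 when the file holds a token AND grants any group/other access.
audit_kubeconfig() {
  users=$(list_token_users "$1")
  [ -n "$users" ] || { echo "OK no stored token in $1"; return 0; }
  echo "$users" | sed 's/^/TOKEN /'
  mode=$(file_mode "$1")
  case $mode in
    *00) echo "OK mode $mode"; return 0 ;;
    *)   echo "WARN mode $mode, run: chmod 600 $1"; return 1 ;;
  esac
}

# Constructed sample kubeconfig (placeholder token, not a real credential).
make_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
users:
- name: john.doe
  user:
    token: sha256~CONSTRUCTED-PLACEHOLDER-TOKEN-0000000000000
EOF
  chmod 644 "$f"
  echo "$f"
}

sample=$(make_sample)
audit_kubeconfig "$sample" || echo "finding: token readable by other accounts"
chmod 600 "$sample" && audit_kubeconfig "$sample"
rm -f "$sample"
```

To check a real file, call audit_kubeconfig with the path to your own .kube/config instead of the sample.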
Once signed in, the oc whoami command can be used to display your token.
~]# oc whoami --show-token=true
rrM4acVDON6pTWguzBYrOgO8Sz-JwuY-BiiAJw7K7lM
When debugging an issue, you may want to use the --loglevel option.
oc login --token sha256~jNxcSzOKUsRNbRzaYUaSd9Bpcww1KYrueWyJEJ87yAU api.openshift.example.com:6443 --loglevel=6
In this scenario, log level 6 is probably a good starting place, and should return output like this.
I0128 07:06:43.146516 27366 loader.go:375] Config loaded from file: /home/john.doe/.kube/config
I0128 07:06:43.238439 27366 round_trippers.go:443] HEAD https://api.op.example.com:6443/ 403 Forbidden in 90 milliseconds
I0128 07:06:43.238471 27366 request_token.go:86] GSSAPI Enabled
I0128 07:06:43.240481 27366 round_trippers.go:443] GET https://api.op.example.com:6443/.well-known/oauth-authorization-server 200 OK in 1 milliseconds
I0128 07:06:43.258731 27366 request_token.go:447] using system roots as no error was encountered
I0128 07:06:43.288514 27366 round_trippers.go:443] GET https://oauth-openshift.apps.openshift.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 401 Unauthorized in 29 milliseconds
Authentication required for https://api.openshift.example.com:6443 (openshift)
Username: john.doe
Password:
I0128 07:06:49.834683 27366 round_trippers.go:443] GET https://oauth-openshift.apps.op.example.com/oauth/authorize?client_id=openshift-challenging-client&code_challenge=abc123&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.op.example.com%2Foauth%2Ftoken%2Fimplicit&response_type=code 302 Found in 79 milliseconds
I0128 07:06:49.891957 27366 round_trippers.go:443] POST https://oauth-openshift.apps.op.example.com/oauth/token 200 OK in 57 milliseconds
I0128 07:06:49.921048 27366 round_trippers.go:443] GET https://api.op.example.com:6443/apis/user.openshift.io/v1/users/~ 200 OK in 28 milliseconds
Login successful.