Skip to main content
Credentials in Ankra store authentication information for connecting to external services - Helm and container registries, Git providers, and cloud platforms used for cluster provisioning and cost estimation. Credentials are stored securely in HashiCorp Vault and referenced by name when configuring integrations and clusters.

Choose a credential type

Registry

Helm chart and container registries (HTTP and OCI).

Git

GitHub, GitLab, and other Git providers for GitOps.

Hetzner

Hetzner Cloud API token for cluster provisioning.

OVH

OVHcloud application keys and Public Cloud project.

DigitalOcean

DigitalOcean personal access token for droplets and DOKS.

UpCloud

UpCloud subaccount API access for servers and UKS.

AWS

IAM role or access keys for cost, inventory, and EKS.

Google Cloud (GCP)

Read-only service account for cost, discovery, and GKE.

Azure

Service principal for provisioning AKS.

Proxmox VE

Proxmox API URL and token for self-managed clusters.

Morpheus

Morpheus appliance URL and access token.

SSH Key

SSH keys for server access on self-managed clusters.

Compare credential types

CredentialUsed forCLI commandGuide
RegistrySync Helm charts / images from private registries— (UI/API)Registry
GitGitOps configuration sync— (via GitHub App)Git
HetznerProvision Hetzner clustersankra credentials hetznerHetzner
OVHProvision OVH clusters and OVHcloud MKSankra credentials ovhOVH
DigitalOceanProvision droplet clusters and DOKSankra credentials digitaloceanDigitalOcean
UpCloudProvision UpCloud clusters and UKSankra credentials upcloudUpCloud
AWSCost, inventory, and EKS— (UI/API)AWS
Google Cloud (GCP)Cost, discovery, and GKE— (UI/API)GCP
AzureProvision AKS— (portal/API)Azure
Proxmox VEProvision self-managed Proxmox clusters— (UI/API)Proxmox VE
MorpheusProvision self-managed Morpheus clusters— (UI/API)Morpheus
SSH KeyServer access on self-managed clustersankra credentials <provider> ssh-key (Hetzner, OVH, DigitalOcean, UpCloud)SSH Key

Using credentials

Credentials are selected by name where they’re needed:
  • Registries: when adding a Helm registry, pick the registry credential from the dropdown.
  • Clusters: when provisioning or importing a cluster, pick the matching cloud credential (and an SSH key for self-managed clusters).
  • GitOps: the Git connection is used automatically when syncing configuration.

Managing credentials

View credentials

Go to Credentials to see all stored credentials:
  • Name and type
  • Creation date
  • Associated registries and clusters (if any)

Update a credential

  1. Click on the credential name
  2. Update the fields
  3. Click Save
Updating a credential automatically applies to everything using it. No need to reconfigure registries or clusters.

Delete a credential

  1. Go to Credentials
  2. Click the menu (⋮) next to the credential
  3. Select Delete
Deleting a credential will break authentication for anything using it. Update those integrations first.

Security

Storage

Credentials are stored securely using HashiCorp Vault:
  • Encrypted at rest
  • Access controlled per organisation
  • Audit logging for all access

Best practices

Use Tokens, Not Passwords

Prefer access tokens over account passwords. Tokens can be scoped and revoked independently.

Minimum Permissions

Grant only the permissions needed. For chart sync and cost, read-only access is enough.

Rotate Regularly

Rotate credentials periodically, especially for production.

Separate by Environment

Use different credentials for dev, staging, and production.

Troubleshooting

Authentication errors

ErrorCauseSolution
401 UnauthorizedInvalid credentialsVerify username and password/token
403 ForbiddenInsufficient permissionsCheck the token has required scopes
Token expiredTemporary tokens (ECR)Refresh the token
Connection refusedNetwork issueCheck firewall and network access
For provider-specific troubleshooting, see the individual credential pages (for example GCP).

API access

Manage credentials via the Ankra API:
import requests

headers = {"Authorization": f"Bearer {TOKEN}"}

# List credentials
response = requests.get(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers
)

# Create credential
response = requests.post(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers,
    json={
        "name": "my-registry-auth",
        "provider": "registry",
        "username": "myuser",
        "password": "mytoken"
    }
)
See the API Reference for complete documentation.