Choose a credential type
Registry
Helm chart and container registries (HTTP and OCI).
Git
GitHub, GitLab, and other Git providers for GitOps.
Hetzner
Hetzner Cloud API token for cluster provisioning.
OVH
OVHcloud application keys and Public Cloud project.
DigitalOcean
DigitalOcean personal access token for droplets and DOKS.
UpCloud
UpCloud subaccount API access for servers and UKS.
AWS
IAM role or access keys for cost, inventory, and EKS.
Google Cloud (GCP)
Read-only service account for cost, discovery, and GKE.
Azure
Service principal for provisioning AKS.
Proxmox VE
Proxmox API URL and token for self-managed clusters.
Morpheus
Morpheus appliance URL and access token.
SSH Key
SSH keys for server access on self-managed clusters.
Compare credential types
| Credential | Used for | CLI command | Guide |
|---|---|---|---|
| Registry | Sync Helm charts / images from private registries | — (UI/API) | Registry |
| Git | GitOps configuration sync | — (via GitHub App) | Git |
| Hetzner | Provision Hetzner clusters | ankra credentials hetzner | Hetzner |
| OVH | Provision OVH clusters and OVHcloud MKS | ankra credentials ovh | OVH |
| DigitalOcean | Provision droplet clusters and DOKS | ankra credentials digitalocean | DigitalOcean |
| UpCloud | Provision UpCloud clusters and UKS | ankra credentials upcloud | UpCloud |
| AWS | Cost, inventory, and EKS | — (UI/API) | AWS |
| Google Cloud (GCP) | Cost, discovery, and GKE | — (UI/API) | GCP |
| Azure | Provision AKS | — (portal/API) | Azure |
| Proxmox VE | Provision self-managed Proxmox clusters | — (UI/API) | Proxmox VE |
| Morpheus | Provision self-managed Morpheus clusters | — (UI/API) | Morpheus |
| SSH Key | Server access on self-managed clusters | ankra credentials <provider> ssh-key (Hetzner, OVH, DigitalOcean, UpCloud) | SSH Key |
Using credentials
Credentials are selected by name where they’re needed:- Registries: when adding a Helm registry, pick the registry credential from the dropdown.
- Clusters: when provisioning or importing a cluster, pick the matching cloud credential (and an SSH key for self-managed clusters).
- GitOps: the Git connection is used automatically when syncing configuration.
Managing credentials
View credentials
Go to Credentials to see all stored credentials:- Name and type
- Creation date
- Associated registries and clusters (if any)
Update a credential
- Click on the credential name
- Update the fields
- Click Save
Updating a credential automatically applies to everything using it. No need to reconfigure registries or clusters.
Delete a credential
- Go to Credentials
- Click the menu (⋮) next to the credential
- Select Delete
Security
Storage
Credentials are stored securely using HashiCorp Vault:- Encrypted at rest
- Access controlled per organisation
- Audit logging for all access
Best practices
Use Tokens, Not Passwords
Prefer access tokens over account passwords. Tokens can be scoped and revoked independently.
Minimum Permissions
Grant only the permissions needed. For chart sync and cost, read-only access is enough.
Rotate Regularly
Rotate credentials periodically, especially for production.
Separate by Environment
Use different credentials for dev, staging, and production.
Troubleshooting
Authentication errors
| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Invalid credentials | Verify username and password/token |
| 403 Forbidden | Insufficient permissions | Check the token has required scopes |
| Token expired | Temporary tokens (ECR) | Refresh the token |
| Connection refused | Network issue | Check firewall and network access |