Skip to main content
Credentials in Ankra store authentication information for connecting to external services like Helm registries, container registries, and Git providers. Credentials are securely stored and can be referenced when configuring integrations.

Credential Types

Registry Credentials

Authenticate with Helm chart registries (HTTP and OCI).

Git Credentials

Connect to GitHub, GitLab, and other Git providers.

Hetzner API Credentials

Authenticate with Hetzner Cloud for cluster provisioning.

OVH API Credentials

Authenticate with OVH Cloud for cluster provisioning.

Google Cloud (GCP) Credentials

Read-only service account for cloud cost estimates and GKE discovery.

SSH Key Credentials

SSH keys for server access on provisioned clusters.

Registry Credentials

Registry credentials authenticate with Helm chart repositories. They’re used when syncing charts from private registries.

Creating a Registry Credential

1

Navigate to Credentials

Go to Credentials in the Ankra dashboard.
2

Add Credential

Click Add and select Registry as the provider type.
3

Enter Details

Name: A unique identifier (e.g., ghcr-auth, harbor-prod) Username: Your registry username Password: Your registry password or access token
4

Save

Click Create to securely store the credential.

Provider-Specific Setup

Create a Personal Access Token:
  1. Go to GitHub → Settings → Developer settings → Personal access tokens
  2. Generate a token with read:packages scope
  3. For pushing charts, also add write:packages
Credential values: Username: Your GitHub username Password: The Personal Access Token
Create a Service Account:
  1. Go to Google Cloud Console → IAM → Service Accounts
  2. Create a new service account
  3. Grant “Artifact Registry Reader” role
  4. Create and download a JSON key
Credential values: Username: _json_key Password: The entire JSON key file contents
Get an auth token:
aws ecr get-login-password-region us-east-1
Credential values: Username: AWS Password: The token from the command above
ECR tokens expire after 12 hours. For production, consider using IAM roles or refresh the token regularly.
Create a Service Principal:
az ad sp create-for-rbac-name ankra-acr-reader \
-scopes /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{registry} \
-role acrpull
Credential values: Username: The appId from the output Password: The password from the output
Create an Access Token:
  1. Go to Docker Hub → Account Settings → Security
  2. Create a new Access Token with Read permissions
Credential values: Username: Your Docker Hub username Password: The Access Token (not your password)
Use a robot account (recommended):
  1. Go to your Harbor project → Robot Accounts
  2. Create a new robot account with pull permissions
Credential values: Username: robot$project+name (the robot account name) Password: The robot account secret
Create an API Key or Access Token:
  1. Go to User Profile → Edit Profile
  2. Generate an API Key or create an Access Token
Credential values: Username: Your Artifactory username Password: The API Key or Access Token

Hetzner API Credentials

Hetzner API credentials store your Hetzner Cloud API token, used when provisioning and managing Hetzner clusters. The token is validated against the Hetzner API on creation.
Don’t have a Hetzner account? Sign up for Hetzner Cloud to get started.

Creating a Hetzner API Credential

1

Get a Hetzner API Token

  1. Log in to the Hetzner Console
  2. Select your project
  3. Go to SecurityAPI Tokens
  4. Click Generate API Token with Read & Write permissions
  5. Copy the token (it’s only shown once)
2

Add to Ankra (UI)

Go to CredentialsAddHetzner, enter a name and paste your API token.
3

Or via CLI

ankra credentials hetzner create-name my-hetzner-token
# You will be securely prompted for the API token

Listing Hetzner Credentials

ankra credentials hetzner list

OVH API Credentials

OVH API credentials store your OVH Cloud application key, application secret, consumer key, and project ID used when provisioning and managing OVH clusters. The credentials are validated against the OVH API on creation.

Creating OVH API Credentials

1

Generate OVH API Credentials

  1. Go to https://api.ovh.com/createToken/
  2. Log in with your OVH account
  3. Set the following permissions: GET, POST, PUT, DELETE on /cloud/project/* GET on /cloud/project
  4. Click Create Keys
  5. Save the Application Key, Application Secret, and Consumer Key
2

Get Your Project ID

  1. Log in to the OVH Control Panel
  2. Go to Public Cloud → select your project
  3. Copy the Project ID from the dashboard URL or project settings
3

Add to Ankra (UI)

Go to CredentialsAddOVH, enter a name, your project ID, and paste your API credentials.
4

Or via CLI

ankra credentials ovh create-name my-ovh-cred-project-id <project-id>
# You will be securely prompted for application key, application secret, and consumer key

Listing OVH Credentials

ankra credentials ovh list

Google Cloud (GCP) Credentials

GCP credentials store a read-only service account key that Ankra uses to estimate the infrastructure cost of your clusters (and, in a future release, to discover GKE clusters). Ankra only ever reads from your project — it requests Google’s read-only OAuth scope and never provisions or modifies resources. The key is validated against the GCP Cloud Resource Manager API when you save it, so an invalid key or a project the service account can’t read is rejected immediately.

What Ankra Accesses

Ankra calls three Google APIs with the service account, all read-only:
APIWhy it’s used
Cloud Resource Manager APIVerify the service account can read the project (the Test connection check)
Cloud Billing APIRead the public Compute Engine price catalog (SKUs) for cost estimates
Compute Engine APIRead machine-type specs (vCPU and memory) to price your nodes

Creating a GCP Credential

1

Enable the required APIs

In the Google Cloud Console, select your project and enable the Cloud Resource Manager API, Cloud Billing API, and Compute Engine API.Or with the gcloud CLI:
gcloud config set project my-gcp-project

gcloud services enable \
  cloudresourcemanager.googleapis.com \
  cloudbilling.googleapis.com \
  compute.googleapis.com
2

Create a read-only service account

  1. Go to IAM & AdminService AccountsCreate service account
  2. Give it a name such as ankra-cost-readonly
  3. Grant it the Viewer role (roles/viewer) on the project — or a custom read-only role
Or with gcloud:
gcloud iam service-accounts create ankra-cost-readonly \
  --display-name="Ankra cost (read-only)"

gcloud projects add-iam-policy-binding my-gcp-project \
  --member="serviceAccount:ankra-cost-readonly@my-gcp-project.iam.gserviceaccount.com" \
  --role="roles/viewer"
3

Create and download a JSON key

  1. Open the service account → KeysAdd keyCreate new key
  2. Choose JSON and download the file
Or with gcloud:
gcloud iam service-accounts keys create ankra-key.json \
  --iam-account=ankra-cost-readonly@my-gcp-project.iam.gserviceaccount.com
The downloaded JSON must contain client_email, private_key, and token_uri.
4

Add to Ankra (UI)

Go to CredentialsAddGoogle Cloud (GCP), then provide:Name: A unique identifier — lowercase letters and numbers only, cannot start with a hyphen (e.g. gcp-prod) Project ID: Your GCP project ID (e.g. my-gcp-project) Service Account Key (JSON): Paste the full contents of the downloaded key fileClick Test connection to verify access, then Add.
The service account only needs read access. Ankra requests Google’s cloud-platform.read-only scope, so even a more privileged key is used read-only.

Troubleshooting GCP Credentials

Test connection resultCauseSolution
The service account key is not valid JSON or is missing required fieldsThe pasted key isn’t the full JSON filePaste the entire downloaded JSON; it must include client_email, private_key, and token_uri
Google rejected the service account credentialsThe key is disabled or deletedConfirm the key is active, or create a new JSON key
The service account lacks read access to this projectMissing IAM role or disabled APIGrant the Viewer role and enable the Cloud Resource Manager API
The project was not foundWrong project IDCheck the Project ID matches your GCP project exactly
Could not reach the GCP Resource Manager APINetwork or connectivity issueRetry; ensure outbound access to *.googleapis.com

SSH Key Credentials

SSH key credentials store public keys that are deployed to servers during cluster provisioning. You can either provide your own public key or let Ankra generate a keypair for you.

Creating an SSH Key Credential

1

Choose an approach

Bring your own key: Provide an existing SSH public key Generate a keypair: Ankra generates a new Ed25519 keypair and returns the private key for you to save
2

Add to Ankra (UI)

Go to CredentialsAddSSH Key, enter a name, and either paste your public key or choose Generate.
3

Or via CLI

# Generate a new keypair (via Hetzner credentials)
ankra credentials hetzner ssh-key create-name my-key-generate

# Generate a new keypair (via OVH credentials)
ankra credentials ovh ssh-key create-name my-key-generate

# Or provide your own public key
ankra credentials hetzner ssh-key create-name my-key \
-public-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5..."
When generating a keypair, the private key is only returned once. Save it immediately to a secure location.

Listing SSH Key Credentials

ankra credentials hetzner ssh-key list

Using Credentials

With Helm Registries

When adding a registry, select the credential to use for authentication:
  1. Go to ChartsRepositoriesAdd
  2. Enter the registry URL
  3. Select the credential from the dropdown
  4. Click Add
Ankra will use the credential when syncing charts from the registry.

With GitOps

Credentials are automatically used when syncing configurations to GitHub repositories connected via OAuth.

Managing Credentials

View Credentials

Go to Credentials to see all stored credentials:
  • Name and type
  • Creation date
  • Associated registries (if any)

Update a Credential

  1. Click on the credential name
  2. Update the username or password
  3. Click Save
Updating a credential automatically applies to all registries using it. No need to reconfigure registries.

Delete a Credential

  1. Go to Credentials
  2. Click the menu (⋮) next to the credential
  3. Select Delete
Deleting a credential will break authentication for any registries using it. Update those registries first.

Security

Storage

Credentials are stored securely using HashiCorp Vault:
  • Encrypted at rest
  • Access controlled per organization
  • Audit logging for all access

Best Practices

Use Tokens, Not Passwords

Prefer access tokens over account passwords. Tokens can be scoped and revoked independently.

Minimum Permissions

Grant only the permissions needed. For chart sync, read-only access is sufficient.

Rotate Regularly

Rotate credentials periodically, especially for production registries.

Separate by Environment

Use different credentials for dev, staging, and production registries.

Troubleshooting

Authentication Errors

ErrorCauseSolution
401 UnauthorizedInvalid credentialsVerify username and password/token
403 ForbiddenInsufficient permissionsCheck the token has required scopes
Token expiredTemporary tokens (ECR)Refresh the token
Connection refusedNetwork issueCheck firewall and network access

Common Issues

“unauthorized: authentication required”
  • The credential wasn’t selected when adding the registry
  • Edit the registry and select the correct credential
“invalid username/password”
  • The token may have been revoked or expired
  • Regenerate the token and update the credential
“permission denied”
  • The token doesn’t have read access to the repository
  • Update the token permissions or use a different account

API Access

Manage credentials via the Ankra API: 
import requests

headers = {"Authorization": f"Bearer {TOKEN}"}

# List credentials
response = requests.get(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers
)

# Create credential
response = requests.post(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers,
    json={
        "name": "my-registry-auth",
        "provider": "registry",
        "username": "myuser",
        "password": "mytoken"
    }
)
See the API Reference for complete documentation.