Skip to main content
Credentials in Ankra store authentication information for connecting to external services like Helm registries, container registries, and Git providers. Credentials are securely stored and can be referenced when configuring integrations.

Credential Types

Registry Credentials

Authenticate with Helm chart registries (HTTP and OCI).

Git Credentials

Connect to GitHub, GitLab, and other Git providers.

Hetzner API Credentials

Authenticate with Hetzner Cloud for cluster provisioning.

OVH API Credentials

Authenticate with OVH Cloud for cluster provisioning.

SSH Key Credentials

SSH keys for server access on provisioned clusters.

Registry Credentials

Registry credentials authenticate with Helm chart repositories. They’re used when syncing charts from private registries.

Creating a Registry Credential

1

Navigate to Credentials

Go to Credentials in the Ankra dashboard.
2

Add Credential

Click Add and select Registry as the provider type.
3

Enter Details

Name: A unique identifier (e.g., ghcr-auth, harbor-prod) Username: Your registry username Password: Your registry password or access token
4

Save

Click Create to securely store the credential.

Provider-Specific Setup

Create a Personal Access Token:
  1. Go to GitHub → Settings → Developer settings → Personal access tokens
  2. Generate a token with read:packages scope
  3. For pushing charts, also add write:packages
Credential values: Username: Your GitHub username Password: The Personal Access Token
Create a Service Account:
  1. Go to Google Cloud Console → IAM → Service Accounts
  2. Create a new service account
  3. Grant “Artifact Registry Reader” role
  4. Create and download a JSON key
Credential values: Username: _json_key Password: The entire JSON key file contents
Get an auth token:
aws ecr get-login-password-region us-east-1
Credential values: Username: AWS Password: The token from the command above
ECR tokens expire after 12 hours. For production, consider using IAM roles or refresh the token regularly.
Create a Service Principal:
az ad sp create-for-rbac-name ankra-acr-reader \
-scopes /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{registry} \
-role acrpull
Credential values: Username: The appId from the output Password: The password from the output
Create an Access Token:
  1. Go to Docker Hub → Account Settings → Security
  2. Create a new Access Token with Read permissions
Credential values: Username: Your Docker Hub username Password: The Access Token (not your password)
Use a robot account (recommended):
  1. Go to your Harbor project → Robot Accounts
  2. Create a new robot account with pull permissions
Credential values: Username: robot$project+name (the robot account name) Password: The robot account secret
Create an API Key or Access Token:
  1. Go to User Profile → Edit Profile
  2. Generate an API Key or create an Access Token
Credential values: Username: Your Artifactory username Password: The API Key or Access Token

Hetzner API Credentials

Hetzner API credentials store your Hetzner Cloud API token, used when provisioning and managing Hetzner clusters. The token is validated against the Hetzner API on creation.

Creating a Hetzner API Credential

1

Get a Hetzner API Token

  1. Log in to the Hetzner Console
  2. Select your project
  3. Go to SecurityAPI Tokens
  4. Click Generate API Token with Read & Write permissions
  5. Copy the token (it’s only shown once)
2

Add to Ankra (UI)

Go to CredentialsAddHetzner, enter a name and paste your API token.
3

Or via CLI

ankra credentials hetzner create-name my-hetzner-token
# You will be securely prompted for the API token

Listing Hetzner Credentials

ankra credentials hetzner list

OVH API Credentials

OVH API credentials store your OVH Cloud application key, application secret, consumer key, and project ID used when provisioning and managing OVH clusters. The credentials are validated against the OVH API on creation.

Creating OVH API Credentials

1

Generate OVH API Credentials

  1. Go to https://api.ovh.com/createToken/
  2. Log in with your OVH account
  3. Set the following permissions: GET, POST, PUT, DELETE on /cloud/project/* GET on /cloud/project
  4. Click Create Keys
  5. Save the Application Key, Application Secret, and Consumer Key
2

Get Your Project ID

  1. Log in to the OVH Control Panel
  2. Go to Public Cloud → select your project
  3. Copy the Project ID from the dashboard URL or project settings
3

Add to Ankra (UI)

Go to CredentialsAddOVH, enter a name, your project ID, and paste your API credentials.
4

Or via CLI

ankra credentials ovh create-name my-ovh-cred-project-id <project-id>
# You will be securely prompted for application key, application secret, and consumer key

Listing OVH Credentials

ankra credentials ovh list

SSH Key Credentials

SSH key credentials store public keys that are deployed to servers during cluster provisioning. You can either provide your own public key or let Ankra generate a keypair for you.

Creating an SSH Key Credential

1

Choose an approach

Bring your own key: Provide an existing SSH public key Generate a keypair: Ankra generates a new Ed25519 keypair and returns the private key for you to save
2

Add to Ankra (UI)

Go to CredentialsAddSSH Key, enter a name, and either paste your public key or choose Generate.
3

Or via CLI

# Generate a new keypair (via Hetzner credentials)
ankra credentials hetzner ssh-key create-name my-key-generate

# Generate a new keypair (via OVH credentials)
ankra credentials ovh ssh-key create-name my-key-generate

# Or provide your own public key
ankra credentials hetzner ssh-key create-name my-key \
-public-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5..."
When generating a keypair, the private key is only returned once. Save it immediately to a secure location.

Listing SSH Key Credentials

ankra credentials hetzner ssh-key list

Using Credentials

With Helm Registries

When adding a registry, select the credential to use for authentication:
  1. Go to ChartsRepositoriesAdd
  2. Enter the registry URL
  3. Select the credential from the dropdown
  4. Click Add
Ankra will use the credential when syncing charts from the registry.

With GitOps

Credentials are automatically used when syncing configurations to GitHub repositories connected via OAuth.

Managing Credentials

View Credentials

Go to Credentials to see all stored credentials:
  • Name and type
  • Creation date
  • Associated registries (if any)

Update a Credential

  1. Click on the credential name
  2. Update the username or password
  3. Click Save
Updating a credential automatically applies to all registries using it. No need to reconfigure registries.

Delete a Credential

  1. Go to Credentials
  2. Click the menu (⋮) next to the credential
  3. Select Delete
Deleting a credential will break authentication for any registries using it. Update those registries first.

Security

Storage

Credentials are stored securely using HashiCorp Vault:
  • Encrypted at rest
  • Access controlled per organization
  • Audit logging for all access

Best Practices

Use Tokens, Not Passwords

Prefer access tokens over account passwords. Tokens can be scoped and revoked independently.

Minimum Permissions

Grant only the permissions needed. For chart sync, read-only access is sufficient.

Rotate Regularly

Rotate credentials periodically, especially for production registries.

Separate by Environment

Use different credentials for dev, staging, and production registries.

Troubleshooting

Authentication Errors

ErrorCauseSolution
401 UnauthorizedInvalid credentialsVerify username and password/token
403 ForbiddenInsufficient permissionsCheck the token has required scopes
Token expiredTemporary tokens (ECR)Refresh the token
Connection refusedNetwork issueCheck firewall and network access

Common Issues

“unauthorized: authentication required”
  • The credential wasn’t selected when adding the registry
  • Edit the registry and select the correct credential
“invalid username/password”
  • The token may have been revoked or expired
  • Regenerate the token and update the credential
“permission denied”
  • The token doesn’t have read access to the repository
  • Update the token permissions or use a different account

API Access

Manage credentials via the Ankra API: 
import requests

headers = {"Authorization": f"Bearer {TOKEN}"}

# List credentials
response = requests.get(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers
)

# Create credential
response = requests.post(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers,
    json={
        "name": "my-registry-auth",
        "provider": "registry",
        "username": "myuser",
        "password": "mytoken"
    }
)
See the API Reference for complete documentation.