CLI Authentication
Authenticate kubeadapt with your API key using interactive login, environment variables, or command-line flags. Includes CI/CD pipeline setup.
kubeadapt authenticates to the Kubeadapt API using a Bearer token. Generate an API key from the Kubernetes cost dashboard at app.kubeadapt.io, then store it in the config file, pass it as an environment variable, or supply it inline with flags.
Login
Run auth login to store your API key:
kubeadapt auth loginThe command prompts for your API key (input is hidden). You can skip the prompt by passing the key directly:
kubeadapt auth login --api-key ka_your_key --api-url https://public-api.kubeadapt.ioCredentials are saved to ~/.kubeadapt/config.yaml with 0600 permissions (owner read/write only). The directory is created with 0700 permissions if it doesn't exist.
The --api-url flag on auth login sets the API URL in the saved config. If you omit it, the URL defaults to http://localhost:8002. For production use, always pass --api-url https://public-api.kubeadapt.io.
Check status
To see the currently stored credentials:
kubeadapt auth statusThe API key is masked in the output. You'll see something like:
API URL: https://public-api.kubeadapt.io
API Key: ka_y...r_keyLogout
To remove the stored API key from the config file:
kubeadapt auth logoutThis clears the api_key field in ~/.kubeadapt/config.yaml. The file itself is not deleted.
Using environment variables
For CI/CD pipelines or scripts where you don't want to write a config file, set KUBEADAPT_API_KEY and KUBEADAPT_API_URL as environment variables. See Configuration: Environment variables for the full reference.
export KUBEADAPT_API_KEY=ka_your_key
export KUBEADAPT_API_URL=https://public-api.kubeadapt.io
kubeadapt get clustersUsing flags
You can pass credentials directly on any command with --api-key and --api-url:
kubeadapt --api-key ka_your_key --api-url https://public-api.kubeadapt.io get clustersWhen the same setting appears in multiple places, flags take precedence over environment variables, which take precedence over the config file. See Configuration: Precedence for the full resolution order.
GitHub Actions example
- name: Check pending savings
env:
KUBEADAPT_API_KEY: ${{ secrets.KUBEADAPT_API_KEY }}
KUBEADAPT_API_URL: https://public-api.kubeadapt.io
run: |
kubeadapt get recommendations --status pending -o jsonStore KUBEADAPT_API_KEY in your repository's encrypted secrets. Never hardcode API keys in workflow files.
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
401 Unauthorized | Invalid or expired API key | Regenerate at app.kubeadapt.io and run auth login again |
connection refused | Wrong API URL or network issue | Check auth status and verify --api-url points to https://public-api.kubeadapt.io |
permission denied on config file | File permissions too open | Run chmod 0600 ~/.kubeadapt/config.yaml |