Create/revoke agent tokens on cmd line

[philon123]

To automate adding and removing agents, I would like to generate and revoke agent tokens in bash.

Looking at the api spec, the authentication mechanism only supports user/pass or JWT (received by loggin in with user/pass). A great third option would be to authenticate using an activation token.

Alternatively, or additionally, the cachix cmd line app could also have support for this built in. THe interface could be for example:

# create agent token
> cachix agent-create {workspace} {description} {expiration}
eqrnw3r2pign2pwign2piwgng..

# and revert
> cachix agent-revoke {workspace} {description}
ok

[philon123]

here is the script I am using to create agent tokens automatically. Maybe it will help someone with the same goal, or at least it will provide context on why I am asking for a builtin feature:

# load cachix creds, log in to cachix, and save the JWT cookie
cachixCredsFile="./.cachix_creds.txt"
if [ ! -f $cachixCredsFile ]; then
    echo "Cachix creds needed in file '.cachix_creds.txt' for cachix API. They should look like '{"email": "abc@d.e", "password": "pr1vate"}'"
    exit 1
fi
curl -c /tmp/cookie -X POST https://app.cachix.org/api/v1/login -H "Content-Type: application/json" -d "@${cachixCredsFile}"

# generate a new agent token for the host, process the result
newAgentToken=$(curl -b /tmp/cookie -s -X POST https://app.cachix.org/api/v1/token -H "Content-Type: application/json" -d @- <<EOF
{
    "cacheName": null,
    "description": "${name}",
    "expiresOn": null,
    "isAgentToken": true,
    "permission": "Admin",
    "workspaceSlug": "gda"
}
EOF
)
newAgentToken=$(echo "$newAgentToken" | tr -d '"') # strip the quotes from token

# check if server response was really the token or some error. Tokens start with "ey"
if [[ ! $newAgentToken == ey* ]]; then
    echo "error generating agent token. Cachix response: $newAgentToken"
    exit 1
fi

# write the token to new secret file and encrypt it
echo "agent_token: $newAgentToken" > $cachixSecretsFile

[philon123]

update, thanks to @domenkozar for the support. It is indeed already possible to authenticate to the API via auth token. Here is the above example but using auth token. Note that doing it via cmd line would still be much easier. And also, the API response could be nicer to parse by using a standard json response object like {"result": "blabla", "error": "402: payment needed"}

# load cachix auth token
cachixAuthTokenFile="./.cachix_auth_token.txt"
if [ ! -f $cachixAuthTokenFile ]; then
    echo "Cachix auth token needed in file '.cachix_auth_token.txt'"
    exit 1
fi
cachixAuthToken=$(cat $cachixAuthTokenFile)

# generate a new agent token for the host, process the result
# api docs: https://app.cachix.org/api/v1/#/
newAgentToken=$(curl -s -X POST https://app.cachix.org/api/v1/token -H "Content-Type: application/json" -H "Authorization: Bearer ${cachixAuthToken}" -d @- <<EOF
{
    "cacheName": null,
    "description": "${name}",
    "expiresOn": null,
    "isAgentToken": true,
    "permission": "Admin",
    "workspaceSlug": "gda"
}
EOF
)
newAgentToken=$(echo "$newAgentToken" | tr -d '"') # strip the quotes from token

# check if server response was really the token or some error. Tokens start with "ey"
if [[ ! $newAgentToken == ey* ]]; then
    echo "error generating agent token. Cachix response: $newAgentToken"
    exit 1
fi