Creating an EIM User Using OKS

You can manage dedicated EIM users to access selected resources hosted in the technical accounts running your OKS clusters. These users are created with predefined roles, allowing access to specific resource types such as volumes or snapshots.

Because OKS is a managed Kubernetes service, you do not have direct access to the underlying infrastructure such as the control plane or worker nodes. When you create a user, access keys are generated and can be used to log in to Cockpit. From there, you can view the resources associated with the assigned role and perform actions such as creating new resources or deleting existing ones.

These users are not general-purpose EIM users. Each user is associated with one predefined role, which grants access to a specific type of resource such as volumes or snapshots on the Cockpit platform.

The following procedure describes how to create EIM user roles.

Creating an EIM User Using OKS CLI

Before you begin: Install and configure OKS CLI. For more information, see Installing and Configuring OKS CLI.

The user create command allows you to create an EIM user:

Request sample
$ oks-cli user create \
    --profile "default" \
    --project-name NAME_OF_PROJECT \
    --user OKSSnapshotsManager \
    --ttl 1H \
    --nacl \
    --output json

This command accepts the following options:

  • (optional) profile-name: The name of the profile that you want to use to create your EIM user.

  • project-name: The name of the project in which the EIM user is created. The EIM user is scoped to this project.

  • user: The user role to create. Possible values are:

    • OKSVolumesManager: Grants permissions to monitor volumes.

    • OKSSnapshotsManager: Grants permissions to monitor volume snapshots.

      You can create one of each per project.

  • (optional) ttl: Specifies the lifetime (Time-To-Live) of the generated access key, after which it expires and can no longer be used. If not specified, a default value of 7 days is applied.

    We strongly advise using this option to limit the validity period of access keys and reduce the risk of compromised credentials.

  • (optional) nacl: Applies end-to-end encryption to the returned AK/SK, adding an extra security layer.

  • (optional) output: The output format for the response (json | yaml). By default, the response format is JSON.

The user create command returns the following elements:

  • UserName: The name of the predefined role selected when creating the user. Returned values are either OKSVolumesManager or OKSSnapshotsManager.

  • AccessKeys: Information about the generated access key, including:

    • AccessKeyId: The ID of the access key.

    • SecretKey: The ID of the secret key.

      You must securely store the access key. The secret key is only returned once at creation time and cannot be retrieved later.

    • State: The status of the access key.

    • CreationDate: Date and time when the access key was created, in ISO 8601 format.

    • ExpirationDate: Date and time when the access key expires, in ISO 8601 format.

Result sample
{
    "UserName": "OKSSnapshotsManager",
    "AccessKeys": [
        {
            "AccessKeyId": "ACCESS_KEY_ID",
            "SecretKey": "SECRET_KEY_ID",
            "State": "ACTIVE",
            "CreationDate": "2026-04-15T09:27:41.138+0000",
            "ExpirationDate": "2026-04-15T10:27:40.878+0000"
        }
    ]
}

You can now log in to Cockpit using the returned AK/SK.
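
The following is an added example, not part of the OKS documentation or of oks-cli: a Python check for a saved `--output json` response that parses the timestamps in the layout shown in the Result sample, flags keys that are expired or that outlive a chosen policy, and writes the response to an owner-only file. The function names, the one-hour policy and the `<redacted>` marker are assumptions, and the response is assumed to have the plain shape of the Result sample rather than the `--nacl` encrypted form.

```python
import json
import os
from datetime import datetime, timedelta

# Timestamp layout used in the Result sample, e.g. 2026-04-15T09:27:41.138+0000
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample mirroring the Result sample; key values are placeholders.
SAMPLE = """{
  "UserName": "OKSSnapshotsManager",
  "AccessKeys": [{
    "AccessKeyId": "ACCESS_KEY_ID",
    "SecretKey": "SECRET_KEY_ID",
    "State": "ACTIVE",
    "CreationDate": "2026-04-15T09:27:41.138+0000",
    "ExpirationDate": "2026-04-15T10:27:40.878+0000"
  }]
}"""


def review_keys(raw, now, max_lifetime=timedelta(hours=1)):
    """Return (findings, redacted_doc) for one `user create` response.

    `now` must be a timezone-aware datetime; `max_lifetime` is a local
    policy value (assumption), not something oks-cli enforces.
    """
    doc = json.loads(raw)
    findings = []
    for key in doc["AccessKeys"]:
        key_id = key["AccessKeyId"]
        created = datetime.strptime(key["CreationDate"], TS_FORMAT)
        expires = datetime.strptime(key["ExpirationDate"], TS_FORMAT)
        if key["State"] != "ACTIVE":
            findings.append(f"{key_id}: state is {key['State']}")
        if expires <= now:
            findings.append(f"{key_id}: expired")
        if expires - created > max_lifetime:
            findings.append(f"{key_id}: lifetime exceeds policy")
        key["SecretKey"] = "<redacted>"  # keep the secret out of logs
    return findings, doc


def store_secret(raw, path):
    """Write the full response to a new file readable by its owner only."""
    # O_EXCL refuses to reuse an existing (possibly wider-permission) file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(raw)
```

Log or display only the redacted document returned by `review_keys`; the unredacted response belongs only in the file written by `store_secret`.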
