Revoking User or Access Token Access
As a workspace owner, you can immediately revoke access for users or access tokens in your workspace.
- Users get access by assuming roles or accessing a cluster.
- Workspace and Platform Access Tokens get access when users assign roles to them. In addition, workspace access tokens get access when the developer switches the access token to enabled during the application deployment process.
View or revoke user access
You can see which users currently have permissions to access clusters in your workspace by viewing live sessions. A live session starts when a user has requested access permissions by running either of these commands:
As a workspace owner, you can then revoke any live session if needed.
To view or revoke live sessions using the CLI:
List all live sessions in your workspace:
wf sessions --all
NAME ROLE CLUSTER NAMESPACE USER EXPIRES AT AGE
namespace.admin.aks-opdar.azure-demo-app-test-env5.name.tahh9dx namespace.admin aks-opdar azure-demo-app-test-env5 name@appvia.io 2023-04-20T17:11:13Z 93m
To revoke access, find the username whose access you want to revoke in the USER column, and then delete the session using the value in the NAME column:
wf sessions NAME --revoke
The session name is the assumption policy associated with that user's assumed role session.
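An added example (not part of the Wayfinder documentation): a shell helper that filters `wf sessions --all` output by the USER column and prints the matching `wf sessions NAME --revoke` commands for review before anything is run. It assumes the whitespace-separated column order shown in the sample output above; the function names and the second sample row are made up for illustration.

```shell
# Added example: build the revoke commands for every live session of one user.
# Assumes the column order shown on this page (whitespace separated):
#   NAME ROLE CLUSTER NAMESPACE USER EXPIRES-AT AGE

# sessions_for_user USER: reads `wf sessions --all` output on stdin and
# prints the NAME of each session whose USER column matches exactly.
sessions_for_user() {
  awk -v user="$1" '
    NR == 1 && $1 == "NAME" { next }       # skip the header row
    NF >= 7 && $5 == user   { print $1 }   # exact match, not a substring
  '
}

# revoke_commands USER: turns matching session names into the revoke
# command from this page. A name with unexpected characters is reported
# on stderr and never placed into a command line.
revoke_commands() {
  sessions_for_user "$1" | while IFS= read -r name; do
    case "$name" in
      *[!A-Za-z0-9._-]*) echo "skipping unexpected name: $name" >&2 ;;
      *) printf 'wf sessions %s --revoke\n' "$name" ;;
    esac
  done
}

# Constructed sample: the first data row is the one shown on this page,
# the second row is invented for the example.
SAMPLE='NAME ROLE CLUSTER NAMESPACE USER EXPIRES AT AGE
namespace.admin.aks-opdar.azure-demo-app-test-env5.name.tahh9dx namespace.admin aks-opdar azure-demo-app-test-env5 name@appvia.io 2023-04-20T17:11:13Z 93m
namespace.admin.aks-opdar.azure-demo-app-test-env5.other.abc1234 namespace.admin aks-opdar azure-demo-app-test-env5 other@example.com 2023-04-20T18:00:00Z 12m'

# Dry run: print the commands instead of executing them.
printf '%s\n' "$SAMPLE" | revoke_commands "name@appvia.io"
```

Against a real workspace, replace the sample with `wf sessions --all | revoke_commands USERNAME` and run the printed commands once they have been checked.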
To view or revoke live sessions in Wayfinder's web interface
Select Workspaces, then navigate to Workspace settings > Live sessions.
This page shows all live sessions on all clouds for your workspace, including:
- Session name
- Subject - the username of the user who has access in this session
- Role - the role this user has assumed
- Cluster/Namespace - the cluster and namespace being accessed
- Expires - the amount of time left on this session to access the cluster
- Session status
To revoke access, find the username whose access you want to revoke, and then click the Revoke access button for that username.
View or revoke an Access Token's access
You can remove an Access Token's access in two ways:
- Remove the Access Token altogether
- Remove a particular access right from the Access Token
You can see what access an Access Token has in your workspace by listing the policies for the role(s) assigned to that Access Token. As a workspace owner, you can then revoke the Access Token's access by deleting the relevant assignment policy. For more information, see Access Tokens.
To delete the Workspace Access Token:
wf delete workspaceaccesstoken TOKEN-NAME
To keep the workspace Access Token, but revoke the Access Token's access:
You can revoke the assignment policy as follows:
Get the assignment policy for the access token you want:
wf get accessrolebindings --workspace-access-token TOKEN-NAME
➜ ~ wf get accessrolebindings --workspace-access-token azure-demo-app.test-env5.deploy
NAME STATUS AGE
azure-demo-app.test-env5.deploy-cluster.deployment-readonly Success 17h
azure-demo-app.test-env5.deploy-namespace.deployment Success 17h
To revoke the Access Token's access, delete its assignment policy (in the NAME column):
wf delete accessrolebindings --workspace-access-token TOKEN-NAME
wf delete accessrolebinding azure-demo-app.test-env5.deploy-namespace.deployment