From f43fca63ad47b3f86d38c90ab189680f5664f9e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Thu, 20 Feb 2025 12:25:58 +0100 Subject: [PATCH 1/6] roles tokens page merged from original docs --- .../cloud-enterprise/generate-roles-tokens.md | 97 ++++++++++++++++--- 1 file changed, 86 insertions(+), 11 deletions(-) diff --git a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md index 045dcaa01..b63ec08ac 100644 --- a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md +++ b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md 
@@ -4,22 +4,97 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-revoke-roles-token.html --- -# Generate roles tokens +# Manage roles tokens -% What needs to be done: Refine +At the end of the {{ece}} installation process on the first host, you are provided with a roles token. This token can be used to install {{ece}} on additional hosts, but it does not include any role permissions. -% GitHub issue: https://github.com/elastic/docs-projects/issues/339 +You can [assign roles](/deploy-manage/deploy/cloud-enterprise/assign-roles-to-hosts.md) to the additional hosts through the Cloud UI later on, but this role assignment is a manual process. -% Scope notes: merge these two pages +For automation purposes, you need to generate a new *ephemeral* or *persistent* token with the right role permissions, so that you can install {{ece}} on hosts and add the right roles at the same time. -% Use migrated content from existing pages that map to this page: +In this section, you'll learn how to perform the following tasks: -% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md -% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md +* [](#ece-generate-roles-token) +* [](#ece-revoke-roles-token) -⚠️ **This page is a work in progress.** ⚠️ +## Ephemeral and persistent roles tokens -The documentation team is working to combine content pulled from the following pages: +Ephemeral and persistent tokens differ as follows: -* [/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md](/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md) -* [/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md](/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md) \ No newline at end of file +Ephemeral token +: Available for use during {{ece}} installation on additional hosts for one hour before the token is revoked automatically. Cannot be revoked manually. 
+ +Persistent token +: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) at any time. + +The permitted roles are the same as those you can [assign in the Cloud UI](../../../deploy-manage/deploy/cloud-enterprise/assign-roles-to-hosts.md): + +`allocator` +: Allocates the available computing resources to Elasticsearch nodes or Kibana instances. In larger installations, a majority of the machines will be allocators. + +`coordinator` +: Serves as a distributed coordination system and resource scheduler. + +`proxy` +: Manages communication between a user and an Elasticsearch or Kibana instance. + +`director` +: Manages the ZooKeeper datastore. This role is typically shared with the coordinator role. In production deployments it can be separated from a coordinator. + +## Generate roles tokens [ece-generate-roles-token] + +To generate an ephemeral token for additional allocators: + +```sh +curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HOST_IP:12443/api/v1/platform/configuration/security/enrollment-tokens -d '{ "persistent": false, "roles": [ "allocator"] }' +{ + "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0Njk3N2I3ZC1hM2U2LTQ2MDUtYjcwZC0xNzIzMTI5YWY4ZTQiLCJyb2xlcyI6WyJwcm94eSIsImFsbG9jYXRvciJdLCJpc3MiOiJib290c3RyYXAtaW5pdGlhbCIsImV4cCI6MTQ5MzY0NjIxM30.xsaRb72CsNMuXKy6Y-PJgqLc0qmjCljlB4Smcx_MRxg" +} +``` + +To generate a persistent token for additional allocators: + +```sh +curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HOST_IP:12443/api/v1/platform/configuration/security/enrollment-tokens -d '{ "persistent": true, "roles": [ "allocator"] }' +{ + "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0Yzg5OTBkZi0xZmI3LTQ4MjAtYjg2OC02YmM5ZTg4NjA4MTQiLCJyb2xlcyI6WyJwcm94eSIsImFsbG9jYXRvciJdLCJpc3MiOiJib290c3RyYXAtaW5pdGlhbCJ9.mfTkO4j8uZJ-qwB2jmBuMScyYfLmcJpvKgSTLx2WV24", + 
"token_id": "4c8990df-1fb7-4820-b868-6bc9e8860814" +} +``` + +## Revoke roles tokens [ece-revoke-roles-token] + +At the end of the {{ece}} installation process on the first host, you are provided with a roles token. You can also generate new roles tokens yourself, either as ephemeral tokens that get deleted after 24 hours or as persistent tokens that get stored by {{ece}}. These tokens enable additional hosts to join an {{ece}} installation and should be kept secure or deleted if they are no longer needed. + +If you delete all tokens and need to add further hosts to your installation later on, you can [generate a new token](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) first. + +::::{important} +During installation, an emergency token gets generated that enables you to install {{ece}} on additional hosts with all roles already assigned, except the allocator role. The emergency token can save your installation if all coordinators fail or are removed and you can no longer use the Cloud UI or the RESTful API. You should not delete this token. To learn more, check [Using the Emergency Roles Token](../../../troubleshoot/deployments/cloud-enterprise/use-emergency-roles-token.md). +:::: + +To delete a token: + +1. Retrieve the list of available tokens through the RESTful API : + + ```sh + curl -u USER:PASSWORD https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens + { + "tokens": [{ + "token_id": "5f9cad2f-c6e7-4ee2-8f6e-53225df45be5", + "roles": [] + }, { + "token_id": "4c8990df-1fb7-4820-b868-6bc9e8860814", + "roles": ["proxy", "allocator"] + }] + } + ``` + +2. Use the token ID to delete the tokens you no longer need, here `4c8990df-1fb7-4820-b868-6bc9e8860814`: + + ```sh + curl -XDELETE -u USER:PASSWORD 'https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens/4c8990df-1fb7-4820-b868-6bc9e8860814' + { + } + ``` + +3. 
Optional: To check that the token has been deleted, repeat Step 1 and make sure that the token is no longer listed. From 3608c2695f844319e3f603dbdba2070fcc7f60f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Thu, 20 Feb 2025 12:38:38 +0100 Subject: [PATCH 2/6] applies_to and links updated --- .../deploy/cloud-enterprise/generate-roles-tokens.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md index b63ec08ac..42d717fe3 100644 --- a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md +++ b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md @@ -1,4 +1,7 @@ --- +applies_to: + deployment: + ece: all mapped_urls: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-generate-roles-token.html - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-revoke-roles-token.html @@ -8,7 +11,7 @@ mapped_urls: At the end of the {{ece}} installation process on the first host, you are provided with a roles token. This token can be used to install {{ece}} on additional hosts, but it does not include any role permissions. -You can [assign roles](/deploy-manage/deploy/cloud-enterprise/assign-roles-to-hosts.md) to the additional hosts through the Cloud UI later on, but this role assignment is a manual process. +You can [assign roles](./assign-roles-to-hosts.md) to the additional hosts through the Cloud UI later on, but this role assignment is a manual process. For automation purposes, you need to generate a new *ephemeral* or *persistent* token with the right role permissions, so that you can install {{ece}} on hosts and add the right roles at the same time. 
@@ -25,9 +28,9 @@ Ephemeral token : Available for use during {{ece}} installation on additional hosts for one hour before the token is revoked automatically. Cannot be revoked manually. Persistent token -: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) at any time. +: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](./generate-roles-tokens.md) at any time. -The permitted roles are the same as those you can [assign in the Cloud UI](../../../deploy-manage/deploy/cloud-enterprise/assign-roles-to-hosts.md): +The permitted roles are the same as those you can [assign in the Cloud UI](./assign-roles-to-hosts.md): `allocator` : Allocates the available computing resources to Elasticsearch nodes or Kibana instances. In larger installations, a majority of the machines will be allocators. From 44b3e012382a5d00eb4ce503d4c10e901a877adc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Thu, 20 Feb 2025 16:43:09 +0100 Subject: [PATCH 3/6] Update deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md Co-authored-by: kosabogi <105062005+kosabogi@users.noreply.github.com> --- deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md index 42d717fe3..6d47fc1f2 100644 --- a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md +++ b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md 
@@ -92,7 +92,7 @@ To delete a token: } ``` -2. Use the token ID to delete the tokens you no longer need, here `4c8990df-1fb7-4820-b868-6bc9e8860814`: +2. Use the token ID to delete the tokens you no longer need: `4c8990df-1fb7-4820-b868-6bc9e8860814`: ```sh curl -XDELETE -u USER:PASSWORD 'https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens/4c8990df-1fb7-4820-b868-6bc9e8860814' From f93589d2bdecc628344d1d363b55a960047c49cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Thu, 20 Feb 2025 16:46:35 +0100 Subject: [PATCH 4/6] links reviewed --- .../deploy/cloud-enterprise/generate-roles-tokens.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md index 6d47fc1f2..adf34ba62 100644 --- a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md +++ b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md @@ -28,7 +28,7 @@ Ephemeral token : Available for use during {{ece}} installation on additional hosts for one hour before the token is revoked automatically. Cannot be revoked manually. Persistent token -: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](./generate-roles-tokens.md) at any time. +: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](#ece-revoke-roles-token) at any time. The permitted roles are the same as those you can [assign in the Cloud UI](./assign-roles-to-hosts.md): 
@@ -69,10 +69,10 @@ curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HO At the end of the {{ece}} installation process on the first host, you are provided with a roles token. You can also generate new roles tokens yourself, either as ephemeral tokens that get deleted after 24 hours or as persistent tokens that get stored by {{ece}}. These tokens enable additional hosts to join an {{ece}} installation and should be kept secure or deleted if they are no longer needed. -If you delete all tokens and need to add further hosts to your installation later on, you can [generate a new token](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) first. +If you delete all tokens and need to add further hosts to your installation later on, you can [generate a new token](#ece-generate-roles-token) first. ::::{important} -During installation, an emergency token gets generated that enables you to install {{ece}} on additional hosts with all roles already assigned, except the allocator role. The emergency token can save your installation if all coordinators fail or are removed and you can no longer use the Cloud UI or the RESTful API. You should not delete this token. To learn more, check [Using the Emergency Roles Token](../../../troubleshoot/deployments/cloud-enterprise/use-emergency-roles-token.md). +During installation, an emergency token gets generated that enables you to install {{ece}} on additional hosts with all roles already assigned, except the allocator role. The emergency token can save your installation if all coordinators fail or are removed and you can no longer use the Cloud UI or the RESTful API. You should not delete this token. To learn more, check [Using the Emergency Roles Token](/troubleshoot/deployments/cloud-enterprise/use-emergency-roles-token.md). :::: To delete a token: From 99b3fc5677a0804990e4e2fbeed73acbb2f06195 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Thu, 20 Feb 2025 16:49:09 +0100 Subject: [PATCH 5/6] raw content cleaned --- .../ece-generate-roles-token.md | 45 ------------------- .../ece-revoke-roles-token.md | 38 ---------------- raw-migrated-files/toc.yml | 2 - 3 files changed, 85 deletions(-) delete mode 100644 raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md delete mode 100644 raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md diff --git a/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md b/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md deleted file mode 100644 index ed2efc2ca..000000000 --- a/raw-migrated-files/cloud/cloud-enterprise/ece-generate-roles-token.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Generate roles tokens [ece-generate-roles-token] - -At the end of the Elastic Cloud Enterprise installation process on the first host, you are provided with a roles token. This token can be used to install Elastic Cloud Enterprise on additional hosts, but it does not include any role permissions. [Roles can be assigned](../../../deploy-manage/deploy/cloud-enterprise/assign-roles-to-hosts.md) to the additional hosts through the Cloud UI later on, but this role assignment is a manual process. For automation purposes, you need to generate a new ephemeral or persistent token with the right role permissions, so that you can install Elastic Cloud Enterprise on hosts and add the right roles at the same time. - -Ephemeral and persistent tokens differ as follows: - -Ephemeral token -: Available for use during Elastic Cloud Enterprise installation on additional hosts for one hour before the token is revoked automatically. Cannot be revoked manually. - -Persistent token -: Available for use during Elastic Cloud Enterprise installation on additional hosts indefinitely. [Can be revoked](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) at any time. - -The permitted roles are the same as those you can [assign in the Cloud UI](../../../deploy-manage/deploy/cloud-enterprise/assign-roles-to-hosts.md): - -`allocator` -: Allocates the available computing resources to Elasticsearch nodes or Kibana instances. In larger installations, a majority of the machines will be allocators. - -`coordinator` -: Serves as a distributed coordination system and resource scheduler. - -`proxy` -: Manages communication between a user and an Elasticsearch or Kibana instance. - -`director` -: Manages the ZooKeeper datastore. This role is typically shared with the coordinator role. In production deployments it can be separated from a coordinator. 
- -To generate an ephemeral token for additional allocators: - -```sh -curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HOST_IP:12443/api/v1/platform/configuration/security/enrollment-tokens -d '{ "persistent": false, "roles": [ "allocator"] }' -{ - "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0Njk3N2I3ZC1hM2U2LTQ2MDUtYjcwZC0xNzIzMTI5YWY4ZTQiLCJyb2xlcyI6WyJwcm94eSIsImFsbG9jYXRvciJdLCJpc3MiOiJib290c3RyYXAtaW5pdGlhbCIsImV4cCI6MTQ5MzY0NjIxM30.xsaRb72CsNMuXKy6Y-PJgqLc0qmjCljlB4Smcx_MRxg" -} -``` - -To generate a persistent token for additional allocators: - -```sh -curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HOST_IP:12443/api/v1/platform/configuration/security/enrollment-tokens -d '{ "persistent": true, "roles": [ "allocator"] }' -{ - "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0Yzg5OTBkZi0xZmI3LTQ4MjAtYjg2OC02YmM5ZTg4NjA4MTQiLCJyb2xlcyI6WyJwcm94eSIsImFsbG9jYXRvciJdLCJpc3MiOiJib290c3RyYXAtaW5pdGlhbCJ9.mfTkO4j8uZJ-qwB2jmBuMScyYfLmcJpvKgSTLx2WV24", - "token_id": "4c8990df-1fb7-4820-b868-6bc9e8860814" -} -``` - diff --git a/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md b/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md deleted file mode 100644 index e526c7909..000000000 --- a/raw-migrated-files/cloud/cloud-enterprise/ece-revoke-roles-token.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Revoke roles tokens [ece-revoke-roles-token] - -At the end of the Elastic Cloud Enterprise installation process on the first host, you are provided with a roles token. You can also generate new roles tokens yourself, either as ephemeral tokens that get deleted after 24 hours or as persistent tokens that get stored by Elastic Cloud Enterprise. These tokens enable additional hosts to join an Elastic Cloud Enterprise installation and should be kept secure or deleted if they are no longer needed. - -If you delete all tokens and need to add further hosts to your installation later on, you can [generate a new token](../../../deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md) first. - -::::{important} -During installation, an emergency token gets generated that enables you to install Elastic Cloud Enterprise on additional hosts with all roles already assigned, except the allocator role. The emergency token can save your installation if all coordinators fail or are removed and you can no longer use the Cloud UI or the RESTful API. You should not delete this token. To learn more, check [Using the Emergency Roles Token](../../../troubleshoot/deployments/cloud-enterprise/use-emergency-roles-token.md). -:::: - - -To delete a token: - -1. Retrieve the list of available tokens through the RESTful API : - - ```sh - curl -u USER:PASSWORD https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens - { - "tokens": [{ - "token_id": "5f9cad2f-c6e7-4ee2-8f6e-53225df45be5", - "roles": [] - }, { - "token_id": "4c8990df-1fb7-4820-b868-6bc9e8860814", - "roles": ["proxy", "allocator"] - }] - } - ``` - -2. Use the token ID to delete the tokens you no longer need, here `4c8990df-1fb7-4820-b868-6bc9e8860814`: - - ```sh - curl -XDELETE -u USER:PASSWORD 'https://localhost:12443/api/v1/platform/configuration/security/enrollment-tokens/4c8990df-1fb7-4820-b868-6bc9e8860814' - { - } - ``` - -3. 
Optional: To check that the token has been deleted, repeat Step 1 and make sure that the token is no longer listed. - diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index f642eae75..809319b6d 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -40,7 +40,6 @@ toc: - file: cloud/cloud-enterprise/ece-create-deployment.md - file: cloud/cloud-enterprise/ece-delete-deployment.md - file: cloud/cloud-enterprise/ece-find.md - - file: cloud/cloud-enterprise/ece-generate-roles-token.md - file: cloud/cloud-enterprise/ece-getting-started-node-js.md - file: cloud/cloud-enterprise/ece-getting-started-python.md - file: cloud/cloud-enterprise/ece-getting-started-search-use-cases-beats-logstash.md @@ -60,7 +59,6 @@ toc: - file: cloud/cloud-enterprise/ece-restful-api-examples-configuring-keystore.md - file: cloud/cloud-enterprise/ece-restore-across-clusters.md - file: cloud/cloud-enterprise/ece-restore-deployment.md - - file: cloud/cloud-enterprise/ece-revoke-roles-token.md - file: cloud/cloud-enterprise/ece-secure-clusters-kerberos.md - file: cloud/cloud-enterprise/ece-secure-clusters-oidc.md - file: cloud/cloud-enterprise/ece-securing-clusters-ad.md From 4ae332f757a2df39b900e85e0309b20cab23ddd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Thu, 20 Feb 2025 21:23:12 +0100 Subject: [PATCH 6/6] unneeded links removed --- .../deploy/cloud-enterprise/generate-roles-tokens.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md index adf34ba62..5c5160b65 100644 --- a/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md +++ b/deploy-manage/deploy/cloud-enterprise/generate-roles-tokens.md 
@@ -15,10 +15,10 @@ You can [assign roles](./assign-roles-to-hosts.md) to the additional hosts throu For automation purposes, you need to generate a new *ephemeral* or *persistent* token with the right role permissions, so that you can install {{ece}} on hosts and add the right roles at the same time. -In this section, you'll learn how to perform the following tasks: +This section covers the different types of tokens and the following tasks: -* [](#ece-generate-roles-token) -* [](#ece-revoke-roles-token) +* [Generate roles tokens](#ece-generate-roles-token) +* [Revoke roles tokens](#ece-revoke-roles-token) ## Ephemeral and persistent roles tokens @@ -28,7 +28,7 @@ Ephemeral token : Available for use during {{ece}} installation on additional hosts for one hour before the token is revoked automatically. Cannot be revoked manually. Persistent token -: Available for use during {{ece}} installation on additional hosts indefinitely. [Can be revoked](#ece-revoke-roles-token) at any time. +: Available for use during {{ece}} installation on additional hosts indefinitely. Can be revoked at any time. The permitted roles are the same as those you can [assign in the Cloud UI](./assign-roles-to-hosts.md): 
@@ -69,7 +69,7 @@ curl -H 'Content-Type: application/json' -u USER:PASSWORD https://COORDINATOR_HO At the end of the {{ece}} installation process on the first host, you are provided with a roles token. You can also generate new roles tokens yourself, either as ephemeral tokens that get deleted after 24 hours or as persistent tokens that get stored by {{ece}}. These tokens enable additional hosts to join an {{ece}} installation and should be kept secure or deleted if they are no longer needed. -If you delete all tokens and need to add further hosts to your installation later on, you can [generate a new token](#ece-generate-roles-token) first. +If you delete all tokens and need to add more hosts to your installation, you should generate a new token first. ::::{important} During installation, an emergency token gets generated that enables you to install {{ece}} on additional hosts with all roles already assigned, except the allocator role. The emergency token can save your installation if all coordinators fail or are removed and you can no longer use the Cloud UI or the RESTful API. You should not delete this token. To learn more, check [Using the Emergency Roles Token](/troubleshoot/deployments/cloud-enterprise/use-emergency-roles-token.md).
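
Review bot: In PATCH 1/6, the merged generate-roles-tokens.md states two different lifetimes for ephemeral tokens: the "Ephemeral token" definition says the token is available "for one hour before the token is revoked automatically", while the opening paragraph of "Revoke roles tokens" says ephemeral tokens "get deleted after 24 hours". This value bounds how long a leaked enrollment token remains usable, so confirm the actual behaviour and state it once, or spell out the distinction if the usable period and the retention period really differ. The sample output is also inconsistent with the requests: the persistent example sends `"roles": [ "allocator"]` and returns token_id `4c8990df-1fb7-4820-b868-6bc9e8860814`, but the list output in the revoke steps shows that same ID with `"roles": ["proxy", "allocator"]`. Align the examples so readers do not conclude that a token carries more roles than were requested. Finally, the first sentence of the revoke section repeats the page's opening sentence now that the two pages are merged and can be dropped.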
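
Review bot: In PATCH 3/6, the rewritten step 2 now has two colons, one before the token ID and one after it ("...you no longer need: `4c8990df-1fb7-4820-b868-6bc9e8860814`:"), and with "here" removed the ID no longer reads as a sample value from the listing in step 1. Suggest a single trailing colon and an explicit marker, for example "Use the token ID to delete the tokens you no longer need, for example `4c8990df-1fb7-4820-b868-6bc9e8860814`:".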
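
Review bot: In PATCH 6/6, the hunk at @@ -28,7 +28,7 @@ drops the `#ece-revoke-roles-token` link from the "Persistent token" definition, leaving "Can be revoked at any time." with no pointer to the procedure. That definition is where readers learn the token is valid "indefinitely", so it is the natural place to send them to the revoke steps. Suggest keeping the in-page anchor introduced in PATCH 4/6 here, even if the other links removed in this patch stay out.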