Changing the cluster administrator access credentials

You can update the cluster administrator username and password.

Required user type or access level: Cluster administrator

Before you begin

Adding new user to Platform UI

Complete the following steps to rename a default admin user in Platform UI:

Changing the cluster administrator username

Run the following commands to change the cluster administrator username.

  1. Run the cloudctl login command from any node that has access to your cluster.

  2. Run cloudctl token to get IAM access token.

    Note: When you use cloudctl tokens, you see the generated tokens. Keep a copy of the tokens. Do not run cloudctl logout command as it revokes the token.

    Use the following command to get platform UI token by using IAM token.

    curl -k X GET '<Zen-url>/v1/preauth/validateAuth' \
    -H "username: admin" \
    -H "iam-token: <iam-token>""

    It is valid only when Platform UI (ibm-zen-operator) service is installed.

  3. Use cloudctl to change your username and to restart deployments. For example:

    cloudctl pm update-secret ibm-common-services platform-auth-idp-credentials -d admin_username=<username>
  4. Update the clusterrolebinding role-based access control (RBAC) object with the new username.

    kubectl edit clusterrolebinding oidc-admin-binding

    Following is a sample clusterrolebinding RBAC object:

    Please edit the following object. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    kind: ClusterRoleBinding
      creationTimestamp: 2019-02-04T18:44:34Z
      name: oidc-admin-binding
      resourceVersion: "3162"
      selfLink: /apis/
      uid: eab9c9c9-28ac-11e9-aca2-0050569a1e29
      kind: ClusterRole
      name: cluster-admin
    - apiGroup:
      kind: User
      name: https://mycluster.icp:8443/oidc/endpoint/OP#admin        <===========
    - apiGroup:
      kind: User
      name: admin                                                    <===========
  5. Replace the admin name in https://mycluster.icp:8443/oidc/endpoint/OP#admin with the new name. Change OP#admin to OP#<new admin user name>.

  6. Replace the admin name in name: admin with the new name. Change name: admin to name: <new admin user name>.

  7. Save the file.

Adding Platform UI user by using the Platform UI token

Use the following command to add new user to Platform UI:

curl --location --request POST 'https://ZEN_URL/usermgmt/v1/user'
--header 'Authorization: Bearer ZEN_TOKEN'
--header 'Content-Type: application/json'
--data-raw '{
"username": "",
"displayName": "UserFirstName UserLastName",
"email": "",
"user_roles": [

Disable the default admin after you add new user to Platform UI. For more information, see Disabling the default admin user.

Changing the cluster administrator password

The cluster administrator password is stored in a Kubernetes Secret. cloudctl has a command to change the password and restart services that use the password.

To change your password run the following command:

cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_password

The password must follow the defined password rules.

Password rules

Password rules are optional, regular expressions (regex) that are used to set and validate managed password values within a namespace. The update-secret command checks password rules before changing the values in the secret. It validates if rules exist on the namespace that the secret is in, and that the secret data element name change contains pass or pwd in any case combination.

Note: You can use the following regex expressions from the command line. Ensure that you wrap the expressions in single quotation marks:

Table 1. List of rules for Regex expressions
Rule Regex
Min length 10 ^.{10,}
Max length 10 ^.{0,10}$
Length range ^.{10,20}$
Require lower .*[a-z].*
Require upper .*[A-Z].*
Require num .*[0-9].*
Require spec .*[!@#\$%\^&\*].*

To list the password rules, run the following command:

cloudctl pm password-rules <namespace>

The rules are listed similar to the following example,

cloudctl pm password-rules default

Name   Description        Regex
min10  minimum length 10  ^.{10,}

If you want to change the password rules, you can run the following command:

cloudctl pm password-rule-set <namespace> <rule_name> <rule_regex> <rule_desc>

For example,

cloudctl pm password-rule-set default min_10 '^.{10,}' "minimum length of 10"

If you need to remove the password rule, run the following command:

cloudctl pm password-rule-rm <namespace> <rule_name>

For example,

cloudctl pm password-rule-rm default min_10