Skip to main content
Version: 3.19 (latest)

Authentication quickstart

Big picture

Get started quickly with our default token authentication to log in to Calico Enterprise Manager UI and Kibana.


Authentication defaults

Token authentication is the default authentication option for Calico Enterprise Manager. When a service account is created, an associated secret is created that contains a signed bearer token for that service account. Just copy the token for the service account in to the Manager UI and log in.

Use basic login for the default Kibana root user.

The default login methods are always available at:

  • Calico Enterprise Manager: https://<host>:<port>/login/token.
  • Kibana: https://<host>:<port>/tigera-kibana/login.

Before you begin

Make sure you have installed Calico Enterprise using one of the installation guides and have set up access to the Manager UI.

How to


For OpenShift, replace kubectl with oc in the following commands.

Log in to Calico Enterprise Manager

First, create a service account in the desired namespace:

kubectl create sa <user> -n <namespace>

Give the service account permissions to access the Calico Enterprise Manager UI, and a Calico Enterprise cluster role:

kubectl create clusterrolebinding <binding_name> --clusterrole <role_name> --serviceaccount <namespace>:<service_account>


  • binding_name is a descriptive name for the rolebinding.
  • role_name is one of the default cluster roles (or a custom cluster role) specifying Calico Enterprise UI permissions.
  • namespace is the service account's namespace.
  • service_account is the service account that the permissions are being associated with.

For example, the following command gives the service account, jane in the default namespace network admin permissions:

kubectl create clusterrolebinding jane-access --clusterrole tigera-network-admin --serviceaccount default:jane

Next, create a login token for the service account.

Using the running example of a service account named, jane in the default namespace:

kubectl create token jane --duration=24h

The token created above will expire after 24 hours.

Now that you have the token, log in to the Calico Enterprise UI and submit the token.


Log in to Kibana

Connect to Kibana with the elastic username. Use the following command to decode the password:

kubectl -n tigera-elasticsearch get secret tigera-secure-es-elastic-user -o go-template='{{.data.elastic | base64decode}}' && echo

Once logged in, you can configure users and their privileges from the settings page.

Additional resources