The argocd account command manages user account settings, including passwords, tokens, and permissions.
Quick Examples
# List all accounts
argocd account list
# Update current user's password
argocd account update-password
# Check permissions
argocd account can-i sync applications '*'
# Get user information
argocd account get-user-info
Subcommands
list
List all user accounts.
# List all accounts
argocd account list
# List as JSON
argocd account list -o json
# List as YAML
argocd account list -o yaml
Output:
NAME ENABLED CAPABILITIES
admin true login, apiKey
ci-user true apiKey
read-only true login
get
Get account details.
# Get specific account
argocd account get admin
# Get current account
argocd account get-user-info
# Get as JSON
argocd account get admin -o json
Output:
Name: admin
Enabled: true
Capabilities: login, apiKey
Tokens: 3
get-user-info
Get information about the currently logged-in user.
# Get current user info
argocd account get-user-info
# Get as JSON
argocd account get-user-info -o json
Output:
Logged In as: admin
Iss: argocd
Sub: admin
Groups: admin-group
Capabilities: login, apiKey
This shows:
Current username
JWT issuer
JWT subject
SSO groups (if applicable)
Available capabilities
update-password
Update account password.
Interactive: update password with prompts:
argocd account update-password
You’ll be prompted:
*** Enter current password:
*** Enter new password:
*** Confirm new password:
Password updated
Non-Interactive: update password from command line:
argocd account update-password \
  --current-password oldpass123 \
  --new-password newpass456
Update Other User: admin can update another user’s password:
argocd account update-password \
  --account ci-user \
  --new-password newpass789
Key Flags:
--account: Account name (admins only, updates another user)
--current-password: Current password (required unless admin)
Strong passwords are recommended. Use at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols.
generate-token
Generate authentication token for an account.
# Generate token for current account
argocd account generate-token
# Generate token for specific account
argocd account generate-token --account ci-user
# Generate with expiration
argocd account generate-token --expires-in 90d
# Generate with ID for identification
argocd account generate-token --id github-actions
# Generate for project role
argocd account generate-token \
--account proj:my-project:ci-cd \
--expires-in 180d \
--id jenkins
Key Flags:
--account: Account name or project role (format: proj:PROJECT:ROLE)
--expires-in: Token expiration (e.g., 24h, 30d, 1y). Defaults to no expiration
--id: Token identifier for easy identification
Output:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcmdvY2QiLCJzdWIiOiJhZG1pbjpsb2dpbiIsIm5iZiI6MTYzOTU4NjQwMCwiaWF0IjoxNjM5NTg2NDAwLCJqdGkiOiJnaXRodWItYWN0aW9ucyJ9.abc123def456
Save the token securely. It cannot be retrieved later, only regenerated.
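Because tokens default to no expiration, it is worth confirming what a token actually carries before it goes into a CI system. The following is an added example, not part of the Argo CD CLI or its documentation: it decodes the claims of the sample token from the Output above and reports whether an expiry is present. The function names are hypothetical, and it assumes the expiry is carried in the standard JWT exp claim.

```shell
#!/usr/bin/env bash
# Added example (not Argo CD tooling): read an API token's claims locally to
# see whether it expires. The signature is NOT verified; the server does that.

# Sample input: the token printed in the Output above (it has no "exp" claim).
SAMPLE_TOKEN='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcmdvY2QiLCJzdWIiOiJhZG1pbjpsb2dpbiIsIm5iZiI6MTYzOTU4NjQwMCwiaWF0IjoxNjM5NTg2NDAwLCJqdGkiOiJnaXRodWItYWN0aW9ucyJ9.abc123def456'

# Decode one base64url JWT segment, restoring the '=' padding that JWTs strip.
b64url_decode() {
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
    1) return 1 ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# jwt_claim TOKEN NAME: print a top-level claim, or nothing if it is absent.
# sed is enough for the flat claims shown here; use a JSON parser for nested data.
jwt_claim() {
  local payload
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -s -d. -f2)") || return 1
  case $payload in '{'*) ;; *) return 1 ;; esac
  printf '%s\n' "$payload" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# token_expiry_status TOKEN [NOW_EPOCH]
# Prints: no-expiry | expired | valid-until:<epoch> | malformed
token_expiry_status() {
  local exp now=${2:-$(date +%s)}
  exp=$(jwt_claim "$1" exp) || { echo "malformed"; return 2; }
  if [ -z "$exp" ]; then echo "no-expiry"; return 1; fi
  if [ "$exp" -le "$now" ]; then echo "expired"; return 1; fi
  echo "valid-until:$exp"
}

echo "id=$(jwt_claim "$SAMPLE_TOKEN" jti) status=$(token_expiry_status "$SAMPLE_TOKEN")"
```

The non-zero return code for no-expiry and expired lets a pipeline step refuse to store such a token.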
Using Generated Tokens
# Save token to environment variable
TOKEN=$(argocd account generate-token --account ci-user)
export ARGOCD_AUTH_TOKEN="$TOKEN"
# Use with CLI
argocd app list --auth-token "$TOKEN" --server cd.example.com
# Use with API
curl -H "Authorization: Bearer $TOKEN" \
  https://cd.example.com/api/v1/applications
list-tokens
List authentication tokens for an account (requires account name).
# List tokens for specific account
argocd account get admin
# Note: Use project role commands for detailed token listing
argocd proj role list-tokens my-project ci-cd
delete-token
Delete an authentication token.
# Delete token by ID
argocd account delete-token 1234567890
# Delete for specific account
argocd account delete-token --account ci-user 9876543210
# For project roles
argocd proj role delete-token my-project ci-cd 1234567890
Key Flags:
--account: Account name or project role
can-i
Check if the current user has permission to perform an action.
# Check application sync permission
argocd account can-i sync applications '*'
# Check specific application
argocd account can-i sync applications 'my-project/my-app'
# Check cluster permissions
argocd account can-i create clusters '*'
# Check repository permissions
argocd account can-i update repositories '*'
# Check project permissions
argocd account can-i get projects '*'
Syntax:
argocd account can-i <action> <resource> [object]
Common Actions:
get - View resources
create - Create new resources
update - Modify existing resources
delete - Remove resources
sync - Synchronize applications
override - Override parameters
action - Execute resource actions
Common Resources:
applications - Argo CD applications
applicationsets - ApplicationSets
clusters - Cluster credentials
repositories - Repository connections
projects - Projects
accounts - User accounts
certificates - TLS certificates
gpgkeys - GPG keys
Output:
yes
or
no
bcrypt
Generate bcrypt hash for a password.
# Generate bcrypt hash
argocd account bcrypt --password mySecurePassword123
# Or with prompt
argocd account bcrypt
Output:
$2a$10$rRyBsGSHK6.uc8fntPwVIuLVHgsAhAX7TcdrqW/XhLkqGnJ8J6UBS
This hash can be used in the argocd-cm ConfigMap for local user definitions.
Account Management
Local Users vs SSO
Argo CD supports two types of users:
Local Users: Defined in argocd-cm ConfigMap
SSO Users: Authenticated via OIDC/SAML
Managing Local Users
Local users are defined in the argocd-cm ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # Add local users
  accounts.alice: apiKey, login
  accounts.bob: apiKey
  accounts.ci-user: apiKey
Capabilities:
login - Can log in via UI/CLI
apiKey - Can generate API tokens
Then set passwords in argocd-secret:
# Generate password hash
PASSWORD_HASH=$(argocd account bcrypt --password alicePassword123)
# Update secret (the hash is spliced into the JSON between the single-quoted parts)
kubectl patch secret argocd-secret -n argocd \
  -p '{"stringData": {
    "accounts.alice.password": "'"$PASSWORD_HASH"'"
  }}'
Common Workflows
First-Time Setup
# 1. Get initial admin password
argocd admin initial-password
# 2. Login
argocd login cd.example.com --username admin
# 3. Update admin password
argocd account update-password
# 4. Verify update
argocd account get-user-info
Create Service Account for CI/CD
# 1. Create local user in argocd-cm
kubectl patch configmap argocd-cm -n argocd --type merge \
  -p '{"data":{"accounts.ci-deployer":"apiKey"}}'
# 2. Generate password hash
PASSWORD_HASH=$(argocd account bcrypt --password secure-ci-password)
# 3. Set password in secret
kubectl patch secret argocd-secret -n argocd \
  -p '{"stringData":{"accounts.ci-deployer.password":"'"$PASSWORD_HASH"'"}}'
# 4. Restart Argo CD server to apply changes
kubectl rollout restart deployment argocd-server -n argocd
# 5. Wait for rollout
kubectl rollout status deployment argocd-server -n argocd
# 6. Login as new user
argocd login cd.example.com --username ci-deployer
# 7. Generate token
TOKEN=$(argocd account generate-token --account ci-deployer --expires-in 365d --id github-actions)
echo "CI/CD Token: $TOKEN"
echo "Save this token securely!"
After creating a user, configure permissions in argocd-rbac-cm:
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    # Grant ci-deployer sync permissions
    p, ci-deployer, applications, sync, */*, allow
    p, ci-deployer, applications, get, */*, allow
    # Grant alice admin permissions on specific project
    p, alice, applications, *, my-project/*, allow
    # Grant bob read-only access
    p, bob, applications, get, */*, allow
    p, bob, clusters, get, *, allow
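To review a policy like this against the least-privilege guidance, the rules can be linted before they are applied. The following is an added example, not Argo CD tooling or code from this documentation: it reads policy.csv lines and reports allow rules with a wildcard action, a wildcard resource, or non-read access across all objects. The function names and finding labels are hypothetical, and the input is the policy shown above.

```shell
#!/usr/bin/env bash
# Added example (not Argo CD tooling): flag allow rules in a policy.csv that
# grant more than a narrowly scoped account usually needs.

# Constructed input: the policy.csv body from the ConfigMap above.
sample_policy() {
  cat <<'EOF'
# Grant ci-deployer sync permissions
p, ci-deployer, applications, sync, */*, allow
p, ci-deployer, applications, get, */*, allow
# Grant alice admin permissions on specific project
p, alice, applications, *, my-project/*, allow
# Grant bob read-only access
p, bob, applications, get, */*, allow
p, bob, clusters, get, *, allow
EOF
}

# lint_policy: policy.csv on stdin -> one "<subject> <finding> <detail...>" line per hit.
lint_policy() {
  awk -F',' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*(#|$)/   { next }      # comments and blank lines
    trim($1) != "p"  { next }      # only permission rules are checked
    {
      subj = trim($2); res = trim($3); act = trim($4); obj = trim($5)
      if (trim($6) != "allow") next
      if (act == "*") print subj, "wildcard-action", res, obj
      if (res == "*") print subj, "wildcard-resource", act, obj
      # Anything other than read access across every object deserves a second look.
      if ((obj == "*" || obj == "*/*") && act != "get" && act != "*")
        print subj, "non-read-on-all-objects", res, act
    }'
}

sample_policy | lint_policy
```

A finding is a prompt for review, not an error: the ci-deployer sync rule is intentional here, but scoping it to a project (for example my-project/*) narrows what a leaked token can do.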
Rotate CI/CD Token
# 1. List existing tokens
argocd account get ci-deployer
# 2. Generate new token
NEW_TOKEN=$(argocd account generate-token \
  --account ci-deployer \
  --expires-in 365d \
  --id github-actions-2024)
# 3. Update CI/CD system with new token
echo "New token: $NEW_TOKEN"
# 4. Delete old token after confirming new one works
argocd account delete-token --account ci-deployer <old-token-id>
Audit User Permissions
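#!/bin/bash
# audit-permissions.sh
# can-i answers for the identity of the session or token in use, so each
# account is queried with its own API token via --auth-token.
# Assumption: TOKEN_DIR holds one file per account, named after the account.
TOKEN_DIR="${TOKEN_DIR:?set TOKEN_DIR to the directory holding the token files}"
USERS=("admin" "alice" "bob" "ci-deployer")
ACTIONS=("get" "sync" "delete" "update" "create")
RESOURCES=("applications" "clusters" "repositories" "projects")
for user in "${USERS[@]}"; do
  echo "=== Permissions for $user ==="
  # Skip accounts for which no token file is available
  token=$(<"$TOKEN_DIR/$user") || continue
  for resource in "${RESOURCES[@]}"; do
    echo "  $resource:"
    for action in "${ACTIONS[@]}"; do
      result=$(argocd account can-i "$action" "$resource" '*' --auth-token "$token" 2>&1)
      if [[ $result == "yes" ]]; then
        echo "    ✓ $action"
      fi
    done
  done
  echo ""
done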
Temporary Access Token
# Generate short-lived token for external contractor
TEMP_TOKEN=$(argocd account generate-token \
  --account contractor \
  --expires-in 7d \
  --id contractor-temp-access)
echo "Temporary token (expires in 7 days): $TEMP_TOKEN"
# Send token securely to contractor
# Token will automatically expire after 7 days
Security Best Practices
Strong Passwords: Use at least 12 characters with complexity
Token Expiration: Always set expiration for tokens (e.g., 90d)
Token IDs: Use descriptive IDs to track token usage
Regular Rotation: Rotate tokens every 90 days
Principle of Least Privilege: Grant minimum required permissions
Audit Logs: Monitor account usage via Argo CD audit logs
SSO Preferred: Use SSO instead of local users for human access
Service Accounts: Use dedicated accounts for automation
Remove Unused Accounts: Delete or disable accounts no longer needed
Secure Token Storage: Store tokens in secrets managers (Vault, etc.)
Troubleshooting
Password Issues
# Reset admin password (requires Kubernetes access)
kubectl delete secret argocd-initial-admin-secret -n argocd
kubectl rollout restart deployment argocd-server -n argocd
# Get new initial password
argocd admin initial-password
# Update to custom password
argocd account update-password
Token Not Working
# Verify token is valid
argocd account get-user-info --auth-token "$TOKEN"
# Check token permissions
argocd account can-i get applications '*' --auth-token "$TOKEN"
# Regenerate token if expired
NEW_TOKEN=$(argocd account generate-token --account ci-user)
Permission Denied
# Check current permissions
argocd account can-i sync applications '*'
# Verify RBAC configuration
kubectl get configmap argocd-rbac-cm -n argocd -o yaml
# Check if account exists
argocd account list
# Get user info
argocd account get-user-info
Account Not Found
# Verify account exists in ConfigMap
kubectl get configmap argocd-cm -n argocd -o yaml | grep accounts
# Restart server after adding account
kubectl rollout restart deployment argocd-server -n argocd
Environment Variables
Authentication token to use instead of login
Default username for authentication
Default password for authentication (not recommended)