Whoops! I deleted the InfluxD Operator Token

When you first install InfluxDB, if you head over to the API Tokens tab under “Load Data”, you’ll find an API token called something like “admin’s token”.

This key is known as an Operator Token. It grants full read and write access to all resources across all organisations in InfluxDB. An Operator Token is effectively a Linux root equivalent, and has higher privileges than an “All-Access” token.

All-Access tokens can only make modifications to a specific organisation. An Operator token can do the same, but for everything.

Now, let’s say you’re like me and have unknowingly deleted this token (I thought it wasn’t required, but turns out you need it to make extra users). Let’s go about recovering that.

Starting from Scratch

You may find that your influx-cli is unconfigured, which will make it difficult to look up IDs for users and orgs later in this post. Let’s quickly sort that out now.

Head on over to the Web GUI of your InfluxDB server, navigate to the “Load Data” page and select “API Tokens”.

Here, let’s generate an “All Access Token”. Click the plus (+) icon at the top right of the page and give the token a name, like admin-cli. Once that’s done, we can add it to our influx-cli config. Open the ~/.influxdbv2/configs file in your preferred editor.

[influx-server_admin-cli]
    url = "http://influx.localdomain:8086"
    token = "[...]oXT5j[...]"
    org = "my-organisation"
    active = true

From here, if we type influx config list, we should see this new config.

$ influx config list
Active  Name                       URL                              Org
*       influx-server_admin-cli    http://influx.localdomain:8086   my-organisation

Gathering our Information

Recovering this Operator Token is relatively straightforward; the only caveat is that you need to stop the InfluxD server, which means you will stop collecting events. Realistically, though, you’ll only need to stop it for a minute or two to execute the commands.

You should at least have one user, commonly known as “Admin”. We’re going to create an Operator Token for this user. Let’s prepare our command.

First, we need to locate our InfluxD bolt file. By default this is ~/.influxdbv2/influxd.bolt, but depending on which user you run this command as, it may not resolve to the path you’d expect. Let’s look for our bolt files.

$ sudo updatedb
$ locate influxd.bolt
/var/lib/influxdb/influxd.bolt

That looks like it; your results may vary. We’ll note that one down.

$ export INFLUXD_BOLT=/var/lib/influxdb/influxd.bolt

Let’s double check which user we’re going to use to create an Operator Token. This user needs to exist; InfluxD recovery will not create one for you.

$ influx user list
ID                      Name
09076321bc352000        admin
$ export INFLUXD_USER=admin

I’ve only got Admin here, so I’m going to use that. We also need to specify our organisation, so let’s list those and select one.

$ influx org list
ID                      Name
a9b9db8ee3e984aa        rajchert.net
$ export INFLUXD_ORG=rajchert.net

That’s it! Let’s create an Operator Token.

Creating an Operator Token

Using the information we collected above, we’re going to:

  1. Stop the InfluxD service
  2. Create the Operator Token
  3. Start the InfluxD service

$ sudo systemctl stop influxd.service
$ sudo influxd recovery auth create-operator \
--bolt-path "$INFLUXD_BOLT" \
--org "$INFLUXD_ORG" \
--username "$INFLUXD_USER"
$ sudo systemctl start influxd.service

And with that, in no time at all you should have a new Operator Token called “$INFLUXD_USER’s Recovery Token”. Feel free to change the name of this.
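
The three steps above wrapped into one function, as an added example that is not part of the original post: it checks the bolt path before stopping anything, copies the bolt file while influxd is down, and restarts the service even when recovery fails. The function name, the SUDO override variable and the .pre-recovery suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): stop, recover, start as one unit.
# Hypothetical names: recover_operator_token, SUDO, the .pre-recovery suffix.

# Set SUDO to an empty string when already running as root.
SUDO="${SUDO-sudo}"

recover_operator_token() {
    rot_bolt="$1"; rot_org="$2"; rot_user="$3"; rot_rc=0

    # Preflight: do not stop the service for a bolt path that does not exist.
    if ! $SUDO test -f "$rot_bolt"; then
        echo "bolt file not found: $rot_bolt" >&2
        return 2
    fi

    $SUDO systemctl stop influxd.service || return 3

    # Copy the bolt file while influxd is down so the change can be rolled back.
    # -p keeps the original owner and mode on the copy.
    $SUDO cp -p "$rot_bolt" "$rot_bolt.pre-recovery" || rot_rc=4

    if [ "$rot_rc" -eq 0 ]; then
        $SUDO influxd recovery auth create-operator \
            --bolt-path "$rot_bolt" \
            --org "$rot_org" \
            --username "$rot_user" || rot_rc=5
    fi

    # Restart even when the steps above failed, so collection resumes.
    $SUDO systemctl start influxd.service || rot_rc=6
    return "$rot_rc"
}

# Usage: ./recover-operator.sh /var/lib/influxdb/influxd.bolt my-organisation admin
if [ "$#" -eq 3 ]; then
    recover_operator_token "$@"
fi
```

A non-zero return code tells you which step failed: 2 for a missing bolt file, 3 for the stop, 4 for the copy, 5 for the recovery command and 6 for the restart.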

Saving Config to Influx-CLI

When you execute commands using influx-cli, you must authenticate against the Influx server. Let’s add the token we’ve just generated to our config.

Config is stored at ~/.influxdbv2/configs by default. If you have a look at this file you’ll see some commented-out examples. Let’s add ours:

# [us-west]
#   url = "https://us-west-2-1.aws.cloud2.influxdata.com"
#   token = "XXX"
#   org = ""
[influx-server]
    url = "http://my-influx-server.localdomain:8086"
    token = "[...]xDd76aKb[...]"
    org = "my-organisation"
    active = true

Once saved, if you list your configs it should appear and be active!

$ influx config list
Active  Name            URL                                            Org
*       influx-server   http://my-influx-server.localdomain:8086       my-organisation

Using our new Operator Token

Let’s create a new user. This can be done with influx-cli.

$ influx user create \
--name joebloggs \
--password ExAmPl3PA55W0rD \
--org myOrganisation

Once this is executed, a new user should be created instantly!

More about Influx-CLI

You can learn more about the Influx Command Line Interface by reading the reference manual here.
