Rotate SideroLink Join Token
This guide shows you how to rotate SideroLink join tokens.
A join token is the secret used to authenticate Talos machines' gRPC requests when they establish the WireGuard tunnel connection.
If the token is compromised it can be revoked and replaced with the new one.
Conditions that Make Token Rotation Possible
When a machine connects to Omni for the first time, it uses a shared join token. Omni then creates a unique, ephemeral token for each machine, and when Talos is installed that token is persisted to disk. If the shared token is revoked, machines that have persisted unique tokens stay connected, but machines that still use ephemeral or shared tokens are disconnected.
Talos < 1.6 doesn't support unique tokens.
If Omni is started with --join-tokens-mode=legacy, unique node tokens are not generated for any machine, so rotating the join tokens is not possible.
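The conditions above decide which machines survive a revocation. The following added example (not part of Omni or this guide) models them as a pre-rotation audit over a constructed machine inventory, so you can see which machines would drop off SideroLink before you revoke the shared token; the machine names, versions and the Machine record are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Machine:
    name: str
    talos_version: str      # e.g. "1.7.4"
    token_kind: str         # "unique", "ephemeral" or "shared"
    token_persisted: bool   # True once Talos is installed and the unique token is on disk


def supports_unique_tokens(talos_version: str) -> bool:
    """Talos releases before 1.6 cannot use per-machine unique tokens."""
    major, minor = (int(p) for p in talos_version.lstrip("v").split(".")[:2])
    return (major, minor) >= (1, 6)


def machines_at_risk(machines, legacy_mode=False):
    """Return the names of machines that would lose their SideroLink
    connection if the shared join token were revoked.

    A machine survives only if it runs Talos >= 1.6 and holds a persisted
    unique token; with --join-tokens-mode=legacy no unique tokens exist,
    so every machine is at risk.
    """
    at_risk = []
    for m in machines:
        safe = (
            not legacy_mode
            and supports_unique_tokens(m.talos_version)
            and m.token_kind == "unique"
            and m.token_persisted
        )
        if not safe:
            at_risk.append(m.name)
    return at_risk


# Constructed inventory for the example (assumed names and versions, not real data)
INVENTORY = [
    Machine("node-a", "1.7.4", "unique", True),      # installed, token on disk: safe
    Machine("node-b", "1.7.4", "unique", False),     # booted but not installed yet
    Machine("node-c", "1.5.5", "shared", False),     # Talos < 1.6: no unique token
    Machine("node-d", "1.8.0", "ephemeral", False),  # still on the ephemeral token
]

if __name__ == "__main__":
    print("would disconnect:", machines_at_risk(INVENTORY))
```

An empty result from machines_at_risk means the revocation is safe for the machines you modelled; anything else lists the machines that need a fresh token first.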
First, click the "Join Tokens" section button in the sidebar. Next, click the "Create Join Token" button on the right.


Give the token a name and click the "Create Join Token" button.

If the token that you are going to revoke is the default one, mark the new token as default.

Revoke the old token, paying attention to the warnings.
If the token is rotated while ignoring the warnings, the machines in the list might get disconnected after the first restart of Omni or of the machine.

If it is safe to rotate the token, Omni shows a green check mark and a confirmation message.
Click Revoke.

You can copy the new token and start using it.