Migrate from token flow to key flow authentication

This guide helps you migrate STACKIT service account access tokens from token flow to key flow. Follow these steps to prepare for upcoming changes and keep your services secure.

Plan your token migration

Identify where you use service account access tokens. This helps you plan the migration.

1. Get a complete overview of every service that uses service account access tokens.
2. Estimate the effort required to update each implementation.
3. Create a schedule for rolling out changes to production environments.

If your migration will not be finished by 17 December 2025, renew your current service account access tokens by 16 December 2025 at the latest.

Update your authentication

Update your authentication method.

1. Choose a secure authentication method:
   • If migrating to Workload Identity Federation, configure the required Federated Identity Provider to link your service account to an external OIDC issuer.
   • If migrating to key flow, create a key for each service account (if not already created). See the guide on how to create a key.
2. Choose an implementation method for each application. STACKIT offers:
   • CLI application: Use the command-line tool to obtain a short-lived token or complete a task without writing your own code or scripts.
   • SDKs: Use the Go or Python SDKs to acquire tokens programmatically.
   • Manual implementation: Manually implement token acquisition by following this guide.
3. Test the new implementation in development and test environments.
4. Deploy to production after tests succeed.

Finalise the process

After migration is complete, delete long-lived service account access tokens in the STACKIT Portal.