Managing cloud credentials using pxctl


In this document, we are going to show how to manage your cloud credentials using pxctl.

The cloud provider credentials are stored in an external secret store. Before you use the commands from below, you should configure a secret provider of your choice with Portworx. For more information, head over to the Key Management page.


You can use the pxctl credentials command to create, list, validate, or delete your cloud credentials. Then, Portworx will use these credentials, for example, to back up your volumes to the cloud.

Enter the pxctl credentials --help command to display the list of subcommands:

/opt/pwx/bin/pxctl credentials --help
Manage credentials for cloud providers

  pxctl credentials [flags]
  pxctl credentials [command]

  credentials, cred

Available Commands:
  create      Create a credential for cloud providers
  delete      Delete a credential for cloud
  list        List all credentials for cloud
  validate    Validate a credential for cloud

  -h, --help   help for credentials

Global Flags:
      --ca string        path to root certificate for ssl usage
      --cert string      path to client certificate for ssl usage
      --color            output with color coding
      --config string    config file (default is $HOME/.pxctl.yaml)
      --context string   context name that overrides the current auth context
  -j, --json             output in json
      --key string       path to client key for ssl usage
      --raw              raw CLI output for instrumentation
      --ssl              ssl enabled for portworx

Use "pxctl credentials [command] --help" for more information about a command.

List credentials

To list all configured credentials, use this command:

pxctl credentials list
S3 Credentials
ffffffff-ffff-ffff-1111-ffffffffffff		us-east-1		AAAAAAAAAAAAAAAAAAAA		false		false

Azure Credentials
ffffffff-ffff-ffff-ffff-ffffffffffff		portworxtest		false

Create and configure credentials

You can create and configure credentials in multiple ways depending on your cloud provider and how you want to manage them.

Create credentials on AWS by specifying your keys

Enter the pxctl credentials create command, specifying:

  • The --provider flag with the name of the cloud provider (s3).
  • The --s3-access-key flag with your secret access key
  • The s3-secret-key flag with your access key ID
  • The s3-region flag with the name of the S3 region (us-east-1)
  • The --s3-endpoint flag with the name of the endpoint (
  • The name of your cloud credentials
pxctl credentials create \
  --provider s3 \
  --s3-access-key <YOUR-SECRET-ACCESS-KEY>
  --s3-secret-key <YOUR-ACCESS-KEY-ID> \
  --s3-region us-east-1 \
  --s3-endpoint \
Credentials created successfully
Note: This command will create a bucket with the Portworx cluster ID to use for the backups.

Delete existing credentials

To delete a particular set of credentials, you can run pxctl credentials delete with the uuid or the name as parameters like this:

pxctl credentials delete <uuid or name>
Credential deleted successfully
Don’t forget to replace <uuid or name> with the actual uuid or name of the credentials you want to delete.

Validate credentials

If you want to validate a set of credentials for a particular cloud provider, run the following:

pxctl credentials validate <uuid or name>
Credential validated successfully
Don’t forget to replace <uuid or name> with the actual uuid or name of the credentials you want to delete.
  • For information about integrating Portworx with Kubernetes Secrets, refer to the Kubernetes Secrets page.

Last edited: Tuesday, Jun 23, 2020