Rancher/Cattle Token Detector
Overview
- Service: Rancher Kubernetes Management Platform
- Risk: CRITICAL - Full cluster admin access
- Users: 37,000+ organizations
Token Format
Pattern
(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["\']?([a-z0-9]{54,64})["\']?
Structure
- Length: 54-64 characters (typically 54)
- Characters: Lowercase letters + digits only ([a-z0-9])
- No special chars: No hyphens, underscores, uppercase
Example (fake)
jswpl27hs8pd88rmw2mgfgrjtpljp85fd5v7rhdwr2s6z22hvt6vjt
Where Users Get Tokens
- Rancher UI: User Avatar → "Account & API Keys" → "Create API Key"
- Bootstrap Password:
docker logs rancher-container | grep "Bootstrap Password"
- Direct URL:
https://[rancher-server]/apikeys
Validation
Endpoint: GET {CATTLE_SERVER}/v3
Header: Authorization: Bearer {token}
Success: HTTP 200 with JSON containing "apiVersion"
Failure: HTTP 401
curl -k -H "Authorization: Bearer ${TOKEN}" https://rancher.example.com/v3
Common Variable Names
CATTLE_TOKEN
CATTLE_BOOTSTRAP_PASSWORD
RANCHER_TOKEN
RANCHER_API_TOKEN
RANCHER_SECRET_KEY
Detection Strategy
⚠️ IMPORTANT: Pattern [a-z0-9]{54,64} alone has HIGH false positives!
Recommended: Only detect when:
- Found in a variable named CATTLE_TOKEN, RANCHER_TOKEN, etc.
- OR found within 500 chars of CATTLE_SERVER or RANCHER_URL
- AND has high entropy (Shannon > 4.0)
Example Detections
✅ Should Detect
# .env file
CATTLE_SERVER=https://rancher.example.com
CATTLE_TOKEN=jswpl27hs8pd88rmw2mgfgrjtpljp85fd5v7rhdwr2s6z22hvt6vjt
# Kubernetes deployment
env:
  - name: CATTLE_TOKEN
    value: k7mnp9qr4st2vwx8yz3abc5def1ghi6jkl0mno8pqr2stu4vwx9yz
# Terraform
provider "rancher2" {
  token_key = "xz9yw8vt7sr6qp5on4ml3kj2ih1gf0ed9cb8az7yx6wv5ut4sr3qp"
}
❌ Should NOT Detect (no context)
# Random string without Rancher context
random_data = "abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuv"
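The detection strategy above and the Should/Should NOT cases, as an added Python implementation (example code, not the page's or TruffleHog's own): it applies the variable-name rule, the 500-character context rule and the Shannon-entropy gate, and runs them over constructed samples built from the page's fake .env token. The BARE_TOKEN pattern, the reason labels and the sample texts are this example's own assumptions.

```python
import math
import re
from collections import Counter

# The page's variable-name pattern (the quote character written plainly in Python).
NAMED_TOKEN = re.compile(
    r"(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)"
    r"\w*\s*[=:]\s*[\"']?([a-z0-9]{54,64})[\"']?"
)
# Example's own helper: a bare 54-64 char run, bounded so a longer run is not sliced into a match.
BARE_TOKEN = re.compile(r"(?<![a-z0-9])([a-z0-9]{54,64})(?![a-z0-9])")
CONTEXT = re.compile(r"CATTLE_SERVER|RANCHER_URL")
CONTEXT_WINDOW = 500   # characters, per the page's strategy
MIN_ENTROPY = 4.0      # bits per character, per the page's strategy


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_rancher_tokens(text: str) -> list[tuple[str, str]]:
    """Return (token, reason) pairs that pass the page's detection rules."""
    candidates: dict[str, str] = {}
    # Rule 1: the value is assigned to a known Rancher/Cattle variable name.
    for m in NAMED_TOKEN.finditer(text):
        candidates.setdefault(m.group(1), "variable name")
    # Rule 2: a bare candidate within CONTEXT_WINDOW chars of CATTLE_SERVER / RANCHER_URL.
    context_at = [m.start() for m in CONTEXT.finditer(text)]
    for m in BARE_TOKEN.finditer(text):
        if any(abs(m.start(1) - p) <= CONTEXT_WINDOW for p in context_at):
            candidates.setdefault(m.group(1), "near Rancher context")
    # Both rules are gated on entropy, which screens out padding and placeholder values.
    return [(tok, why) for tok, why in candidates.items()
            if shannon_entropy(tok) > MIN_ENTROPY]


# Constructed samples; the token value is the page's fake .env example.
FAKE_TOKEN = "jswpl27hs8pd88rmw2mgfgrjtpljp85fd5v7rhdwr2s6z22hvt6vjt"
ENV_FILE = f"CATTLE_SERVER=https://rancher.example.com\nCATTLE_TOKEN={FAKE_TOKEN}\n"
CONTEXT_ONLY = f"RANCHER_URL=https://rancher.example.com\napi_token = \"{FAKE_TOKEN}\"\n"
NO_CONTEXT = 'random_data = "abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuv"\n'
LOW_ENTROPY = "CATTLE_TOKEN=" + "a" * 54 + "\n"

if __name__ == "__main__":
    for label, sample in [("env", ENV_FILE), ("context", CONTEXT_ONLY),
                          ("no-context", NO_CONTEXT), ("low-entropy", LOW_ENTROPY)]:
        print(label, find_rancher_tokens(sample))
```

Note that the no-context string has high entropy on its own, so the entropy gate alone would not reject it; it is the missing variable name and context that keep it out.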
Impact if Leaked
- Deploy malicious containers
- Access all Kubernetes secrets (DB passwords, API keys)
- Create/delete clusters
- Modify RBAC policies
- Execute commands in any pod
- Persistent backdoor access
TruffleHog Config
detector:
  name: RancherToken
  severity: CRITICAL
  pattern:
    # YAML single-quoted scalar: the apostrophe inside the character class is doubled ('') so it does not end the string
    regex: '(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["'']?([a-z0-9]{54,64})["'']?'
    capture_group: 1
  validation:
    requires_context: CATTLE_SERVER
    endpoint: "{CATTLE_SERVER}/v3"
    method: GET
    headers:
      - name: Authorization
        value: "Bearer {SECRET}"
    success:
      status_code: 200
      body_contains: "apiVersion"
    failure:
      status_codes: [401, 403]