DigitalOcean BYOC Setup
This guide walks you through connecting your own DigitalOcean account to Mengi Cloud as a BYOC (“Bring Your Own Cloud”) credential. When you use BYOC, Mengi provisions and manages a Kubernetes cluster (DigitalOcean Kubernetes, DOKS) inside your own DigitalOcean account, billed directly by DigitalOcean. Mengi only charges a management fee instead of the full infrastructure cost.
You will:
- Generate a personal access token with read & write scopes.
- Store the credential in Mengi Cloud and create a cluster.
The whole process is done in the DigitalOcean Control Panel — no CLI required.
What Mengi creates in your account
When you provision a BYOC cluster, Mengi creates the following in your account:
| Resource | DigitalOcean product |
|---|---|
| A DOKS managed Kubernetes cluster | Kubernetes |
| A default node pool (with optional autoscaling) | Kubernetes / Droplets |
The cluster’s nodes, load balancers and block-storage volumes are created and billed in your account. You can delete everything at any time from the Mengi dashboard (which cleanly tears down the infrastructure) or from the DigitalOcean Control Panel.
DigitalOcean’s managed Kubernetes (DOKS) control plane is free on the basic tier — you pay only for the worker-node Droplets and attached resources.
Required permissions
The personal access token Mengi uses needs read and write access to the Kubernetes API:
| Token scope | Why it’s needed |
|---|---|
| kubernetes (read & write) | Create and manage the DOKS cluster and node pool |
The simplest option is a full read & write token. If you prefer a custom (scoped) token, make sure it includes both read and write on Kubernetes.
Note: DigitalOcean tokens are scoped to the whole account/team — there is no per-project token. For the strongest isolation, use a dedicated team.
Prerequisites
- A DigitalOcean account with a valid payment method (DOKS worker nodes incur DigitalOcean charges in your account).
Part 1 — DigitalOcean Control Panel setup
1. Generate a personal access token
- Sign in to the DigitalOcean Control Panel.
- Open API → Tokens → Generate New Token.
- Name it, e.g. `mengi-cloud-byoc`.
- Choose Full Access, or a Custom Scopes token that grants read and write on Kubernetes.
- Click Generate Token.
- Copy the token now: it is shown only once (it starts with `dop_v1_`).
You now have the single value Mengi needs:
| Value | Where it came from |
|---|---|
| API Token | The personal access token (shown once) |
No CLI for this step. DigitalOcean’s CLI (`doctl`) authenticates with a personal access token (`doctl auth init`) but cannot mint one; PAT creation is a Control-Panel-only action. So generate the token in the Control Panel as above; `doctl` is only useful afterwards.
Part 2 — Store the credential in Mengi Cloud
- Sign in to the Mengi Cloud dashboard and open Cloud Credentials from the left-hand menu.
- Click Add Credential.
- Fill in the form:
  - Credential Name: any label, e.g. `digitalocean-byoc`.
  - Cloud Provider: select DigitalOcean.
  - API Token: paste your `dop_v1_…` token.
- Click Add Credential.
The credential is stored encrypted and starts in Pending Validation. Mengi validates it against the DigitalOcean Kubernetes API; once the token checks out the status turns to Ready. If it shows Invalid, re-check that you copied the full token and that it has Kubernetes read & write scope.
Part 3 — Create a BYOC cluster
- Start a new cluster/deployment in the Mengi dashboard.
- Choose DigitalOcean as the provider and select a region (e.g. `nyc1`, `nyc3`, `sfo3`, `tor1`, `ams3`, `fra1`, `lon1`, `sgp1`, `blr1`, `syd1`).
- Enable Use my own cloud account (BYOC) and select the `digitalocean-byoc` credential.
- Pick a cluster type, Dedicated (1 node) or Dedicated HA (3 nodes, with SLA), and create the cluster.
Mengi provisions the DOKS control plane and node pool in your account. The
cluster moves through pending → provisioning → running. Deleting it from Mengi
tears the infrastructure back down in your account.
BYOC is not available on the Development type — those are virtual clusters on Mengi’s own shared host infrastructure. Use Dedicated or Dedicated HA.
Rotating the API token
- In the DigitalOcean Control Panel, generate a new token (Part 1, Step 1).
- In Mengi, edit the `digitalocean-byoc` credential, paste the new token, then re-validate.
- Once the new token is Ready, delete the old token in the Control Panel.
Revoking access
To cut Mengi off entirely, delete (regenerate or revoke) the token in the DigitalOcean Control Panel. Delete any running BYOC clusters from the Mengi dashboard first so the infrastructure is cleaned up — once the token is gone, Mengi can no longer tear those resources down for you.
Security notes
- The token is shown only once at creation — store it securely and never commit it to version control.
- Prefer a custom-scoped token (Kubernetes read & write only) over a full read/write token where possible.
- Mengi stores BYOC credentials encrypted, not in plaintext.
- Rotate the token periodically.
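
The advice above to keep the token out of version control can be enforced with a pre-commit check. The following is an added example, not part of Mengi's or DigitalOcean's tooling; the token-body pattern (16 or more alphanumeric characters after the `dop_v1_` prefix), the function names and the sample input are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Pre-commit style check: fail if a file contains a DigitalOcean PAT."""
import re
import sys

# Assumption: after the documented dop_v1_ prefix the token body is a long
# alphanumeric run; requiring 16+ characters skips placeholders like "dop_v1_...".
TOKEN_RE = re.compile(r"dop_v1_[A-Za-z0-9]{16,}")


def redact(token: str) -> str:
    """Keep only the prefix and last 4 characters so the full secret is never logged."""
    return f"dop_v1_{'*' * 8}{token[-4:]}"


def scan_text(text: str):
    """Return (line_number, redacted_token) for every token-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((lineno, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan files, skipping unreadable ones; return (path, line, redacted_token)."""
    results = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        results.extend((path, ln, tok) for ln, tok in scan_text(text))
    return results


# Constructed sample input (the token value is fake).
SAMPLE = (
    "provider: digitalocean\n"
    "api_token: dop_v1_" + "0123456789abcdef" * 4 + "\n"
    "docs: paste your dop_v1_... token\n"
)

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:])
    for path, ln, tok in hits:
        print(f"{path}:{ln}: DigitalOcean token found ({tok})")
    sys.exit(1 if hits else 0)
```

Run it with the staged file paths as arguments; the non-zero exit status blocks the commit when the script is wired into a pre-commit hook.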