Hetzner BYOC Setup
This guide walks you through connecting your own Hetzner Cloud account to Mengi Cloud as a BYOC (“Bring Your Own Cloud”) credential. With BYOC, Mengi provisions and manages a Kubernetes cluster inside your own Hetzner Cloud project, and Hetzner bills that infrastructure to you directly. Mengi charges only a management fee rather than the full infrastructure cost.
You will:
- Create a dedicated project in the Hetzner Cloud Console.
- Generate a Read & Write API token for that project.
- Store the credential in Mengi Cloud and create a cluster.
The whole process is done in the Hetzner Cloud Console — no CLI required.
What Mengi creates in your project
When you provision a BYOC cluster, Mengi creates the following in your chosen project:
| Resource | Hetzner product |
|---|---|
| A private network and subnet | Networks |
| Control-plane and worker nodes | Servers |
| A NAT gateway for outbound traffic | Servers |
| A load balancer for the cluster | Load Balancers |
| An SSH key for emergency access | SSH Keys |
The servers, load balancer and any volumes are created in your project and billed there by Hetzner. You can delete everything at any time from the Mengi dashboard (which cleanly tears down the infrastructure) or from the Hetzner Cloud Console.
Unlike managed-Kubernetes providers, Hetzner offers no managed control plane: the Kubernetes control plane runs on servers in your project. There is no separate control-plane fee; you pay Hetzner only for the servers and load balancer.
Required permissions
Hetzner Cloud API tokens are scoped to a single project and have one of two permission levels: Read, or Read & Write. Mengi needs:
| Token permission | Why it’s needed |
|---|---|
| Read & Write | Create and manage networks, servers, the load balancer and SSH keys |
Least privilege: A Hetzner token can only touch the one project it was created in. Dedicate a project to Mengi so the token can never affect resources in your other projects.
Prerequisites
- A Hetzner Cloud account with a valid payment method (servers and load balancers incur Hetzner charges in your project).
Part 1 — Hetzner Cloud Console setup
1. Create a dedicated project
A separate project keeps Mengi’s resources isolated and makes the token easy to scope and revoke.
- Sign in to the Hetzner Cloud Console.
- From the project list, click + New project.
- Name it e.g. `mengi-byoc` and open it.
2. Generate an API token
- Inside the `mengi-byoc` project, open Security → API tokens → Generate API token.
- Add a description like “Mengi Cloud BYOC”.
- Set the permission to Read & Write.
- Click Generate API token.
- Copy the token now — it is shown only once (a 64-character string).
You now have the single value Mengi needs:
| Value | Where it came from |
|---|---|
| API Token | The project’s Read & Write API token (shown once) |
No CLI for this step. Hetzner’s CLI (`hcloud`) authenticates with an API token but cannot create projects or mint tokens; those are Console-only actions. The credential itself must therefore be created in the Console as above. `hcloud` is useful only afterwards, for checking that the token works and inspecting what Mengi has created in the project.
Part 2 — Store the credential in Mengi Cloud
- Sign in to the Mengi Cloud dashboard and open Cloud Credentials from the left-hand menu.
- Click Add Credential.
- Fill in the form:
  - Credential Name — any label, e.g. `hetzner-byoc`.
  - Cloud Provider — select Hetzner Cloud.
  - API Token — paste your Read & Write token.
- Click Add Credential.
The credential is stored encrypted and starts in Pending Validation. Mengi validates it against the Hetzner Cloud API; once the token checks out the status turns to Ready. If it shows Invalid, re-check that you copied the full token and that it has Read & Write permission.
Part 3 — Create a BYOC cluster
- Start a new cluster/deployment in the Mengi dashboard.
- Choose Hetzner as the provider and select a location: `fsn1` (Falkenstein), `nbg1` (Nuremberg), `hel1` (Helsinki), `ash` (Ashburn, USA), `hil` (Hillsboro, USA) or `sin` (Singapore).
- Enable Use my own cloud account (BYOC) and select the `hetzner-byoc` credential.
- Pick a cluster type, Dedicated (1 node) or Dedicated HA (3 nodes, with SLA), and create the cluster.
Mengi provisions the private network, NAT gateway, servers and load balancer in your project. The cluster moves through pending → provisioning → running. Deleting it from Mengi tears the infrastructure back down in your project.
BYOC is not available on the Development type — those are virtual clusters on Mengi’s own shared host infrastructure. Use Dedicated or Dedicated HA.
Rotating the API token
- In the Hetzner Cloud Console, generate a new Read & Write API token in the `mengi-byoc` project (Part 1, Step 2).
- In Mengi, edit the `hetzner-byoc` credential, paste the new token, then re-validate.
- Once the new token is Ready, delete the old token in the Console. Keep the old token until then: deleting it first would leave Mengi unable to manage the cluster until the new one is stored and validated.
Revoking access
To cut Mengi off entirely, delete the API token in the Hetzner Cloud Console. Delete any running BYOC clusters from the Mengi dashboard first so the infrastructure is cleaned up — once the token is gone, Mengi can no longer tear those resources down for you.
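The following script is an added example, not code from Mengi or Hetzner. It covers two checks this guide asks for: that a freshly minted token actually authenticates (Part 1, Step 2, before you paste it into Mengi), and that the `mengi-byoc` project is really empty before you delete the token (so you do not revoke Mengi’s access while its resources still exist). It uses only the Python standard library and the public Hetzner Cloud API at `https://api.hetzner.cloud/v1`, reads the token from the `HCLOUD_TOKEN` environment variable (the same variable the `hcloud` CLI reads), and counts the resource kinds from the “What Mengi creates in your project” table plus volumes. The `fetch` parameter on the check functions is an assumption of this example so the logic can be exercised offline; it is not part of any Hetzner or Mengi API.

```python
"""Token sanity checks for the mengi-byoc project.

Added example, not code from Mengi or Hetzner. Talks to the public Hetzner
Cloud API with the Python standard library only and reads the token from
HCLOUD_TOKEN. Two checks:
  1. after Part 1, Step 2: the freshly minted token authenticates;
  2. before revoking: nothing Mengi created is still left in the project.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request

API = "https://api.hetzner.cloud/v1"

# Hetzner Cloud API tokens are a 64-character alphanumeric string.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{64}$")

# Resource kinds from the "What Mengi creates in your project" table, plus
# volumes. For each, the list endpoint is /<kind> and the response wraps
# the list under the same key.
RESOURCE_KINDS = ("servers", "networks", "load_balancers", "ssh_keys", "volumes")


def looks_like_hetzner_token(token):
    """Local check that catches a truncated or padded paste before any API call."""
    return bool(TOKEN_RE.match(token))


def hetzner_get(token, path, params=None):
    """GET one API path; returns (http_status, decoded JSON body)."""
    query = "&".join(f"{k}={v}" for k, v in (params or {}).items())
    url = f"{API}{path}" + (f"?{query}" if query else "")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # 401 means the token was rejected; keep the API's JSON error body if any.
        raw = err.read().decode("utf-8", "replace")
        try:
            return err.code, json.loads(raw)
        except json.JSONDecodeError:
            return err.code, {"error": {"message": raw}}


def token_authenticates(token, fetch=hetzner_get):
    """True when the API accepts the token. Listing servers needs only Read,
    so a read-only token passes too: confirm Read & Write in the Console."""
    status, _ = fetch(token, "/servers", {"per_page": 1})
    return status == 200


def project_inventory(token, fetch=hetzner_get):
    """Count resources of each kind in the token's project, following the API's
    pagination (at most 50 items per page; meta.pagination.next_page is null on
    the last page)."""
    counts = {}
    for kind in RESOURCE_KINDS:
        total, page = 0, 1
        while page is not None:
            status, body = fetch(token, f"/{kind}", {"per_page": 50, "page": page})
            if status != 200:
                raise RuntimeError(f"GET /{kind} failed with HTTP {status}: {body}")
            total += len(body.get(kind, []))
            page = body.get("meta", {}).get("pagination", {}).get("next_page")
        counts[kind] = total
    return counts


def leftovers(inventory):
    """Kinds that still have resources; an empty list means the project is clean."""
    return sorted(kind for kind, n in inventory.items() if n > 0)


if __name__ == "__main__":
    token = os.environ.get("HCLOUD_TOKEN", "")
    if not looks_like_hetzner_token(token):
        sys.exit("HCLOUD_TOKEN is missing or is not a 64-character Hetzner token")
    if not token_authenticates(token):
        sys.exit("api.hetzner.cloud rejected the token (deleted, mistyped or wrong project?)")
    left = leftovers(project_inventory(token))
    if left:
        sys.exit("still present in the project: " + ", ".join(left))
    print("project is empty; safe to delete the token")
```

Run it as `HCLOUD_TOKEN=… python3 check_byoc_token.py` (the filename is an assumption). A non-zero exit with “still present” means Mengi’s teardown has not finished or something else lives in the project; fix that before deleting the token. Note that the authentication check cannot tell Read from Read & Write, since the API accepts either for a list call; the permission level is only visible in the Console.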
Security notes
- The API token is shown only once at creation — store it securely and never commit it to version control.
- Keep Mengi in a dedicated project. The token is project-scoped, so it can never touch your other Hetzner projects, and anyone who obtains it can only affect that one project.
- Mengi stores BYOC credentials encrypted, not in plaintext.
- Rotate the token periodically (see Rotating the API token above), and immediately if you suspect it has leaked.