
ServiceAccount token secret creation

ServiceAccount token secret creation is the Kubernetes mechanism for obtaining a long-lived authentication token for a [[ServiceAccount]] by manually creating a Secret object of the service-account-token type. The token controller populates such a Secret with a signed token bound to the named service account, which can then be retrieved and presented as a bearer token, for example to log in to the Kubernetes Dashboard.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md] Manual creation is needed because the API server no longer generates these Secrets automatically for every ServiceAccount (since Kubernetes 1.24). A token obtained this way does not expire, so it should be handled as a standing credential: keep the bound ServiceAccount's RBAC permissions minimal, delete the Secret when the token is no longer needed, and prefer short-lived tokens from the TokenRequest API (kubectl create token) wherever the consumer supports them.

Implementation

To create a token secret, an administrator applies a resource configuration that defines a Secret object.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md] The Secret must be associated with the target ServiceAccount through an annotation, and must carry the right type, or the token controller will not populate it with a token.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

The annotation that binds the Secret to a service account is kubernetes.io/service-account.name, whose value is the name of the ServiceAccount (e.g., default); the ServiceAccount must already exist in the same namespace as the Secret.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md] The type of the Secret must be set to kubernetes.io/service-account-token.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]

Example Configuration

The following manifest creates a Secret named default in the kube-system namespace, bound to the default ServiceAccount of that namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]:

apiVersion: v1
kind: Secret
metadata:
  name: default
  namespace: kube-system
  labels:
    k8s-app: kube-system
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token

This YAML can be applied by piping it to kubectl apply -f -, which reads the manifest from standard input.^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md] Applying the manifest only creates the empty Secret; the token controller fills in its data fields shortly afterwards.

Token Retrieval

Once the Secret has been populated by the token controller (its data section then holds token, ca.crt and namespace), the token can be read from the Secret object with kubectl describe secret, which prints the token decoded, or with kubectl get secret, which shows the data base64-encoded and therefore requires decoding before use^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]. If the data section is still empty immediately after creation, wait a moment and query again. The decoded value is a JWT that is used as a bearer token for authentication^[400-devops__06-Kubernetes__k8s-ithelp__Day5__README.md]; it carries claims naming the namespace and ServiceAccount it was issued for, which is a quick way to confirm the Secret was bound to the intended account.
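The retrieval and binding check described above, as an added example that is not part of the original page or of any Kubernetes tooling. It takes the JSON that kubectl get secret -o json returns, extracts and decodes the token exactly as the jsonpath-plus-base64 one-liner would, and then compares the ServiceAccount named in the kubernetes.io/service-account.name annotation with the claims inside the token. The Secret it operates on is constructed in the block (make_sample_secret is a stand-in for kubectl output), the claim names are those used by secret-backed service account tokens, and the JWT signature is a placeholder: only the API server holds the key to verify it, so no cryptographic check is attempted here.

```python
"""Added example (not from the original page): inspect a ServiceAccount
token Secret as returned by `kubectl get secret NAME -n NS -o json`.

It extracts the bearer token the way the jsonpath/base64 one-liner does,
then cross-checks the kubernetes.io/service-account.name annotation
against the claims carried inside the token. The Secret below is
constructed here and its JWT signature is a placeholder: only the API
server can verify the signature, so no cryptographic check is done.
"""
import base64
import json

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"
# Claim names used by secret-backed (legacy) service account tokens.
CLAIM_NS = "kubernetes.io/serviceaccount/namespace"
CLAIM_SA = "kubernetes.io/serviceaccount/service-account.name"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_secret(name: str, namespace: str, sa_name: str) -> dict:
    """Constructed stand-in for the JSON kubectl returns once the token
    controller has populated the Secret. The signature is fake."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        CLAIM_NS: namespace,
        "kubernetes.io/serviceaccount/secret.name": name,
        CLAIM_SA: sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    jwt = ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {SA_NAME_ANNOTATION: sa_name},
        },
        "type": SA_TOKEN_TYPE,
        "data": {  # kubectl shows data values base64-encoded
            "token": base64.b64encode(jwt.encode()).decode(),
            "namespace": base64.b64encode(namespace.encode()).decode(),
        },
    }


def extract_token(secret: dict) -> str:
    """Equivalent of:
    kubectl get secret NAME -n NS -o jsonpath='{.data.token}' | base64 -d
    """
    if secret.get("type") != SA_TOKEN_TYPE:
        raise ValueError(f"not a service account token Secret: {secret.get('type')}")
    data = secret.get("data") or {}
    if "token" not in data:
        # The token controller fills in .data asynchronously after apply;
        # an empty Secret right after creation just means "retry shortly".
        raise ValueError("token not populated yet")
    return base64.b64decode(data["token"]).decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_binding(secret: dict) -> dict:
    """Confirm the token inside the Secret really belongs to the
    ServiceAccount named in the annotation, and return the identity."""
    annotated_sa = secret["metadata"]["annotations"][SA_NAME_ANNOTATION]
    claims = jwt_claims(extract_token(secret))
    if claims.get(CLAIM_SA) != annotated_sa:
        raise ValueError(
            f"annotation names {annotated_sa!r} but token is for {claims.get(CLAIM_SA)!r}"
        )
    if claims.get(CLAIM_NS) != secret["metadata"]["namespace"]:
        raise ValueError("token namespace does not match the Secret's namespace")
    return {
        "namespace": claims[CLAIM_NS],
        "service_account": claims[CLAIM_SA],
        "subject": claims["sub"],
    }


if __name__ == "__main__":
    sample = make_sample_secret("default", "kube-system", "default")
    print(check_binding(sample))
```

Against a real cluster, feed check_binding the output of kubectl get secret default -n kube-system -o json instead of the constructed sample; a ValueError of "token not populated yet" means the token controller has not processed the Secret yet, and a mismatch between the annotation and the claims means the Secret is not the one you think it is.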

Sources