Skip to content

Service Account authentication via Token

Official solutions (KCS): * How to get the authentication token for an OpenShift Service account * What are the automatically generated secrets for every service account?

Create service account (sa)

1
oc create sa external-pipeline-user

Get service account details

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ oc get serviceaccount/external-pipeline-user -o yaml

apiVersion: v1
imagePullSecrets:
- name: external-pipeline-user-dockercfg-2kjrl
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-10-12T13:56:11Z"
  name: external-pipeline-user
  namespace: sa-test
  resourceVersion: "19995538"
  selfLink: /api/v1/namespaces/sa-test/serviceaccounts/external-pipeline-user
  uid: 90f73aa4-f7c0-45ed-b99c-dec17d3fd864
secrets:
- name: external-pipeline-user-token-cr7nq
- name: external-pipeline-user-dockercfg-2kjrl

$ oc describe serviceaccount/external-pipeline-user
Name:                external-pipeline-user
Namespace:           sa-test
Labels:              <none>
Annotations:         <none>
Image pull secrets:  external-pipeline-user-dockercfg-2kjrl
Mountable secrets:   external-pipeline-user-token-cr7nq
                     external-pipeline-user-dockercfg-2kjrl
Tokens:              external-pipeline-user-token-cr7nq
                     external-pipeline-user-token-sdxck
Events:              <none>

Get Token

1
2
3
4
5
6
7
8
TOKEN=$(oc serviceaccounts get-token external-pipeline-user)

$ oc login --token=$TOKEN
Logged into "https://api.demo.openshift.pub:6443" as "system:serviceaccount:sa-test:external-pipeline-user" using the token provided.

You don't have any projects. Contact your system administrator to request a project.
$ oc whoami
system:serviceaccount:sa-test:external-pipeline-user

List of secrets

1
2
3
4
$ oc get secrets | grep external-pipeline-user
external-pipeline-user-dockercfg-2kjrl   kubernetes.io/dockercfg               1      25m
external-pipeline-user-token-cr7nq       kubernetes.io/service-account-token   4      25m
external-pipeline-user-token-sdxck       kubernetes.io/service-account-token   4      25m

Both secrets

  • external-pipeline-user-token-cr7nq
  • external-pipeline-user-token-sdxck

contains a valid token.

The only differents is an annotation kubernetes.io/created-by: openshift.io/create-dockercfg-secrets.

Token with the annotation is made for container image registry during the dockercfg secret creation. For details please check the source code of create_dockercfg_secrets.go.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
$ oc describe secrets/external-pipeline-user-token-sdxck
Name:         external-pipeline-user-token-sdxck
Namespace:    sa-test
Labels:       <none>
Annotations:  kubernetes.io/created-by: openshift.io/create-dockercfg-secrets
              kubernetes.io/service-account.name: external-pipeline-user
              kubernetes.io/service-account.uid: 90f73aa4-f7c0-45ed-b99c-dec17d3fd864

Type:  kubernetes.io/service-account-token

Data
====
token:           eyJhbGciOiJSUzI1NiIsImtpZCI6Iml0REV6eVlwcWlFRTVYVlVGZDh1SUtQdFBzWmNGUFUyUU9oeFJod1FxTE0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzYS10ZXN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImV4dGVybmFsLXBpcGVsaW5lLXVzZXItdG9rZW4tc2R4Y2siLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZXh0ZXJuYWwtcGlwZWxpbmUtdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkwZjczYWE0LWY3YzAtNDVlZC1iOTljLWRlYzE3ZDNmZDg2NCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpzYS10ZXN0OmV4dGVybmFsLXBpcGVsaW5lLXVzZXIifQ.UqSbr1W2T4NGo9KDE1OZrGLqc-0Va5T-5illyxYegLxnTxhh-Keu6nc2-Cx21leV1vWcVt9p34VJCL5cUA9jKgkb7TNGnM8CW9BRn3bidbX5uaWzPflYGYzxok6QESA0eTMDtGecCDH1ixVPvJxws0Ipsdon5PpkmXbibR3YHjBEAsGFaiWK0oRZv8AE5uRUGOUAbw9kI0WZLoOOGtDdAfAHAtBACIkL4I4ZsqvFrUo8-bnWv9-OpsmvaOY4z0Uzc4tvIDtjWOG1IBwcDFpPUKJ68EqBOVdNxIkArdWej88wZ1PSRxSewm-sOYms2tH1Vs10RNpnY6TZqrzjAO0egQ
ca.crt:          8826 bytes
namespace:       7 bytes
service-ca.crt:  10039 bytes

$ oc describe secrets/external-pipeline-user-token-cr7nq
Name:         external-pipeline-user-token-cr7nq
Namespace:    sa-test
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: external-pipeline-user
              kubernetes.io/service-account.uid: 90f73aa4-f7c0-45ed-b99c-dec17d3fd864

Type:  kubernetes.io/service-account-token

Data
====
service-ca.crt:  10039 bytes
token:           eyJhbGciOiJSUzI1NiIsImtpZCI6Iml0REV6eVlwcWlFRTVYVlVGZDh1SUtQdFBzWmNGUFUyUU9oeFJod1FxTE0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzYS10ZXN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImV4dGVybmFsLXBpcGVsaW5lLXVzZXItdG9rZW4tY3I3bnEiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZXh0ZXJuYWwtcGlwZWxpbmUtdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjkwZjczYWE0LWY3YzAtNDVlZC1iOTljLWRlYzE3ZDNmZDg2NCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpzYS10ZXN0OmV4dGVybmFsLXBpcGVsaW5lLXVzZXIifQ.S0vCY3W73655J1M3xu9ZiRHpl6ypPwCG95YPwIC9iOstL2wlX0AXflyolcofPo6xaklX6euYhWt4-2wnBLvEBiTJL1AtmZXLd9hL3UULxQC8X9j6DNzgqNs8BphTa6tFz1BusJCvUNs0ilgn--aysI0h3HHJDDRJlyp991pNKZ8Vz8uR2YRMHAIXXvOS9hbhcA2P2-QLw8USBfjlNnYm1vhFEqM4YrcbD_vNqlM9kSRYJpmQIw9bSeVUgVrszT_XEgsJaxzU9fRjn6Ip10RfFJ-95j1dR3rxHJ0RS0VrrcVsrk25UeuroMkdxYNQE4RBVAdOwchmOSy11aoJv5EEMQ
ca.crt:          8826 bytes
namespace:       7 bytes

Both tokens works very well

1
2
3
4
5
6
7
8
$ TOKEN_cr7nq=$(oc get secret/external-pipeline-user-token-cr7nq -o jsonpath={.data.token} | base64 -d)
$ TOKEN_sdxck=$(oc get secret/external-pipeline-user-token-sdxck -o jsonpath={.data.token} | base64 -d)

$ oc login --token=$TOKEN_cr7nq
Logged into "https://api.demo.openshift.pub:6443" as "system:serviceaccount:sa-test:external-pipeline-user" using the token provided.

$ oc login --token=$TOKEN_sdxck
Logged into "https://api.demo.openshift.pub:6443" as "system:serviceaccount:sa-test:external-pipeline-user" using the token provided.

Inspect tokens

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
$ oc get secrets | grep external-pipeline-user
external-pipeline-user-dockercfg-2kjrl   kubernetes.io/dockercfg               1      25m
external-pipeline-user-token-cr7nq       kubernetes.io/service-account-token   4      25m
external-pipeline-user-token-sdxck       kubernetes.io/service-account-token   4      25m



$ oc get secrets external-pipeline-user-token-cr7nq -o jsonpath='{.data.token}' | base64 --decode | jwt decode -

Token header
------------
{
  "alg": "RS256",
  "kid": "itDEzyYpqiEE5XVUFd8uIKPtPsZcFPU2QOhxRhwQqLM"
}

Token claims
------------
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "sa-test",
  "kubernetes.io/serviceaccount/secret.name": "external-pipeline-user-token-cr7nq",
  "kubernetes.io/serviceaccount/service-account.name": "external-pipeline-user",
  "kubernetes.io/serviceaccount/service-account.uid": "90f73aa4-f7c0-45ed-b99c-dec17d3fd864",
  "sub": "system:serviceaccount:sa-test:external-pipeline-user"
}

$ oc get secrets external-pipeline-user-token-sdxck    -o jsonpath='{.data.token}' | base64 --decode | jwt decode -

Token header
------------
{
  "alg": "RS256",
  "kid": "itDEzyYpqiEE5XVUFd8uIKPtPsZcFPU2QOhxRhwQqLM"
}

Token claims
------------
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "sa-test",
  "kubernetes.io/serviceaccount/secret.name": "external-pipeline-user-token-sdxck",
  "kubernetes.io/serviceaccount/service-account.name": "external-pipeline-user",
  "kubernetes.io/serviceaccount/service-account.uid": "90f73aa4-f7c0-45ed-b99c-dec17d3fd864",
  "sub": "system:serviceaccount:sa-test:external-pipeline-user"
}
Last update: December 6, 2020