We can create a service account (sa) easily using the following manifest:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot
  namespace: default
Next, we can generate a long-lived token by creating a Secret bound to that service account:
apiVersion: v1
kind: Secret
metadata:
  name: my-long-lived-secret
  annotations:
    kubernetes.io/service-account.name: robot
type: kubernetes.io/service-account-token
Then we can read the token with kubectl describe secret/my-long-lived-secret and decode it, as shown below:
There's no audience.
What cloud resources would be able to allow or deny access to resources based on this service account token?
Then use Postman to check the token; the request, exported as curl, calls the service account's token subresource with the long-lived token as the bearer:
curl --location 'http://localhost:8080/api/v1/namespaces/default/serviceaccounts/robot/token' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlpUSzhiVVRXYVdQN1RoTGgxODVyVTJFSk1jNzNYQ0EtZlVEckt1YnZoWkkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15LWxvbmctbGl2ZWQtc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InJvYm90Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTQ4MTQwOTctNDFkNi00NWY0LTlhOTAtOGI1NjE5MjdhYTFjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6cm9ib3QifQ.jkACrgDpT2E1sZR7Q7KmAr7Hp2mweXmn17poOqySFJwy0OmTnkLngaC9X-d_YHR6EOOc4uyoETvYNCF2hZt7znXqR3a258ECAaQGpJPlKn9H2mVTq-z8LKIw_oX8s5sQR5DdwNX1e3683O1KU3OcxnvK8plDASTcg2wp75iPeedc4nvxTGwX8Ps0LeIJ7DX3qYFSH6J1JRlYQPMGpDf1TEF1roorR__w2YoDSHMjJaGc2SlYYBaXDZorWc8BhSJjTrWiuTGCJKqg56BqlV-Gi69T-atvGEMjBSRHheD30Nubjy_09-7GgJGWhNfHIiI3PLVQAGGMflUO1ngg26jSYQ' \
--data '{}'
And the response:
{
  "kind": "TokenRequest",
  "apiVersion": "authentication.k8s.io/v1",
  "metadata": {
    "name": "robot",
    "namespace": "default",
    "creationTimestamp": "2023-10-10T17:21:53Z",
    "managedFields": [
      {
        "manager": "PostmanRuntime",
        "operation": "Update",
        "apiVersion": "authentication.k8s.io/v1",
        "time": "2023-10-10T17:21:53Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:spec": {
            "f:expirationSeconds": {}
          }
        },
        "subresource": "token"
      }
    ]
  },
  "spec": {
    "audiences": [
      "https://kubernetes.default.svc.cluster.local"
    ],
    "expirationSeconds": 3600,
    "boundObjectRef": null
  },
  "status": {
    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IlpUSzhiVVRXYVdQN1RoTGgxODVyVTJFSk1jNzNYQ0EtZlVEckt1YnZoWkkifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjk2OTYyMTEzLCJpYXQiOjE2OTY5NTg1MTMsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InJvYm90IiwidWlkIjoiYTQ4MTQwOTctNDFkNi00NWY0LTlhOTAtOGI1NjE5MjdhYTFjIn19LCJuYmYiOjE2OTY5NTg1MTMsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnJvYm90In0.P6hIB6903rlAkM3U4unpOclhvnpiZiFgWlc7sXYaGUXy9bjvykgiwS7OUhxC6enodmra8oTeLCLUe0U6REHH84Zmz7r3foxy69snYrlvLjYg592_RAt46ry56Y5apnjHuH7XkuDL0iEOOsQBTiilwIsFGFj0zemLqIFP6LRhj3EZ7N9YNZI99F6HDVkvC7vmrrI0oMd1iMx_y4H6qZd63bdhs6sZCNz8Q_uI7BJd1Hk5GiTWf-bQNs7XCNNY1AM0IEvPl-t_BrclLl5p3s7TmeJ15cTT_Yc601R70kYTgu2gSp8jFbVXi2g-hAco25Q4qR7EuNRQjEx_ZRw8avyuIA",
    "expirationTimestamp": "2023-10-10T18:21:53Z"
  }
}
Strange, why call it a long-lived token when it has expired?
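The two JWTs on this page can be compared directly, as an added example that is not part of the original post: it decodes the claims of both tokens (copied from the page) without verifying signatures, and shows that the secret-based token carries no aud or exp claim, while status.token from the TokenRequest response is a separate, audience-bound token that expires after spec.expirationSeconds.

```python
import base64
import json
from datetime import datetime, timezone

# Both tokens are copied from the page: the first is the secret-based token
# sent in the Authorization header, the second is status.token from the
# TokenRequest response.
SECRET_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IlpUSzhiVVRXYVdQN1RoTGgxODVyVTJFSk1jNzNYQ0EtZlVEckt1YnZoWkkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15LWxvbmctbGl2ZWQtc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InJvYm90Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTQ4MTQwOTctNDFkNi00NWY0LTlhOTAtOGI1NjE5MjdhYTFjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6cm9ib3QifQ.jkACrgDpT2E1sZR7Q7KmAr7Hp2mweXmn17poOqySFJwy0OmTnkLngaC9X-d_YHR6EOOc4uyoETvYNCF2hZt7znXqR3a258ECAaQGpJPlKn9H2mVTq-z8LKIw_oX8s5sQR5DdwNX1e3683O1KU3OcxnvK8plDASTcg2wp75iPeedc4nvxTGwX8Ps0LeIJ7DX3qYFSH6J1JRlYQPMGpDf1TEF1roorR__w2YoDSHMjJaGc2SlYYBaXDZorWc8BhSJjTrWiuTGCJKqg56BqlV-Gi69T-atvGEMjBSRHheD30Nubjy_09-7GgJGWhNfHIiI3PLVQAGGMflUO1ngg26jSYQ"
REQUESTED_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IlpUSzhiVVRXYVdQN1RoTGgxODVyVTJFSk1jNzNYQ0EtZlVEckt1YnZoWkkifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjk2OTYyMTEzLCJpYXQiOjE2OTY5NTg1MTMsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InJvYm90IiwidWlkIjoiYTQ4MTQwOTctNDFkNi00NWY0LTlhOTAtOGI1NjE5MjdhYTFjIn19LCJuYmYiOjE2OTY5NTg1MTMsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnJvYm90In0.P6hIB6903rlAkM3U4unpOclhvnpiZiFgWlc7sXYaGUXy9bjvykgiwS7OUhxC6enodmra8oTeLCLUe0U6REHH84Zmz7r3foxy69snYrlvLjYg592_RAt46ry56Y5apnjHuH7XkuDL0iEOOsQBTiilwIsFGFj0zemLqIFP6LRhj3EZ7N9YNZI99F6HDVkvC7vmrrI0oMd1iMx_y4H6qZd63bdhs6sZCNz8Q_uI7BJd1Hk5GiTWf-bQNs7XCNNY1AM0IEvPl-t_BrclLl5p3s7TmeJ15cTT_Yc601R70kYTgu2gSp8jFbVXi2g-hAco25Q4qR7EuNRQjEx_ZRw8avyuIA"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    # Parse header and payload only. No signature check is performed: this
    # inspects claims, it does not establish that the token is trustworthy.
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}


def summarize(token: str) -> dict:
    # Pull out the claims a reviewer cares about: who issued it, for whom,
    # which audiences may accept it, whether it ever expires, and whether
    # it is the legacy secret-backed form.
    claims = decode_claims(token)["payload"]
    exp = claims.get("exp")
    return {
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "audiences": claims.get("aud", []),
        "expires": datetime.fromtimestamp(exp, timezone.utc).isoformat() if exp else None,
        "bound_secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "long_lived": exp is None,
    }


if __name__ == "__main__":
    for label, tok in (("secret-based", SECRET_TOKEN), ("TokenRequest", REQUESTED_TOKEN)):
        print(label, json.dumps(summarize(tok), indent=2))
```

The token that "expired" is the freshly minted TokenRequest token, not the one stored in the Secret; the secret-based token stays valid until the Secret is deleted, which is exactly why a token without an audience or expiry deserves tight RBAC.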