Use ServiceAccount Token inside Pod

We can mount a ServiceAccount token into a pod using a projected volume. This way, we can specify the token's expiration time and what the token will be used for, such as API calls. Kubernetes automatically creates the token and mounts it into the pod.

The following YAML file shows how it is done.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: learning
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: service-token
          mountPath: /secrets
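  # Disable the default token mount; only the projected token below is mounted.
  automountServiceAccountToken: false
  serviceAccountName: pod-reader-sa
  volumes:
    - name: service-token
      projected:
        sources:
          - serviceAccountToken:
              # File name under mountPath, so the token is at /secrets/token-sa.
              path: token-sa
              # The optional fields expirationSeconds and audience can also be set here.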

It is assumed that the right permissions have been granted to the service account using RBAC or another method.

We should then be able to access the token at the path /secrets/token-sa and use it to make REST API calls.
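
The following is an added example, not part of the original page: a Python sketch of how a process in the pod can read the projected token, inspect its expiry and audience claims, and prepare an authenticated API request. The API URL, the helper names, and the sample token are assumptions made for illustration; the sample token is constructed and unsigned.

```python
import base64
import json
import time
import urllib.request

TOKEN_PATH = "/secrets/token-sa"  # mountPath + path from the pod spec above
# Assumption: in-cluster API server address and the namespace used on this page.
API_URL = "https://kubernetes.default.svc/api/v1/namespaces/learning/pods"

def read_token(path=TOKEN_PATH):
    """Re-read the file on every use: the kubelet rotates the token before it expires."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def token_claims(token):
    """Decode the JWT payload for inspection only. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_left(claims, now=None):
    """Remaining lifetime according to the 'exp' claim (negative if expired)."""
    now = time.time() if now is None else now
    return int(claims["exp"] - now)

def build_request(token, url=API_URL):
    """Prepare (not send) a GET request carrying the token as a bearer credential."""
    if seconds_left(token_claims(token)) <= 0:
        raise ValueError("token expired; re-read it from the mounted file")
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})

def make_sample_token(exp, aud):
    """Constructed, unsigned sample with the claim layout of a ServiceAccount token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": [aud], "exp": exp,
              "sub": "system:serviceaccount:learning:pod-reader-sa"}
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    # Inside the pod, use read_token() instead of the constructed sample.
    sample = make_sample_token(int(time.time()) + 3600, "https://kubernetes.default.svc")
    claims = token_claims(sample)
    print(claims["sub"], claims["aud"], seconds_left(claims))
    print(build_request(sample).full_url)
```

Sending the request with TLS verification also needs the cluster CA certificate, which the pod spec above does not mount, since it projects only the token.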