OpenShift - Log into OpenShift using a service account token
by Jeremy Canfield | Updated: June 01 2023 | OpenShift articles
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
The oc create serviceaccount (or oc create sa) command can be used to create a Service Account.
~]$ oc create serviceaccount my-service-account
serviceaccount/my-service-account created
This should create a secret named <service account name>-token-xxxxx.
~]# oc get secrets
NAME                             TYPE                                  DATA   AGE
my-service-account-token-kvv5c   kubernetes.io/service-account-token   4      6s
The oc describe secret command can be used to list the token.
~]$ oc describe secret my-service-account-token-kvv5c
Name:         my-service-account-token-kvv5c
Namespace:    my-project
Labels:       <none>
Annotations:  kubernetes.io/created-by: openshift.io/create-dockercfg-secrets
              kubernetes.io/service-account.name: my-service-account
              kubernetes.io/service-account.uid: 0af56e29-af9f-4d06-9b5a-6f83c42804b9
Type:         kubernetes.io/service-account-token
Data
====
ca.crt: 9608 bytes
namespace: 10 bytes
service-ca.crt: 12033 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im9tUmE3WElBRWNnanJPZUxYaHdyUWg1YWVheENnWHhLUlBHNmtmSlNCcm8ifQ.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.GmueLO0W-FCfnVngGBwGmNLrCicCPQ01tRsd-TSxvW2QyZNHxpGv8Y75m11Ul6zkdItDU3ROaTTrpcSJ3Kv0kDdL4ZfbDFR1s9ROMdD70noZToAXyQU2KHDky1DmroF0ZTVkvID9MDL-L59BzWioxdDcrI8t2kEMBEZhGssw5VVKPzTXldP4xoCfoCUf6DrPNrWw9cqD_oL0wRmzwK7If7-U9TeF-Yd2bXBNj8sQk9V5FaNN3Z27X1cr6Kyz5CMJSr_TiOnnqrHAFm5qethUYgld2S8okvON5kommXcbLBYFyUiurG3zy2IyO2vsiWh1LlmH5Mpj4fRxKCTwUE7D7Q
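Next, add the service account to a cluster role binding. The cluster-admin role used here gives the service account, and anyone who holds its token, unrestricted access to the cluster; bind a narrower role when the account does not need that.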
~]$ oc adm policy add-cluster-role-to-user cluster-admin -z my-service-account
clusterrole.rbac.authorization.k8s.io/cluster-admin added: "my-service-account"
And then the oc login command with the --token option can be used to log into OpenShift.
~]# oc login --token <token> api.openshift.example.com:6443
Logged into "https://api.openshift.example.com:6443" as "system:serviceaccount:my-project:my-service-account" using the token provided.
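Before a token is handed to oc login, it is worth confirming which identity it carries and whether it ever expires. The following is an added example, not code from the original article: it decodes a token's claims without verifying the signature. The sample token is constructed, and its claim layout (the legacy secret-based format, which has no exp claim) is an assumption, since the payload of the token shown above is not available on this page.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_sa_token(token, now=None):
    """Summarise a service account token's claims. Does NOT verify the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "expires": exp,
        "never_expires": exp is None,  # no exp: valid until the secret is deleted
        "expired": exp is not None and exp <= now,
    }

def make_sample_token(claims):
    """Build a constructed token for the demo; the signature part is a dummy."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "constructed"}), enc(claims), "c2ln"])

# Constructed claims (assumed legacy layout), using the names shown in this article.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "my-project",
    "kubernetes.io/serviceaccount/secret.name": "my-service-account-token-kvv5c",
    "kubernetes.io/serviceaccount/service-account.name": "my-service-account",
    "kubernetes.io/serviceaccount/service-account.uid": "0af56e29-af9f-4d06-9b5a-6f83c42804b9",
    "sub": "system:serviceaccount:my-project:my-service-account",
}

if __name__ == "__main__":
    print(json.dumps(inspect_sa_token(make_sample_token(LEGACY_CLAIMS)), indent=2))
```

A result with never_expires set to true means the token stays usable until its secret or the service account is deleted, which is what revoking it requires.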