
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
There are various ways to log into OpenShift.
- Log into OpenShift using a username and password
- Log into OpenShift using a user account token
- Log into OpenShift using a service account token (this article)
The oc create serviceaccount (or oc create sa) command can be used to create a Service Account in a certain namespace.
~]$ oc create serviceaccount my-service-account --namespace default
serviceaccount/my-service-account created
The oc version command can be used to list the version of OpenShift.
~]$ oc version
Client Version: 4.10.0
Server Version: 4.10.13
Kubernetes Version: v1.23.5+b463d71
If you are at Server Version 4.15 or below, the oc create serviceaccount command should automatically create a secret named <service account name>-token-xxxxx.
~]# oc get secrets
NAME TYPE DATA AGE
my-service-account-token-kvv5c kubernetes.io/service-account-token 4 6s
The oc describe secret command can be used to list the token in the secret.
~]$ oc describe secret my-service-account-token-kvv5c
Name: my-service-account-token-kvv5c
Namespace: my-project
Labels: <none>
Annotations: kubernetes.io/created-by: openshift.io/create-dockercfg-secrets
kubernetes.io/service-account.name: my-service-account
kubernetes.io/service-account.uid: 0af56e29-af9f-4d06-9b5a-6f83c42804b9
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 9608 bytes
namespace: 10 bytes
service-ca.crt: 12033 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im9tUmE3WElBRWNnanJPZUxYaHdyUWg1YWVheENnWHhLUlBHNmtmSlNCcm8ifQ.[...].GmueLO0W-FCfnVngGBwGmNLrCicCPQ01tRsd-TSxvW2QyZNHxpGv8Y75m11Ul6zkdItDU3ROaTTrpcSJ3Kv0kDdL4ZfbDFR1s9ROMdD70noZToAXyQU2KHDky1DmroF0ZTVkvID9MDL-L59BzWioxdDcrI8t2kEMBEZhGssw5VVKPzTXldP4xoCfoCUf6DrPNrWw9cqD_oL0wRmzwK7If7-U9TeF-Yd2bXBNj8sQk9V5FaNN3Z27X1cr6Kyz5CMJSr_TiOnnqrHAFm5qethUYgld2S8okvON5kommXcbLBYFyUiurG3zy2IyO2vsiWh1LlmH5Mpj4fRxKCTwUE7D7Q
If you are at Server Version 4.16 or above, no token secret is created automatically. The oc create token command can be used to create an authentication token. According to this Red Hat article, service account tokens are valid for 1 hour, and indeed this was my experience. It looks like the maximum duration is 4294967296s (136 years).
oc create token my-service-account --namespace my-project --duration=4294967296s
Let's bind a cluster role to the service account.
~]$ oc adm policy add-cluster-role-to-user cluster-admin -z my-service-account
clusterrole.rbac.authorization.k8s.io/cluster-admin added: "my-service-account"
Or you may want to create the Cluster Role Binding yourself.
oc create clusterrolebinding my-cluster-role-binding --clusterrole cluster-admin --serviceaccount my-project:my-service-account
The token stored in the secret is base64 encoded, so let's decode it.
~]$ oc get secret my-service-account-token-kvv5c --output jsonpath="{.data.token}" | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6InhlOXdWYjdVYV9qOXk2RVZ2X0JVV1ZZTnZXTy0yR2xRVDhMOEpOUVBnVmsifQ.[...].FpMILRNVvcry7CwFkmCz2Od4URz0Vm4Nstn1TLd_729dzNDEEn2OOevo_1iG_u9kK6-7wshR5nyzTZimG0lR3ET26t8c6JLIbLhu-N6dPfgEnvO9PCyOq1zTE_OoMqwajsYKuEVVZPKLt0TrbtdSc9dhc7kn1J5UNR5ieQMBX15GkjZ_z7ZVHi4aZL7buoCDuyq1jbbyY2ueX6VAAt9ZjlDwdCCnupsYMPZbwoQm0MkP_zsICMxkJgAR4m_3_iP6R5FtJjzCAOsfDyzmAX0k5YHnfzhjoAw2JQTzan0yC6sGO-ZZNCQnFWpmAAr0fNTNN1qJTk29q6Tu1D3WXMbCYMdm1DOAa5dHXYcqP3V6KO8tUTWNjZPeE2sSupdQKyrUKJmiQaEHDBv5XzkqDzrmAHcNEAs7-CsHDGccvELM3-s9CnHGqwcd6Hqh6d6BF-g7kl0TovyLvNm9upHwt9cSozBt85ja7mPqQevcYlHu8zEoG5RJ1O0vK4AzDJ3CdUX-8FjAR_ko3uxzMvwQZKM7e_NfF5ZHtBXoCtwsK8LoxNq8wYXiHyOXz4XnAZyInmSEPHuWUgakuEmmvk3L_5LJh9hv4kzltloec3_ZI_NC3e9qpDRIYGdG3MaxFFtdhP86NBm0Y-4prCr_R37bl0Z6eszrdM0gHwIcXS8pyuD13mc
And then the oc login command with the --token option can be used to log into OpenShift.
~]# oc login --token <token> api.openshift.example.com:6443
Logged into "https://api.openshift.example.com:6443" as "system:serviceaccount:my-project:my-service-account" using the token provided.
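Before handing a token to oc login it is worth checking whom it identifies and when it expires; the following is an added example (not code from the original article) that decodes the token's JWT claims without verifying the signature and reports the subject (system:serviceaccount:<namespace>:<name>) and the expiry, which is absent on the legacy secret-based tokens shown above and is set by --duration on tokens from oc create token. The sample tokens are constructed and unsigned, and the function names summarize_sa_token and sample_token are assumptions of this example.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the claims (payload) of a JWS compact token.
    The signature is NOT verified here: only the API server holds the
    key, so this is inspection before use, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT parts")
    return json.loads(_b64url_decode(parts[1]))


def summarize_sa_token(token, now=None):
    """Summarize a service account token: who it is for and whether it expires."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"  # sub is system:serviceaccount:<namespace>:<name>
    namespace = name = None
    if sub.startswith(prefix):
        namespace, _, name = sub[len(prefix):].partition(":")
    exp = claims.get("exp")  # absent on legacy secret-based tokens (4.15 and below)
    return {
        "subject": sub,
        "namespace": namespace,
        "service_account": name,
        "expires": exp is not None,
        "seconds_left": None if exp is None else int(exp - now),
        "expired": exp is not None and exp <= now,
    }


def sample_token(claims):
    """Constructed, UNSIGNED sample token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "kid": "sample"}) + "." + enc(claims) + ".not-a-real-signature"


if __name__ == "__main__":
    sa = "system:serviceaccount:my-project:my-service-account"
    print(summarize_sa_token(sample_token({"sub": sa})))  # legacy secret token: never expires
    print(summarize_sa_token(sample_token({"sub": sa, "exp": time.time() + 3600})))  # 1 hour default
```

A real token from oc create token or from the decoded secret can be passed in place of the constructed samples; since the token is a bearer credential, inspect it locally like this rather than pasting it into an online decoder.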