2 min read | by Jordi Prats
To run a process locally we might need to use some ServiceAccount credentials to make sure it has exactly the same permissions it would have running as a Pod. To do so we can import the ServiceAccount token into our kubeconfig to be able to impersonate it.
Let's assume we want to use the test-sa:
$ kubectl get sa
NAME      SECRETS   AGE
default   0         10d
test-sa   0         113s
If we don't have one available yet, we'll have to create a new token for the ServiceAccount by creating the Secret that's going to hold it:
cat <<"EOF" | kubectl apply -f -
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: test-sa-token
  annotations:
    kubernetes.io/service-account.name: test-sa
EOF
We'll need to retrieve data.token from the Secret and import it into kubeconfig as a token. We can use kubectl as follows to do it:
kubectl config set-credentials test-sa --token="$(kubectl get secret test-sa-token -o jsonpath='{.data.token}' | base64 -d)"
This will update the kubeconfig, adding the test-sa user which will look something like this:
apiVersion: v1
kind: Config
(...)
users:
- name: test-sa
  user:
    token: hejda...
To start using it we can just update the context, selecting the user with the --user option:
kubectl config set-context --current --user=test-sa
If we want to change it back we'll just need to specify which user we want to use.
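An added example (not from the original post): a check to run before the import, confirming that the token's subject really is test-sa and warning when it carries no expiry, which is the case for tokens held in a Secret like the one above. The namespace default and the function names are assumptions; the check only reads the claims and does not verify the signature.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a ServiceAccount token before importing it.
# Assumed: namespace "default"; Secret and SA names are those used on this page.

# Print the decoded JSON payload (second segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it so base64 -d accepts the input.
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the value of a top-level string claim (no jq dependency).
jwt_claim() {
  jwt_payload "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if the token's subject is the expected ServiceAccount.
check_sa_token() {  # args: token namespace serviceaccount
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Succeed if the token carries an expiry ("exp") claim.
token_has_expiry() {
  jwt_payload "$1" | grep -q '"exp"[[:space:]]*:'
}

# Fetch the token from the Secret and import it only if it passes the check.
import_sa_token() {  # args: secret namespace serviceaccount
  local tok
  tok=$(kubectl get secret "$1" -n "$2" -o jsonpath='{.data.token}' | base64 -d) || return 1
  check_sa_token "$tok" "$2" "$3" || { echo "token is not for $2/$3" >&2; return 1; }
  token_has_expiry "$tok" || echo "warning: token has no exp claim and will not expire" >&2
  kubectl config set-credentials "$3" --token="$tok"
}

# Usage: import_sa_token test-sa-token default test-sa
```

After switching the context to the test-sa user, `kubectl auth can-i --list` shows the permissions the ServiceAccount actually has. Deleting the test-sa-token Secret invalidates the token once it is no longer needed.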
Posted on 29/05/2023