
I have used `kubectl create serviceaccount sa1` to create a service account. Then I used the `kubectl get serviceaccount sa1 -oyaml` command to get the service account info. But it returns as below.

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-05-16T08:03:50Z"
  name: sa1
  namespace: default
  resourceVersion: "19651"
  uid: fdddacba-be9d-4e77-a849-95ca243781cc

I need to get the

secrets:
- name: <secret>

part, but it doesn't return `secrets`. How do I fix it?

racketer
  • Are you using Kubernetes 1.24? I believe [that doesn't create the secret automatically](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes) any more, and you need to [manually create it](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). – David Maze May 16 '22 at 10:21
  • @DavidMaze Yes, I'm using 1.24 – racketer May 16 '22 at 10:49

3 Answers

In Kubernetes 1.24, ServiceAccount token secrets are no longer automatically generated. See "Urgent Upgrade Notes" in the 1.24 changelog file:

The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (#108309, @zshihang)

This means, in Kubernetes 1.24, you need to manually create the Secret; the token key in the data field will be automatically set for you.

apiVersion: v1
kind: Secret
metadata:
  name: sa1-token
  annotations:
    kubernetes.io/service-account.name: sa1
type: kubernetes.io/service-account-token

Since you're manually creating the Secret, you know its `name:` and don't need to look it up in the ServiceAccount object.

This approach should work fine in earlier versions of Kubernetes too.

Matt
David Maze
  • Correct, that approach works in all versions. Explicitly creating a secret if you need one is the recommended approach in all versions. The `.secrets` field is explicitly for enumerating secrets to be mounted into pods running as the service account, and there is no guarantee the first item in that list is a token secret. – Jordan Liggitt Jun 22 '22 at 13:36
  • After creating a manual token for the service account, how do I authenticate further in Azure DevOps service connections? – priya Sep 06 '22 at 07:11
  • Someone simply forgot to update the documentation. [service-account-tokens](https://v1-24.docs.kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) - it shows automatic secret creation when creating a serviceaccount – Daniel Andrzejewski Sep 06 '22 at 08:15
  • Don't forget the double quotes for the service-account.name; it should be `kubernetes.io/service-account.name: "sa1"` – kanadianDri3 Sep 16 '22 at 21:29
  • That's not required. Single quotes, double quotes, and no quotes will all produce an identical YAML document here. – David Maze Sep 16 '22 at 22:17
  • For me this only worked when also setting a namespace – Fritz Nov 17 '22 at 18:25
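As an added check that is not part of the answer above: once the token controller has populated the manually created Secret, this script inspects the object as returned by `kubectl get secret sa1-token -o json` and confirms it is the right type, annotated for the intended ServiceAccount, in the expected namespace (the point Fritz raises), populated, and carries a non-expiring token whose subject is `system:serviceaccount:<ns>:sa1`. The Secret and token below are constructed samples, and the JWT signature is deliberately not verified.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token with the claims the token controller writes into a
# legacy secret-based token; the third segment is a placeholder signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "kubernetes.io/serviceaccount/namespace": "default",
             "kubernetes.io/serviceaccount/service-account.name": "sa1",
             "sub": "system:serviceaccount:default:sa1"}),
    "c2lnbmF0dXJl",
])
# Constructed sample of `kubectl get secret sa1-token -o json` once populated.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "sa1-token", "namespace": "default",
                 "annotations": {"kubernetes.io/service-account.name": "sa1"}},
    "data": {"token": base64.b64encode(SAMPLE_TOKEN.encode()).decode()},
}
def _jwt_claims(token):
    part = token.split(".")[1]  # payload only; signature is not verified here
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_sa_token_secret(secret, sa_name, namespace="default"):
    """Return problems found; [] means a populated, non-expiring token for sa_name."""
    problems = []
    meta = secret.get("metadata", {})
    if secret.get("type") != "kubernetes.io/service-account-token":
        problems.append("wrong type: %r" % secret.get("type"))
    if meta.get("annotations", {}).get("kubernetes.io/service-account.name") != sa_name:
        problems.append("annotation does not name ServiceAccount %s" % sa_name)
    if meta.get("namespace") != namespace:
        problems.append("Secret is in namespace %r, not %r" % (meta.get("namespace"), namespace))
    token_b64 = secret.get("data", {}).get("token")
    if not token_b64:
        problems.append("data.token is empty: the token controller has not populated it yet")
        return problems
    claims = _jwt_claims(base64.b64decode(token_b64).decode())
    expected_sub = "system:serviceaccount:%s:%s" % (namespace, sa_name)
    if claims.get("sub") != expected_sub:
        problems.append("token subject %r != %r" % (claims.get("sub"), expected_sub))
    if "exp" in claims:
        problems.append("token has an expiry, so it is not the non-expiring Secret kind")
    return problems
```

On a real cluster, feed it `json.loads(subprocess.check_output(["kubectl", "get", "secret", "sa1-token", "-o", "json"]))` in place of the constructed sample.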

I too struggled for a while with this, but ultimately I was able to get a temporary login token using

kubectl create token [serviceaccount-name]

Still a newbie in this!!


If none of the above solutions worked, try this.

Go to Projects >> Project settings >> Service connections >> New service connection >> Kubernetes >> select the authentication method "KubeConfig". For the KubeConfig file:

Open AKS in azure portal

Open cloud shell or the Azure CLI

Run the following commands

az account set --subscription {subscription ID}

az aks get-credentials --resource-group {resource group name} --name {AKS-name} --admin

You will get a path to the kubeconfig file:

cat /home/****/.kube/config

Copy everything and paste it into the Azure DevOps Kubernetes service connection. Click on "Accept untrusted certificates" and "Grant access permission to all pipelines". Give the service connection a name and click Verify.