Kubernetes Auth Long Lived Tokens

docs/snippets/documentation/platform/identities/kubernetes-auth-long-lived-tokens.mdx

<Accordion title="Manual long-lived service account tokens"> Manual long-lived service account tokens are created as Kubernetes secrets and remain valid until deleted or rotated. In most cases, use short-lived service account tokens instead because they are easier to operate and reduce the lifetime of exposed credentials.
  <Steps>
    <Step title="Create a token reviewer service account">
      Create a reviewer service account in your Kubernetes cluster. Infisical uses this account to authenticate with the Kubernetes API Server through the TokenReview API.

      ```yaml infisical-reviewer-service-account.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: infisical-token-reviewer
        namespace: default
      ```

      ```bash
      kubectl apply -f infisical-reviewer-service-account.yaml
      ```
    </Step>

    <Step title="Bind the reviewer service account">
      Bind the reviewer service account to the `system:auth-delegator` cluster role. This allows Infisical to perform delegated authentication checks against the TokenReview API.

      ```yaml infisical-reviewer-cluster-role-binding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        # ClusterRoleBindings are cluster-scoped, so metadata carries no namespace
        name: infisical-token-reviewer-role-binding
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: system:auth-delegator
      subjects:
        - kind: ServiceAccount
          name: infisical-token-reviewer
          namespace: default
      ```

      ```bash
      kubectl apply -f infisical-reviewer-cluster-role-binding.yaml
      ```
    </Step>

    <Step title="Create and retrieve the token reviewer JWT">
      Create a service account token secret for the reviewer service account:

      ```yaml service-account-reviewer-token.yaml
      apiVersion: v1
      kind: Secret
      type: kubernetes.io/service-account-token
      metadata:
        name: infisical-token-reviewer-token
        namespace: default
        annotations:
          kubernetes.io/service-account.name: "infisical-token-reviewer"
      ```

      ```bash
      kubectl apply -f service-account-reviewer-token.yaml
      ```

      Link the secret to the reviewer service account:

      ```bash
      kubectl patch serviceaccount infisical-token-reviewer \
        -p '{"secrets": [{"name": "infisical-token-reviewer-token"}]}' \
        -n default
      ```

      Retrieve the token reviewer JWT:

      ```bash
      kubectl get secret infisical-token-reviewer-token \
        -n default \
        -o=jsonpath='{.data.token}' | base64 --decode
      ```

      Keep this JWT token handy. You will need it for the **Token Reviewer JWT** field when configuring Kubernetes Auth on the machine identity in Infisical.
    </Step>

    <Step title="Create a machine identity">
      To create an identity, head to your Organization Settings {'>'} Access Control {'>'} Identities and press **Create identity**.

      ![identities organization](/images/platform/identities/identities-org.png)

      When creating an identity, you specify an organization level [role](/documentation/platform/access-controls/role-based-access-controls) for it to assume; you can configure roles in Organization Settings {'>'} Access Control {'>'} Organization Roles.

      ![identities organization create](/images/platform/identities/identities-org-create.png)

      Now input a few details for your new identity. Here's some guidance for each field:

      - Name (required): A friendly name for the identity.
      - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.

      Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **Kubernetes Auth**.

      Use the token reviewer JWT from the previous step when filling the **Token Reviewer JWT** field.

      <Info>
        To learn more about each field of the Kubernetes native authentication method, see step 2 of the [Kubernetes Auth guide](/documentation/platform/identities/kubernetes-auth#guide).
      </Info>

      ![identities organization create auth method](/images/platform/identities/identities-org-create-kubernetes-auth-method.png)
    </Step>

    <Step title="Add the identity to a project">
      To let the operator use this identity to access secrets, add the identity to each project you want to grant it access to.

      To do this, head over to the project you want to add the identity to and go to Project Settings {'>'} Access Control {'>'} Machine Identities and press **Add identity**.

      Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.

      ![identities project](/images/platform/identities/identities-project.png)

      ![identities project create](/images/platform/identities/identities-project-create.png)
    </Step>

    <Step title="Create the service account used for authentication">
      Create the Kubernetes service account that the operator will use to authenticate with Infisical.

      ```yaml infisical-service-account.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: infisical-service-account
        namespace: default
      ```

      ```bash
      kubectl apply -f infisical-service-account.yaml
      ```
    </Step>

    <Step title="Create a long-lived token for the service account">
      Create a service account token secret for the service account used to authenticate with Infisical:

      ```yaml infisical-service-account-token.yaml
      apiVersion: v1
      kind: Secret
      type: kubernetes.io/service-account-token
      metadata:
        name: infisical-service-account-token
        namespace: default
        annotations:
          kubernetes.io/service-account.name: "infisical-service-account"
      ```

      ```bash
      kubectl apply -f infisical-service-account-token.yaml
      ```

      Patch the service account with the newly created service account token:

      ```bash
      kubectl patch serviceaccount infisical-service-account \
        -p '{"secrets": [{"name": "infisical-service-account-token"}]}' \
        -n default
      ```
    </Step>
  </Steps>
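
  As an added example (not part of Infisical's documentation or code), the script below reads the claims of a service account JWT such as the one retrieved above and reports whether it is a secret-backed long-lived token (no `exp` claim, so it stays valid until the secret is deleted or rotated) or a bound short-lived one. The sample tokens are constructed inline with placeholder signatures, and `make_unsigned_sample` and `classify_token` are names chosen here.

```python
import base64
import json
import time

# Constructed sample claims (not real cluster output) for the two token shapes a
# cluster issues: secret-backed (as created above; no "exp") and bound ("exp", "aud").
SECRET_TOKEN_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:infisical-token-reviewer",
    "kubernetes.io/serviceaccount/secret.name": "infisical-token-reviewer-token",
    "kubernetes.io/serviceaccount/service-account.name": "infisical-token-reviewer",
}
BOUND_TOKEN_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:infisical-service-account",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 4102444800,  # constructed expiry, 2100-01-01T00:00:00Z
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_sample(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature for offline use."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def classify_token(jwt: str, now=None) -> dict:
    """Read a service account JWT's claims (no signature check; the API server does
    that via TokenReview) and report which account it names and its lifetime."""
    _header, payload, _signature = jwt.split(".")  # ValueError unless 3 segments
    claims = json.loads(_b64url_decode(payload))
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix) or sub.count(":") != 3:
        raise ValueError(f"unexpected subject {sub!r}: not a service account token")
    namespace, name = sub[len(prefix):].split(":")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": namespace,
        "name": name,
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "long_lived": exp is None,  # secret-backed tokens carry no expiry
        "expires_in_s": None if exp is None else max(0, int(exp - now)),
    }
```

  Feed the output of the `kubectl get secret ... | base64 --decode` step to `classify_token` to confirm the JWT you paste into the **Token Reviewer JWT** field names the intended reviewer account and carries no expiry, which is why its rotation has to be scheduled manually.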
</Accordion>