44

I used kubectl create serviceaccount sa1 to create a service account. Then I used the kubectl get serviceaccount sa1 -oyaml command to get the service account info, but it returns the following.

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-05-16T08:03:50Z"
  name: sa1
  namespace: default
  resourceVersion: "19651"
  uid: fdddacba-be9d-4e77-a849-95ca243781cc

I need to get,

secrets:
- name: <secret>

part, but it doesn't return secrets. How do I fix it?

2

3 Answers

98

In Kubernetes 1.24, ServiceAccount token secrets are no longer automatically generated. See "Urgent Upgrade Notes" in the 1.24 changelog file:

The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (#108309, @zshihang)

This means, in Kubernetes 1.24, you need to manually create the Secret; the token key in the data field will be automatically set for you.

apiVersion: v1
kind: Secret
metadata:
  name: sa1-token
  annotations:
    kubernetes.io/service-account.name: sa1
type: kubernetes.io/service-account-token

Since you're manually creating the Secret, you know its name: and don't need to look it up in the ServiceAccount object.

This approach should work fine in earlier versions of Kubernetes too.

6
  • 1
    Correct, that approach works in all versions. Explicitly creating a secret if you need one is the recommended approach in all versions. The .secrets field is explicitly for enumerating secrets to be mounted into pods running as the service account, and there is no guarantee the first item in that list is a token secret. Commented Jun 22, 2022 at 13:36
  • After creating a manual token for the service account, how do I authenticate further in Azure DevOps service connections?
    – priya
    Commented Sep 6, 2022 at 7:11
  • Someone simply forgot to update the documentation. service-account-tokens - it shows automatic secret creation when creating a serviceaccount Commented Sep 6, 2022 at 8:15
  • 1
    That's not required. Single quotes, double quotes, and no quotes will all produce an identical YAML document here.
    – David Maze
    Commented Sep 16, 2022 at 22:17
  • 4
    For me, this only worked when also setting a namespace.
    – Fritz
    Commented Nov 17, 2022 at 18:25
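To tell apart the two kinds of token named in the changelog quote (the non-expiring one the token controller writes into a manually created Secret, and the expiring one issued through the TokenRequest API), this added example, which is not part of any answer or comment on this page, decodes a token's JWT payload and checks its claims. The sample tokens are constructed and unsigned, the function names are hypothetical, and the signature is not verified, so it is for inspection only.

```python
import base64
import json
import time

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_sa_token(token, now=None):
    """Return (kind, seconds_left); seconds_left is None if there is no exp claim."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    left = None if exp is None else int(exp - now)
    # Secret-based tokens use flat "kubernetes.io/serviceaccount/..." claims, no exp.
    if exp is None and "kubernetes.io/serviceaccount/secret.name" in claims:
        return "legacy-secret", None
    # TokenRequest tokens carry exp/aud and a nested "kubernetes.io" claim.
    if exp is not None and isinstance(claims.get("kubernetes.io"), dict):
        return "bound", left
    return "unknown", left

def constructed_jwt(claims):
    """Build an unsigned sample token; real tokens are signed by the API server."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

# Constructed samples for the sa1 account from the question.
LEGACY = constructed_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "sa1-token",
    "kubernetes.io/serviceaccount/service-account.name": "sa1",
    "sub": "system:serviceaccount:default:sa1",
})
BOUND = constructed_jwt({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1700000000, "exp": 1700003600,
    "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "sa1"}},
    "sub": "system:serviceaccount:default:sa1",
})
```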
12

I too struggled with this for a while, but ultimately I was able to get a temporary login token using:

kubectl create token [serviceaccount-name]

Still a newbie in this!!

-1

If none of the above solutions worked, try this.

Go to Projects >> Project settings >> Service connections >> New service connection >> Kubernetes >> select the authentication method as KubeConfig and for the KubeConfig file,

Open AKS in the Azure portal

Open Cloud Shell or the Azure CLI

Run the following commands

az account set --subscription {subscription ID}

az aks get-credentials --resource-group {resource group name} --name {AKS-name} --admin

You will get a path to the kubeconfig file

cat /home/****/.kube/config

Copy everything and paste it into the Azure DevOps Kubernetes service connection. Click on Accept untrusted certificates and Grant access permission to all pipelines. Give the service connection a name and click Verify.
