Skip to content

Service Account Secrets

As of Kubernetes v1.24, secrets are no longer automatically created for service accounts.

You must create a secret manually.

You must also make the secret discoverable. You have two options:

Option 1 - Discovery By Name

Name your secret ${serviceAccountName}.service-account-token:

apiVersion: v1
kind: Secret
metadata:
  name: default.service-account-token
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token

This option is simpler than option 2, as you can create the secret and make it discoverable by name at the same time.

Option 2 - Discovery By Annotation

Annotate the service account with the secret name:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  annotations:
    workflows.argoproj.io/service-account-token.name: my-token

This option is useful when the secret already exists, or the service account has a very long name.

Comments