A service account provides an identity for processes that run in a Pod.
Read more at Kubernetes reference
resource "kubernetes_service_account_v1" "example" {
  metadata {
    name = "terraform-example"
  }
}

resource "kubernetes_secret_v1" "example" {
  metadata {
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account_v1.example.metadata[0].name
    }
    generate_name = "terraform-example-"
  }

  type                           = "kubernetes.io/service-account-token"
  wait_for_service_account_token = true
}
The following arguments are supported:
metadata
- (Required) Standard service account's metadata. For more info see Kubernetes reference
image_pull_secret
- (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see Kubernetes reference
secret
- (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see Kubernetes reference
automount_service_account_token
- (Optional) Boolean, true to enable automatic mounting of the service account token. Defaults to true.
metadata
annotations
- (Optional) An unstructured key value map stored with the service account that may be used to store arbitrary metadata.
generate_name
- (Optional) Prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix. For more info see Kubernetes reference
labels
- (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services.
name
- (Optional) Name of the service account, must be unique. Cannot be updated. For more info see Kubernetes reference
namespace
- (Optional) Namespace defines the space within which name of the service account must be unique.
generation
- A sequence number representing a specific generation of the desired state.
resource_version
- An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. For more info see Kubernetes reference
uid
- The unique in time and space value for this service account. For more info see Kubernetes reference
image_pull_secret
name
- (Optional) Name of the referent. For more info see Kubernetes reference
secret
name
- (Optional) Name of the referent. For more info see Kubernetes reference
In addition to the arguments listed above, the following computed attributes are exported:
default_secret_name
- (Deprecated) Name of the default secret, containing service account token, created & managed by the service. By default, the provider will try to find the secret containing the service account token that Kubernetes automatically created for the service account. Where there are multiple tokens and the provider cannot determine which was created by Kubernetes, this attribute will be empty. When only one token is associated with the service account, the provider will return this single token secret.
Starting from version 1.24.0, Kubernetes does not automatically generate tokens for service accounts by default. As a result, default_secret_name cannot be computed and will be an empty string. To create a service account token, use the kubernetes_secret_v1 resource.
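A plan-time check for the two settings described above, automount_service_account_token (which defaults to true) and token Secrets created through kubernetes_secret_v1, as an added example that is not part of the provider documentation. It assumes the plan was exported with terraform show -json; the audit_plan function and the embedded sample plan are constructed for illustration.

```python
import json

TOKEN_SECRET_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "kubernetes_service_account_v1.example",
     "type": "kubernetes_service_account_v1",
     "change": {"after": {"automount_service_account_token": True}}},
    {"address": "kubernetes_service_account_v1.batch",
     "type": "kubernetes_service_account_v1",
     "change": {"after": {"automount_service_account_token": False}}},
    {"address": "kubernetes_secret_v1.example",
     "type": "kubernetes_secret_v1",
     "change": {"after": {
         "type": TOKEN_SECRET_TYPE,
         "metadata": [{"annotations": {SA_ANNOTATION: "terraform-example"}}]}}},
    {"address": "kubernetes_service_account_v1.retired",
     "type": "kubernetes_service_account_v1",
     "change": {"after": None}},  # planned for destroy
]})


def audit_plan(plan_json):
    """Return (address, finding) pairs worth a reviewer's attention."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed, nothing to review
            continue
        if rc.get("type") == "kubernetes_service_account_v1":
            # A missing or null value is treated as the documented default, true.
            if after.get("automount_service_account_token") is not False:
                findings.append((rc["address"], "token automount enabled"))
        elif rc.get("type") == "kubernetes_secret_v1":
            if after.get("type") == TOKEN_SECRET_TYPE:
                meta = (after.get("metadata") or [{}])[0]
                sa = (meta.get("annotations") or {}).get(SA_ANNOTATION, "<unknown>")
                findings.append((rc["address"], f"token secret for {sa}"))
    return findings


if __name__ == "__main__":
    for address, finding in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

A Secret of type kubernetes.io/service-account-token holds a token that does not expire, so each such finding is a credential to track and rotate.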
A service account can be imported using the namespace and name, e.g.
$ terraform import kubernetes_service_account_v1.example default/terraform-example