TokenRequest requests a token for a given service account.
```hcl
resource "kubernetes_service_account_v1" "test" {
  metadata {
    name = "test"
  }
}

resource "kubernetes_token_request_v1" "test" {
  metadata {
    # The token is requested for this service account.
    name = kubernetes_service_account_v1.test.metadata.0.name
  }
  spec {
    audiences = [
      "api",
      "vault",
      "factors"
    ]
  }
}

output "tokenValue" {
  value = kubernetes_token_request_v1.test.token
  # Keep the bearer token out of plan/apply console output.
  sensitive = true
}
```
The following arguments are supported:

- metadata - (Required) Standard role's metadata. For more info see Kubernetes reference
- spec - (Required) Spec holds information about the request being evaluated
- token - Token is the opaque bearer token.

metadata

- annotations - (Optional) An unstructured key value map stored with the role that may be used to store arbitrary metadata.
- generate_name - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix. For more info see Kubernetes reference
- labels - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role. Must match selector.
- name - (Optional) Name of the role, must be unique. Cannot be updated. For more info see Kubernetes reference
- namespace - (Optional) Namespace defines the space within which name of the role must be unique.

spec

- audiences - (Optional) Audiences are the intended audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
- expiration_seconds - (Optional) ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
- bound_object_ref - (Optional) BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.

bound_object_ref

- api_version - (Optional) API version of the referent.
- kind - (Optional) Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
- name - (Optional) Name of the referent.
- uid - (Optional) UID of the referent.
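
The audiences and expiration_seconds descriptions above suggest a tighter configuration than a single token shared by three audiences. The following is an added example, not part of the provider documentation: it requests one short-lived token per audience, and the names "ci", "per_audience" and "token_audiences" and the "default" namespace are assumptions.

```hcl
# Added example; resource names and the namespace are hypothetical.
locals {
  # Same audience identifiers as the example at the top of the page.
  token_audiences = ["api", "vault", "factors"]
}

resource "kubernetes_service_account_v1" "ci" {
  metadata {
    name      = "ci"
    namespace = "default"
  }
}

# One token request per audience. A recipient that is handed the "vault"
# token cannot present it to "api" or "factors", so the audiences no longer
# have to trust each other.
resource "kubernetes_token_request_v1" "per_audience" {
  for_each = toset(local.token_audiences)

  metadata {
    name      = kubernetes_service_account_v1.ci.metadata[0].name
    namespace = kubernetes_service_account_v1.ci.metadata[0].namespace
  }

  spec {
    # Exactly one audience per token.
    audiences = [each.key]

    # Requested lifetime only; the issuer may return a different one.
    # 600 seconds is the shortest lifetime the Kubernetes API accepts.
    expiration_seconds = 600
  }
}

# Map of audience => bearer token, hidden from plan/apply console output.
output "tokens" {
  value = {
    for aud, req in kubernetes_token_request_v1.per_audience : aud => req.token
  }
  sensitive = true
}
```

The tokens are still written to the Terraform state in plaintext, so the state backend needs the same access controls as the tokens themselves.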