vault_kubernetes_service_account_token

Generates service account tokens for Kubernetes.

Example Usage

# Mounts and configures the Kubernetes secrets engine at the "kubernetes" path.
resource "vault_kubernetes_secret_backend" "config" {
  path        = "kubernetes"
  description = "kubernetes secrets engine description"

  # Kubernetes API endpoint and the CA certificate used to verify it.
  kubernetes_host    = "https://127.0.0.1:61233"
  kubernetes_ca_cert = file("/path/to/cert")

  # JWT of the service account the secrets engine uses against the Kubernetes
  # API. Terraform stores resource arguments in its state, so this credential
  # ends up there: keep the state backend encrypted and access-controlled.
  service_account_jwt = file("/path/to/token")

  # false leaves Vault's fallback to the pod-local CA certificate and service
  # account JWT enabled when Vault itself runs inside Kubernetes.
  disable_local_ca_jwt = false
}

# Role that issues tokens for an existing Kubernetes service account.
resource "vault_kubernetes_secret_backend_role" "role" {
  backend              = vault_kubernetes_secret_backend.config.path
  name                 = "service-account-name-role"
  service_account_name = "test-service-account-with-generated-token"

  # "*" lets this role issue tokens in every namespace. Outside of a demo,
  # list only the namespaces that callers of the role actually need.
  allowed_kubernetes_namespaces = ["*"]

  # TTLs are in seconds: 6 hours by default, capped at 12 hours. Shorter
  # values limit how long a leaked token stays usable.
  token_default_ttl = 21600
  token_max_ttl     = 43200

  # Extra metadata for Kubernetes objects generated through this role.
  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }
  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}

# Requests a service account token from the role above.
# The returned token is a live credential and is written to the Terraform
# state on every read, so anyone who can read the state can use it until
# the TTL expires.
data "vault_kubernetes_service_account_token" "token" {
  backend = vault_kubernetes_secret_backend.config.path
  role    = vault_kubernetes_secret_backend_role.role.name

  # Must be a namespace permitted by the role's allowed_kubernetes_namespaces.
  kubernetes_namespace = "test"

  # false keeps any generated binding scoped to the namespace rather than
  # granting permissions across the whole cluster.
  cluster_role_binding = false

  # Requested lifetime; the role's token_max_ttl is the upper bound.
  ttl = "1h"
}

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the arguments above, the following attributes are exported: