Using bound service account tokens

    You can use bound service account tokens to limit the scope of permissions for a given service account token. These tokens are audience and time-bound. This facilitates the authentication of a service account to an IAM role and the generation of temporary credentials mounted to a pod. You can request bound service account tokens by using volume projection and the TokenRequest API.

    Configuring bound service account tokens using volume projection

    You can configure pods to request bound service account tokens by using volume projection.

    Prerequisites

    • You have access to the cluster as a user with the role.

    1. Optional: Set the service account issuer.

      This step is typically not required if the bound tokens are used only within the cluster.

      1. Edit the cluster object:

      2. This value should be a URL from which the recipient of a bound token can source the public keys necessary to verify the signature of the token. The default is .
    2. The application that uses the bound token must handle reloading the token when it rotates.
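    The following pod manifest is an added example, not taken from the OpenShift documentation or product, of the volume projection described above: the kubelet requests a bound token from the TokenRequest API for the pod's service account and mounts it as a file. The service account name, audience, image, and mount path are assumed values for illustration.

    ```yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: bound-token-example
    spec:
      serviceAccountName: example-sa        # assumed service account name
      containers:
      - name: app
        image: registry.example.com/app:latest   # assumed image
        volumeMounts:
        - name: bound-sa-token
          mountPath: /var/run/secrets/tokens  # assumed mount path; the app reads the token from here
          readOnly: true
      volumes:
      - name: bound-sa-token
        projected:
          sources:
          - serviceAccountToken:
              path: token
              # Audience-bound: a token for this audience is rejected by a recipient
              # that validates a different audience (for example, the API server).
              # If omitted, the audience defaults to the API server's identity.
              audience: example-audience      # assumed audience; an external IAM or STS endpoint would go here
              # Time-bound: seconds until the token expires (default 3600, minimum 600).
              # The kubelet rotates the token file before it expires, which is why
              # the application must re-read the file rather than cache it once.
              expirationSeconds: 3600
    ```

    Because the kubelet replaces the file contents on rotation, the application should re-read `/var/run/secrets/tokens/token` before each use or on a short interval instead of holding the first value in memory.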