Ryan

Reputation: 3165

One liner command to get secret name and secret's token

What's the one-liner command to replace the 2 commands below to get the Kubernetes secret's token? An example use case would be getting the token from kubernetes-dashboard-admin's secret to log in and view kubernetes-dashboard.

Command example:

$ kubectl describe serviceaccount default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-zvxf4
Tokens:              default-token-zvxf4
Events:              <none>

$ kubectl describe secret default-token-zvxf4
Name:         default-token-zvxf4
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 809835e7-2564-439f-82f3-14762688ca80

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      TOKENHERE

Upvotes: 6

Views: 6636

Answers (4)

mirekphd

Reputation: 6791

Assuming only one secret exists, we can use the jq JSON parser/processor to get this secret's data and then use base64 -d to decode it (you can do it in 1 line, but it's more self-documenting when the secret name is extracted separately):

$ SECRET_NAME=$(kubectl get secret -o name | head -1)

$ kubectl get -o name $SECRET_NAME | xargs kubectl get -o=json | jq -r ".data.token" | base64 -d

Upvotes: 0

langburd

Reputation: 1

Example using kubectl describe instead of kubectl get and adding the namespace definition:

kubectl -n kube-system describe secret $(kubectl -n kube-system describe sa default | grep 'Mountable secrets' | awk '{ print $3 }') | grep 'token:' | awk '{ print $2 }'

Upvotes: 0

David Maze

Reputation: 158967

You generally don't need to run either command. Kubernetes will automatically mount the credentials to /var/run/secrets/kubernetes.io/serviceaccount/token in a pod declared using that service account, and the various Kubernetes SDKs know to look for credentials there. Accessing the API from a Pod in the Kubernetes documentation describes this setup in more detail.

Configure Service Accounts for Pods describes the Pod-level setup that's possible to do, though there are reasonable defaults for these.

apiVersion: v1
kind: Pod # or a pod spec embedded in a Deployment &c.
spec:
  serviceAccountName: my-service-account # defaults to "default"
  automountServiceAccountToken: true     # defaults to true

I wouldn't try to make requests from outside the cluster as a service account. User permissions are better suited for this use case. As a user you could launch a Job with service-account permissions if you needed to.

Upvotes: 0

Ryan

Reputation: 3165

The answer I discovered is below. It uses jsonpath to retrieve the secret name and xargs to pass it to the second command. The encrypted token will need to be decoded with base64 at the end.

$ kubectl get serviceaccount default -o=jsonpath='{.secrets[0].name}' | xargs kubectl get secret -ojsonpath='{.data.token}' | base64 --decode
TOKENHERE%

The trailing % is not part of the token.

This should work on macOS without installing an additional app like jq, which should be able to do the same. Hope this is helpful for others.

Upvotes: 5
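As an added example (not from any of the answers above), here is the same jsonpath pipeline wrapped in a shell function that fails loudly instead of silently: with the bare one-liner, a service account that lists no secret makes xargs run `kubectl get secret` with no name, and the pipeline just prints nothing. `get_sa_token` is a hypothetical name; it assumes `kubectl` is already pointed at the target cluster.

```shell
#!/bin/sh
# Added example: the jsonpath one-liner as a function that fails loudly.
# get_sa_token is a hypothetical name; assumes kubectl points at the cluster.
get_sa_token() {
  sa_name="$1"
  sa_ns="${2:-default}"

  # Step 1: the secret name bound to the service account (empty on clusters
  # that no longer auto-create token secrets, i.e. Kubernetes 1.24 and later).
  secret_name=$(kubectl -n "$sa_ns" get serviceaccount "$sa_name" \
    -o 'jsonpath={.secrets[0].name}') || return 1
  if [ -z "$secret_name" ]; then
    echo "serviceaccount $sa_ns/$sa_name lists no secret" >&2
    echo "(on Kubernetes 1.24+ use: kubectl -n $sa_ns create token $sa_name)" >&2
    return 2
  fi

  # Step 2: the base64-encoded token; a secret of another type has no such key.
  token_b64=$(kubectl -n "$sa_ns" get secret "$secret_name" \
    -o 'jsonpath={.data.token}') || return 1
  if [ -z "$token_b64" ]; then
    echo "secret $sa_ns/$secret_name has no 'token' key" >&2
    return 3
  fi

  # --decode works with both GNU and macOS base64, matching the answer above.
  printf '%s' "$token_b64" | base64 --decode
}

# Usage when run directly: SA_TOKEN_DEMO=1 sh this_script.sh [serviceaccount] [namespace]
if [ "${SA_TOKEN_DEMO:-}" = "1" ]; then
  get_sa_token "${1:-default}" "${2:-default}"
fi
```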
