Working with Service Account In Kubernetes

How to configure a service account in Kubernetes and manage it?

Oct 14, 2020 · 5 min read

What Is Service Account in Kubernetes?

There are two types of account in Kubernetes

Service Account :

In the Kubernetes cluster, any processes or applications in the container which resides within the pod can access the cluster by getting authenticated by the API server, using a service account.

For Example:

An application like Prometheus accessing the cluster to monitor it is a type of service account


A service account is an identity that is attached to the processes running within a pod.


When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.

How Does Kubernetes Service Account Works?

Case 1: When you have an external application trying to access Kubernetes cluster API servers.

My Web Page is trying to access the Kubernetes cluster

Suppose there is a web page: My Web Page which has a list of items to be displayed, this data needs to be fetched from an API server hosted in the Kubernetes cluster as shown above in the figure. To do so, we need to a service account that will be enabled by cluster API servers to authenticate and access the data from the cluster servers.

Install minikube and kubectl CLI : If not done yet

Before you begin: You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not have minikube installed visit here: Minikube,

or you can use one of these Kubernetes playgrounds by clicking the given link below:

Creating a service account:

Now to access the kubernetes cluster as discussed above we need to create a service account, which we can do by using the following command :

This command will generate a service account with the name: my-webpage-sa

When you are done creating a service account, a service account token also gets generated, this token is what will be required by our My Web Page application to access the data via apis.

Let’s see how you can view the token and other attached details with the created service account.

Describing the service account:

you have to type the following kubectl command:

Output of the above describe command:

So if you carefully watch the output you will see that the Tokens attribute is created with the value: my-webpage-sa-token-zngkh. This token is stored as a secret object, this secret object is attached to the service account:my-webpage-sa.

To view the secret object :

If you want to view whats the content of the secrte object we can type the following command

$ kubectl describe secret <token-value>

as shown below :


when you execute the above command, you can view the encoded hash-key value of the token as highlighted in the image above.

This is the key that can be exchanged as an authentication bearer token in your REST API call, to fetch the required data from the Kubernetes cluster API server.


To summarize :

But what if our application is an integral part of the cluster itself and lies into one of the PODs

Case 2: When the application is hosted and running within the Cluster POD

In this scenario, when any pod is created in the Kubernetes cluster with any given namespace, these pods by default creates a service account with the name default. The default service account automatically creates the service token along with the required secret object.

So our application will be able to access the API server lying within the same namespace, by using this default service account mounted in the pod.

For instance, type the below-given command on your terminal:

-$ kubectl get serviceaccount

you will see the default secret as highlighted above, and if you go further to type the below set of commands to access the default secret attached with the default token

you will be able to get the name of default token value, default-token-7k7zj(note this will vary in your case ), this automatically gets created when any pod is created in the given node namespace,

To view the secret object detail against the default token,default-token-7k7z:

Type the following command:

So for our application hosted in the pod with the same namespace, this default secret object can be used to give access to the API servers lying in the same cluster namespace.

What’s Next?

We will get into the depth of service account and default tokens more in the next piece where we will discuss



Learn System Designing | Architecting | DevOps| Microservices | Clean Coding | Data Science

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store