Learn how to authenticate with Infisical in Kubernetes
/api/v1/auth/kubernetes-auth/login endpoint. If successful, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
To be more specific:

/var/run/secrets/kubernetes.io/serviceaccount/token pod path.

/api/v1/auth/kubernetes-auth/login endpoint, after which Infisical forwards the JWT token to the Kubernetes API Server at the TokenReview API for verification and to obtain the service account information associated with the JWT token. Infisical is able to authenticate and interact with the TokenReview API by using a long-lived service account JWT token itself (referred to from here on as the token reviewer JWT token).

Obtaining the token reviewer JWT for Infisical
system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Infisical to access the TokenReview API. You can apply the following configuration file:

Secret resource:

Creating an identity
kubectl cluster-info.

2592000 equivalent to 30 days): The lifetime for an access token in seconds. This value will be referenced at renewal time.

2592000 equivalent to 30 days): The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.

0): The maximum number of times that an access token can be used; a value of 0 implies an infinite number of uses.

0.0.0.0/0, allowing usage from any network address.

Adding an identity to a project
Accessing the Infisical API with the identity
/var/run/secrets/kubernetes.io/serviceaccount/token path. This token should be used to authenticate with Infisical at the /api/v1/auth/kubernetes-auth/login endpoint.

For information on how to configure service accounts for pods, refer to the guide here.

We provide a code example below of how you might retrieve the JWT token and use it to authenticate with Infisical to gain access to the Infisical API.

Sample code for inside an application
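An added example (not Infisical's own sample code) of the login flow described above: it reads the service account JWT from the pod path, posts it to the login endpoint, and caches the returned access token until shortly before it expires, then logs in again. The request fields identityId and jwt, the response fields accessToken and expiresIn, the Bearer header, and the class and parameter names are assumptions not stated on this page.

```python
import json
import time
import urllib.request

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
LOGIN_PATH = "/api/v1/auth/kubernetes-auth/login"


def http_post_json(url, payload, timeout=10):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


class KubernetesAuthClient:
    """Logs in with the pod's service account JWT and caches the access token."""

    def __init__(self, base_url, identity_id, token_path=SA_TOKEN_PATH,
                 post=http_post_json, clock=time.monotonic, skew=30):
        if not base_url.startswith("https://"):
            raise ValueError("refusing to send a service account JWT over non-HTTPS")
        self.login_url = base_url.rstrip("/") + LOGIN_PATH
        self.identity_id, self.token_path = identity_id, token_path
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def login(self):
        # Re-read the file on every login: the kubelet may rotate the mounted token.
        with open(self.token_path, encoding="utf-8") as fh:
            jwt = fh.read().strip()
        # Assumed field names: identityId, jwt (request); accessToken, expiresIn (response).
        body = self._post(self.login_url, {"identityId": self.identity_id, "jwt": jwt})
        self._token = body["accessToken"]
        self._expires_at = self._clock() + float(body["expiresIn"]) - self._skew
        return self._token

    def access_token(self):
        """Return the cached token, logging in again once it is about to expire."""
        if self._token is None or self._clock() >= self._expires_at:
            return self.login()
        return self._token

    def auth_header(self):
        # Assumed: the access token is sent as a Bearer token.
        return {"Authorization": "Bearer " + self.access_token()}
```

The post and clock parameters exist so the client can be exercised without a cluster or network; in a pod the defaults are used.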
7200 seconds which can be adjusted.

If an identity access token exceeds its max TTL, it can no longer authenticate with the Infisical API. In this case, a new access token should be obtained by performing another login operation.

Why is the Infisical API rejecting my service account JWT token?
Why is the Infisical API rejecting my access token?
What is access token renewal and TTL/Max TTL?