Kubernetes Service Accounts Guide
Create and manage Kubernetes service accounts for pod identity. Covers RBAC binding, token projection, workload identity, and least-privilege access
The Problem
This is a fundamental Kubernetes topic that engineers search for frequently. A comprehensive reference with production-ready examples saves hours of trial and error.
The Solution
Create a Service Account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: default
  annotations:
    # AWS IRSA: map this SA to an IAM role
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/my-app-role
    # GCP Workload Identity: map this SA to a GCP service account
    iam.gke.io/gcp-service-account: my-app@project.iam.gserviceaccount.com
---
# Bind permissions (namespace made explicit so Role, RoleBinding and SA always land together)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-app-role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["my-app-config"] # Only this specific secret, by name
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-app-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: default
roleRef:
  kind: Role
  name: my-app-role
  apiGroup: rbac.authorization.k8s.io
```

Use in Pods
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: default
spec:
  serviceAccountName: my-app # Use the dedicated SA, not "default"
  automountServiceAccountToken: false # Disable if the app never calls the K8s API
  containers:
  - name: app
    image: my-app:v1
```

Projected Token (Short-Lived)
```yaml
# K8s 1.20+ bound tokens (auto-rotated, audience-scoped)
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: default
spec:
  serviceAccountName: my-app
  automountServiceAccountToken: false # The projected volume below replaces the default mount
  containers:
  - name: app
    image: my-app:v1
    volumeMounts:
    - name: token
      mountPath: /var/run/secrets/tokens
  volumes:
  - name: token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token       # Written to /var/run/secrets/tokens/vault-token
          expirationSeconds: 3600 # Kubelet refreshes the token before it expires
          audience: vault         # Only accepted by a verifier that expects aud=vault
```
```bash
# Check SA permissions by impersonating the service account
kubectl auth can-i --list --as=system:serviceaccount:default:my-app
kubectl auth can-i get secrets --as=system:serviceaccount:default:my-app
```
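The second check above answers "no" for this Role: a rule with `resourceNames` only matches requests that carry an object name, so `kubectl auth can-i get secrets/my-app-config` is the check that answers "yes". The following Python, added here as an example rather than code from the page or from Kubernetes, models the authorizer's rule matching so the checks can be reasoned about offline; the `Rule`, `rule_allows` and `role_allows` names and the transcribed rules are the example's own.

```python
"""Offline model of how the Kubernetes RBAC authorizer matches a request
against Role rules. Added example, not code from the page or from Kubernetes;
it models only namespaced resource rules (no subresources or nonResourceURLs).
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


# The Role from the guide, transcribed here as constructed sample data.
MY_APP_ROLE = [
    Rule([""], ["configmaps"], ["get", "list"]),
    Rule([""], ["secrets"], ["get"], resource_names=["my-app-config"]),
]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb, name=""):
    if not (_matches(rule.verbs, verb) and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)):
        return False
    # resourceNames narrows a rule to named objects. Unnamed requests (a plain
    # `get secrets`, `list`, `watch`, `create`) carry an empty name, which never
    # matches, so a name-scoped rule cannot grant collection-level access.
    if rule.resource_names:
        return name != "" and name in rule.resource_names
    return True


def role_allows(rules, api_group, resource, verb, name=""):
    """True when any rule matches: what `kubectl auth can-i <verb> <resource>[/<name>]`
    answers for a subject bound to exactly these rules."""
    return any(rule_allows(r, api_group, resource, verb, name) for r in rules)


if __name__ == "__main__":
    for verb, resource, name in [("get", "configmaps", ""), ("get", "secrets", ""),
                                 ("get", "secrets", "my-app-config"),
                                 ("list", "secrets", ""), ("delete", "configmaps", "")]:
        target = f"{resource}/{name}" if name else resource
        answer = "yes" if role_allows(MY_APP_ROLE, "", resource, verb, name) else "no"
        print(f"can-i {verb} {target}: {answer}")
```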
```mermaid
graph TD
  A[Service Account: my-app] --> B[RoleBinding]
  B --> C[Role: read configmaps + specific secret]
  D[Pod: serviceAccountName: my-app] --> E[Gets projected token]
  E --> F[Can call K8s API with SA permissions]
  A --> G[Cloud annotation: AWS IRSA / GCP WI]
  G --> H[Pod can access cloud resources]
```

Frequently Asked Questions
Should every app have its own service account?
Yes. Using the default SA means every pod in the namespace shares the same identity. Create a dedicated SA with minimal permissions for each application.
What is automountServiceAccountToken: false?
It prevents the SA token from being mounted into the pod. Use it for pods that don't need to call the Kubernetes API; it reduces the attack surface, since a compromised container then holds no API credential.
Best Practices
- Start with the simplest configuration that meets your needs
- Test changes in staging before production
- Use kubectl describe and events for troubleshooting
- Document your decisions for the team
Key Takeaways
- This is essential Kubernetes knowledge for production operations
- Follow the principle of least privilege and minimal configuration
- Monitor and iterate based on real-world behavior
- Automation reduces human error and improves consistency

