Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. Understanding and creating service accounts

10.1. Service accounts overview
Copy link

A service account is an OpenShift Container Platform account that allows a component to directly access the API. Service accounts are API objects that exist within each project. Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.

When you use the OpenShift Container Platform CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user’s credentials. For example, service accounts can allow:

  • Replication controllers to make API calls to create or delete pods.
  • Applications inside containers to make API calls for discovery purposes.
  • External applications to make API calls for monitoring or integration purposes.

Each service account’s user name is derived from its project and name: 

system:serviceaccount:<project>:<name>
Copy to Clipboard Toggle word wrap

Every service account is also a member of two groups:

Expand
GroupDescription

system:serviceaccounts

Includes all service accounts in the system.

system:serviceaccounts:<project>

Includes all service accounts in the specified project.

Each service account automatically contains two secrets:

  • An API token
  • Credentials for the OpenShift Container Registry

The generated API token and registry credentials do not expire, but you can revoke them by deleting the secret. When you delete the secret, a new one is automatically generated to take its place.

10.2. Creating service accounts
Copy link

You can create a service account in a project and grant it permissions by binding it to a role.

Procedure

  1. Optional: To view the service accounts in the current project: 

    $ oc get sa
    Copy to Clipboard Toggle word wrap

    Example output

    NAME       SECRETS   AGE
builder    2         2d
default    2         2d
deployer   2         2d
    Copy to Clipboard Toggle word wrap

  2. To create a new service account in the current project: 

    $ oc create sa <service_account_name>
    1
    Copy to Clipboard Toggle word wrap
    1
    To create a service account in a different project, specify -n <project_name>.

    Example output

    serviceaccount "robot" created
    Copy to Clipboard Toggle word wrap

    Tip

    You can alternatively apply the following YAML to create the service account: 

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service_account_name>
  namespace: <current_project>
    Copy to Clipboard Toggle word wrap

  3. Optional: View the secrets for the service account: 

    $ oc describe sa robot
    Copy to Clipboard Toggle word wrap

    Example output

    Name:                robot
Namespace:           project1
Labels:	             <none>
Annotations:	     <none>
Image pull secrets:  robot-dockercfg-qzbhb
Mountable secrets:   robot-dockercfg-qzbhb
Tokens:              robot-token-f4khf
Events:              <none>
    Copy to Clipboard Toggle word wrap

You can grant roles to service accounts in the same way that you grant roles to a regular user account.

  • You can modify the service accounts for the current project. For example, to add the view role to the robot service account in the top-secret project: 

    $ oc policy add-role-to-user view system:serviceaccount:top-secret:robot
    Copy to Clipboard Toggle word wrap
    Tip

    You can alternatively apply the following YAML to add the role: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: view
  namespace: top-secret
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: robot
  namespace: top-secret
    Copy to Clipboard Toggle word wrap

  • You can also grant access to a specific service account in a project. For example, from the project to which the service account belongs, use the -z flag and specify the <service_account_name> 

    $ oc policy add-role-to-user <role_name> -z <service_account_name>
    Copy to Clipboard Toggle word wrap
    Important

    If you want to grant access to a specific service account in a project, use the -z flag. Using this flag helps prevent typos and ensures that access is granted to only the specified service account.

    Tip

    You can alternatively apply the following YAML to add the role: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <rolebinding_name>
  namespace: <current_project_name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <role_name>
subjects:
- kind: ServiceAccount
  name: <service_account_name>
  namespace: <current_project_name>
    Copy to Clipboard Toggle word wrap

  • To modify a different namespace, you can use the -n option to indicate the project namespace it applies to, as shown in the following examples.

    • For example, to allow all service accounts in all projects to view resources in the my-project project: 

      $ oc policy add-role-to-group view system:serviceaccounts -n my-project
      Copy to Clipboard Toggle word wrap
      Tip

      You can alternatively apply the following YAML to add the role: 

      apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: view
  namespace: my-project
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
      Copy to Clipboard Toggle word wrap

    • To allow all service accounts in the managers project to edit resources in the my-project project: 

      $ oc policy add-role-to-group edit system:serviceaccounts:managers -n my-project
      Copy to Clipboard Toggle word wrap
      Tip

      You can alternatively apply the following YAML to add the role: 

      apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit
  namespace: my-project
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:managers
      Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat