Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 11. Using service accounts in applications

11.1. Service accounts overview

A service account is an OpenShift Container Platform account that allows a component to directly access the API. Service accounts are API objects that exist within each project. Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.

When you use the OpenShift Container Platform CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user’s credentials. For example, service accounts can allow:

  • Replication controllers to make API calls to create or delete pods.
  • Applications inside containers to make API calls for discovery purposes.
  • External applications to make API calls for monitoring or integration purposes.

Each service account’s user name is derived from its project and name:

Copy to Clipboard Toggle word wrap 
system:serviceaccount:<project>:<name>

Every service account is also a member of two groups:

GroupDescription

system:serviceaccounts

Includes all service accounts in the system.

system:serviceaccounts:<project>

Includes all service accounts in the specified project.

Each service account automatically contains two secrets:

  • An API token
  • Credentials for the OpenShift Container Registry

The generated API token and registry credentials do not expire, but you can revoke them by deleting the secret. When you delete the secret, a new one is automatically generated to take its place.

11.2. Default service accounts

Your OpenShift Container Platform cluster contains default service accounts for cluster management and generates more service accounts for each project.

11.2.1. Default cluster service accounts

Several infrastructure controllers run using service account credentials. The following service accounts are created in the OpenShift Container Platform infrastructure project (openshift-infra) at server start, and given the following roles cluster-wide:

Service AccountDescription

replication-controller

Assigned the system:replication-controller role

deployment-controller

Assigned the system:deployment-controller role

build-controller

Assigned the system:build-controller role. Additionally, the build-controller service account is included in the privileged security context constraint to create privileged build pods.

11.2.2. Default project service accounts and roles

Three service accounts are automatically created in each project:

Service AccountUsage

builder

Used by build pods. It is given the system:image-builder role, which allows pushing images to any imagestream in the project using the internal Docker registry.

deployer

Used by deployment pods and given the system:deployer role, which allows viewing and modifying replication controllers and pods in the project.

default

Used to run all other pods unless they specify a different service account.

All service accounts in a project are given the system:image-puller role, which allows pulling images from any imagestream in the project using the internal container image registry.

11.3. Creating service accounts

You can create a service account in a project and grant it permissions by binding it to a role.

Procedure

  1. Optional: To view the service accounts in the current project:

    Copy to Clipboard Toggle word wrap 
    $ oc get sa

    Example output

    Copy to Clipboard Toggle word wrap 
    NAME       SECRETS   AGE
builder    2         2d
default    2         2d
deployer   2         2d

  2. To create a new service account in the current project:

    Copy to Clipboard Toggle word wrap 
    $ oc create sa <service_account_name>
    1
    1
    To create a service account in a different project, specify -n <project_name>.

    Example output

    Copy to Clipboard Toggle word wrap 
    serviceaccount "robot" created

    Tip

    You can alternatively apply the following YAML to create the service account:

    Copy to Clipboard Toggle word wrap 
    apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service_account_name>
  namespace: <current_project>

  3. Optional: View the secrets for the service account:

    Copy to Clipboard Toggle word wrap 
    $ oc describe sa robot

    Example output

    Copy to Clipboard Toggle word wrap 
    Name:		robot
Namespace:	project1
Labels:		<none>
Annotations:	<none>

Image pull secrets:	robot-dockercfg-qzbhb

Mountable secrets: 	robot-token-f4khf
                   	robot-dockercfg-qzbhb

Tokens:            	robot-token-f4khf
                   	robot-token-z8h44

11.4. Using a service account’s credentials externally

You can distribute a service account’s token to external applications that must authenticate to the API.

To pull an image, the authenticated user must have get rights on the requested imagestreams/layers. To push an image, the authenticated user must have update rights on the requested imagestreams/layers.

By default, all service accounts in a project have rights to pull any image in the same project, and the builder service account has rights to push any image in the same project.

Procedure

  1. View the service account’s API token:

    Copy to Clipboard Toggle word wrap 
    $ oc describe secret <secret_name>

    For example:

    Copy to Clipboard Toggle word wrap 
    $ oc describe secret robot-token-uzkbh -n top-secret

    Example output

    Copy to Clipboard Toggle word wrap 
    Name:		robot-token-uzkbh
Labels:		<none>
Annotations:	kubernetes.io/service-account.name=robot,kubernetes.io/service-account.uid=49f19e2e-16c6-11e5-afdc-3c970e4b7ffe

Type:	kubernetes.io/service-account-token

Data

token:	eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

  2. Log in using the token that you obtained:

    Copy to Clipboard Toggle word wrap 
    $ oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

    Example output

    Copy to Clipboard Toggle word wrap 
    Logged into "https://server:8443" as "system:serviceaccount:top-secret:robot" using the token provided.

You don't have any projects. You can try to create a new project, by running

    $ oc new-project <projectname>

  3. Confirm that you logged in as the service account:

    Copy to Clipboard Toggle word wrap 
    $ oc whoami

    Example output

    Copy to Clipboard Toggle word wrap 
    system:serviceaccount:top-secret:robot

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.