8.4. Using a service account’s credentials externally
You can distribute a service account’s token to external applications that must authenticate to the API.
In order to pull an image, the authenticated user must have get rights on the requested imagestreams/layers. In order to push an image, the authenticated user must have update rights on the requested imagestreams/layers.
By default, all service accounts in a project have rights to pull any image in the same project, and the builder service account has rights to push any image in the same project.
Procedure
View the service account’s API token:
$ oc describe secret <secret_name>
For example:
$ oc describe secret robot-token-uzkbh -n top-secret
Example output
Name: robot-token-uzkbh Labels: <none> Annotations: kubernetes.io/service-account.name=robot,kubernetes.io/service-account.uid=49f19e2e-16c6-11e5-afdc-3c970e4b7ffe Type: kubernetes.io/service-account-token Data token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Log in using the token that you obtained:
$ oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Example output
Logged into "https://server:8443" as "system:serviceaccount:top-secret:robot" using the token provided. You don't have any projects. You can try to create a new project, by running $ oc new-project <projectname>Confirm that you logged in as the service account:
$ oc whoami
Example output
system:serviceaccount:top-secret:robot
