Configuring the Kubernetes CLI by using service account tokens
JianQiu
Service account tokens
You can obtain a user token from the IBM Cloud Private management console. kubectl can use this user token to authenticate against the Kubernetes API server. Once you are authenticated, you can access your cluster from the command line (CLI). However, this token has an expiration time of 12 hours, which is not suitable for long-running services.
Processes that are running inside a container have a different mechanism for communicating with the Kubernetes API server. To facilitate this communication, authentication is done through a token that belongs to a service account.
For more information about service accounts in Kubernetes, see
For long-running services, we can use a service account to access the Kubernetes API server, which allows access to the CLI for extended periods of time.
While working with services in IBM Cloud Private, two methods are available for obtaining service account tokens:
For more information about installing kubectl and obtaining the user token from the IBM Cloud Private management console, see
Option 1: Working with service account tokens obtained from a running IBM Cloud Private pod
1. Locate the service account tokens
When a long running service is launched in the IBM Cloud Private cluster, the service account is mounted automatically. The directory that is used for mounting the service account is /va
The API service endpoint is
2. Connect to the Kubernetes API server
To connect to the Kubernetes API server using the service account, issue the following command:
kubectl config set-cluster cfc --se
3. Access your cluster by using the CLI (kubectl)
You are now able to use the Kubernetes CLI (kubectl) to access your cluster without a time limit. To get you started working with kubectl, see
Option 2: Working with service account tokens obtained from kubectl
You can also obtain service account tokens by using kubectl. To obtain service account tokens by using kubectl:
kubectl get secret --na
kubectl get secret default-token-2mfqv --na
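Because a service account token, unlike the 12-hour user token, gives kubectl access without a time limit, it helps to check which namespace and service account a token is bound to before placing it in a kubeconfig. The following is an added example, not part of the original post: it decodes the token payload without verifying the signature, and it assumes the claim names of secret-based Kubernetes service account tokens. The sample token and its `default` namespace are constructed; only the secret name comes from the command above.

```python
import base64
import json
import time

PREFIX = "kubernetes.io/serviceaccount/"  # assumed claim prefix (secret-based tokens)


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token, now=None):
    """Decode a JWT payload WITHOUT verifying the signature and summarise its scope."""
    token = token.strip()
    if token.count(".") != 2:
        # Values under .data in a Secret are base64-encoded: unwrap one layer.
        token = base64.b64decode(token).decode().strip()
    _header, payload, _signature = token.split(".")  # ValueError if not a JWT
    claims = json.loads(b64url_decode(payload))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": claims.get(PREFIX + "namespace"),
        "service_account": claims.get(PREFIX + "service-account.name"),
        "secret": claims.get(PREFIX + "secret.name"),
        "non_expiring": exp is None,  # no exp claim: valid until revoked
        "expired": exp is not None and exp <= now,
    }


def make_sample(claims):
    # Constructed sample token: real header/payload layout, dummy signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


SAMPLE = make_sample({
    "iss": "kubernetes/serviceaccount",
    PREFIX + "namespace": "default",  # constructed value
    PREFIX + "secret.name": "default-token-2mfqv",
    PREFIX + "service-account.name": "default",
})

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE), indent=2))
```

A result with `non_expiring` set to true means the token stays usable until its secret or service account is deleted, so the kubeconfig that holds it should be stored and permissioned like any other long-lived credential.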