Service account token
Learn how to use the service account token to connect with the License Service API server.
Service account token authentication provides a flexible and customizable way to manage access to the License Service APIs. It is based on Kubernetes role-based access control (RBAC): the token identifies a service account, and RBAC bindings decide which API endpoints that service account can call.
The following article describes basic configuration. For more advanced configuration, see Using RBAC Authorization in Kubernetes documentation.
- Limitations
- Authentication and authorization
- Default configuration
- Custom configuration
- Using the API token
Limitations
The service account token is passed in an HTTP request header. A browser does not add that header to a plain page request, so to retrieve the licensing data through the APIs from your browser, you must use the simplified License Service interface, which is available under the License Service URL. For more information, see Obtaining the License Service URL.
Authentication and authorization
- Authentication - Checks that the provided token is a valid token for a service account on the cluster where License Service is deployed. A token from another cluster, or a token whose secret has been deleted, fails this check.
- Authorization - Checks, through RBAC, that the service account is bound to a cluster role that grants the get verb on the requested License Service API endpoint (a nonResourceURL such as /products).
Default configuration
By default, after installation, the ibm-licensing-default-reader service account is created in the namespace where License Service is deployed.
This service account has a binding to the cluster role that gives access to License Service APIs.
Obtaining the token for ibm-licensing-default-reader
By using the CLI
Complete the following steps to get the service account token by using kubectl:
- Get the name of your Kubernetes secret object. Secrets are used to store access credentials.
  kubectl get secret -n <your-License-Service-namespace> | grep ibm-licensing-default-reader-token | head -n 1
  Following is a sample output where ibm-licensing-default-reader-token-xxxxx is the name of the secret:
  ibm-licensing-default-reader-token-xxxxx kubernetes.io/service-account-token 4 5h22m
- Retrieve the ibm-licensing-default-reader token. The token is stored base64-encoded in the data.token field of the secret.
  - Linux:
    kubectl get secret ibm-licensing-default-reader-token-xxxxx -o jsonpath='{.data.token}' -n <your-License-Service-namespace> | base64 -d
  - OSX:
    kubectl get secret ibm-licensing-default-reader-token-xxxxx -o jsonpath='{.data.token}' -n <your-License-Service-namespace> | base64 -D
  - Windows:
    kubectl get secret ibm-licensing-default-reader-token-xxxxx -o jsonpath={.data.token} -n <your-License-Service-namespace>
    Decode the returned base64 value to reveal your API token.
  The decoded value is your API token. Treat it as a password: a secret-backed service account token is a long-lived bearer credential, and anyone who obtains it can call every License Service API that the ibm-licensing-default-reader binding grants. If the token is exposed, delete the secret so that Kubernetes issues a new one.
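The steps above, as a script. This is an added example and not part of the License Service documentation: it fetches the ibm-licensing-default-reader token with kubectl and, before the token is used anywhere, checks that the decoded value is a JWT whose sub claim names that service account, and whether it carries an exp claim (secret-backed tokens do not, so they never expire). The namespace ibm-common-services and the sample token used in the offline demo are constructed assumptions; substitute your License Service namespace.

```sh
#!/bin/sh
# Added example; not part of the License Service documentation.
# Fetch the ibm-licensing-default-reader token and sanity-check it as a JWT
# issued to that service account before using it. The namespace in the offline
# demo (ibm-common-services) and the sample token are constructed assumptions.
set -eu

# base64url (JWT segments) -> standard base64 with padding -> decoded bytes.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a string-valued claim such as sub or iss without needing jq.
jwt_claim() {   # $1=token $2=claim name
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Succeeds only if the token was issued to the expected service account.
token_is_for_sa() {   # $1=token $2=namespace $3=service account name
    [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Secret-backed (kubernetes.io/service-account-token) tokens carry no exp claim
# and never expire; revoking one means deleting the secret.
jwt_has_exp() {
    jwt_payload "$1" | grep -q '"exp":'
}

# Online path (needs kubectl and access to the cluster). Quoting the jsonpath
# expression stops shells such as zsh from expanding the braces.
get_license_token() {   # $1=License Service namespace
    secret=$(kubectl get secret -n "$1" -o name | grep 'ibm-licensing-default-reader-token' | head -n 1)
    [ -n "$secret" ] || { echo "no ibm-licensing-default-reader token secret in $1" >&2; return 1; }
    kubectl get "$secret" -n "$1" -o jsonpath='{.data.token}' | base64 -d
}

# Offline demo with a constructed token: real header/payload layout, fake signature.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_NS=ibm-common-services
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"demo"}' | b64url_encode).$(
    printf '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:%s:ibm-licensing-default-reader"}' "$SAMPLE_NS" | b64url_encode
).not-a-real-signature"

if token_is_for_sa "$SAMPLE_TOKEN" "$SAMPLE_NS" ibm-licensing-default-reader; then
    echo "token belongs to ibm-licensing-default-reader in $SAMPLE_NS"
fi
jwt_has_exp "$SAMPLE_TOKEN" || echo "no exp claim: long-lived secret token, rotate it by deleting the secret"

# Against a cluster (not run here):
#   TOKEN=$(get_license_token ibm-common-services)
#   token_is_for_sa "$TOKEN" ibm-common-services ibm-licensing-default-reader
```

The check on sub is cheap insurance against pasting a token from the wrong cluster or the wrong service account into an automation job; the exp check tells you whether the credential you are about to store has any built-in lifetime at all.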
By using the OpenShift console
- Log in to the OpenShift console of the cluster where you deployed License Service.
- Go to Workloads > Secrets.
- Find the ibm-licensing-default-reader-token-xxxxx secret and select it.
  Note: If more than one secret is listed, select any of these secrets.
- Scroll to the Data section, and copy the token by clicking the Copy to Clipboard icon.
Custom configuration
You can create and use a different service account that has a binding to a proper cluster role to access License Service API. For more information, see Using RBAC Authorization in Kubernetes documentation.
Cluster role configuration
Configure a cluster role with the following content:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <role name>
rules:
- nonResourceURLs:
  - "/products"
  - "/snapshot"
  - "/bundled_products"
  - "/services"
  - "/health"
  - "/status"
  verbs:
  - "get"
where nonResourceURLs is the list of License Service API paths to which the service account is granted access, and verbs lists the allowed HTTP methods (the License Service APIs are all retrievals, so get is sufficient). You can customize the nonResourceURLs list to meet your requirements, for example to grant a service account access to /health and /status only.
API | nonResourceURLs |
---|---|
Retrieving an audit snapshot | /snapshot |
Retrieving license usage of products | /products |
Retrieving license usage of bundled products | /bundled_products |
Retrieving contribution of services | /services |
Retrieving information about License Service health | /health |
Obtaining the status page | /status |
Important: This list might change in the future if new APIs are added. Monitor the list so that you can update the cluster role and keep access to all APIs.
Creating cluster role bindings
Create a cluster role binding for your custom service account with the following content:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <binding name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <custom role name>
subjects:
- kind: ServiceAccount
  name: <service account name>
  namespace: <service account namespace>
where roleRef.name must match the metadata.name of the cluster role that you created, and subjects identifies the service account (with its namespace) that receives the access. A binding whose roleRef names a cluster role that does not exist is accepted by Kubernetes but grants nothing, so the service account is authenticated and then rejected at the authorization step.
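The custom configuration as a script, added here as an example and not part of the License Service documentation. It renders the cluster role and cluster role binding from this page with the roleRef name guaranteed to match the role, applies them for a service account, and then verifies the result the way a practitioner would: by asking the API server with kubectl auth can-i while impersonating the service account, and by diffing the role's current nonResourceURLs against the list on this page (the check the Important note above asks you to keep doing). The names license-reader and license-api-reader and the namespace ibm-common-services are hypothetical placeholders.

```sh
#!/bin/sh
# Added example; not part of the License Service documentation.
# Render, apply and verify RBAC for a custom License Service reader account.
# Names used in the offline demo (license-reader, license-api-reader,
# ibm-common-services) are hypothetical placeholders.
set -eu

# Endpoints from the nonResourceURLs table on this page.
LICENSE_API_PATHS="/products /snapshot /bundled_products /services /health /status"

# Print a ClusterRole granting "get" on every License Service endpoint.
render_cluster_role() {   # $1=role name
    printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: %s\nrules:\n- nonResourceURLs:\n' "$1"
    for p in $LICENSE_API_PATHS; do printf '  - "%s"\n' "$p"; done
    printf '  verbs:\n  - "get"\n'
}

# Print a ClusterRoleBinding tying the service account to that role.
render_binding() {   # $1=binding name $2=role name $3=sa name $4=sa namespace
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $2
subjects:
- kind: ServiceAccount
  name: $3
  namespace: $4
EOF
}

# Given the nonResourceURLs a role currently has (for example from
#   kubectl get clusterrole <name> -o jsonpath='{.rules[*].nonResourceURLs[*]}'),
# print each License Service endpoint the role does not cover.
missing_paths() {   # $1=space-separated list of URLs currently in the role
    for p in $LICENSE_API_PATHS; do
        case " $1 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Count the endpoints the service account may GET according to the API server
# itself; 6 means the binding works end to end. Needs kubectl and the right to
# impersonate service accounts.
count_allowed_paths() {   # $1=sa namespace $2=sa name
    n=0
    for p in $LICENSE_API_PATHS; do
        if kubectl auth can-i get "$p" --as="system:serviceaccount:$1:$2" >/dev/null 2>&1; then
            n=$((n + 1))
        else
            echo "denied: get $p" >&2
        fi
    done
    echo "$n"
}

# Online path: create the service account, apply the RBAC objects and verify.
setup_custom_reader() {   # $1=namespace $2=sa name $3=role name
    kubectl get serviceaccount "$2" -n "$1" >/dev/null 2>&1 || kubectl create serviceaccount "$2" -n "$1"
    render_cluster_role "$3" | kubectl apply -f -
    render_binding "$3-binding" "$3" "$2" "$1" | kubectl apply -f -
    [ "$(count_allowed_paths "$1" "$2")" -eq 6 ]
}

# Offline demo: render the two manifests for a hypothetical reader account.
render_cluster_role license-api-reader
render_binding license-api-reader-binding license-api-reader license-reader ibm-common-services
# Against a cluster (not run here): setup_custom_reader ibm-common-services license-reader license-api-reader
```

kubectl auth can-i with a leading slash queries a non-resource URL, which is exactly the rule type this page uses, so a count of 6 proves the role, the binding and the subject all line up; a denial on one path after a License Service upgrade is the signal that the nonResourceURLs list in your role needs the new endpoint.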
Using the service account token
To connect to an API endpoint, you must provide the authentication token with every call. If you use a service account token, send it as a bearer token in the Authorization header of each request.
The following example shows how to provide the service account token to access the License Service API.
curl -k -H "Authorization: Bearer <token>" <API URL>
Note: The -k option turns off verification of the server certificate, so the token is sent to whatever server answers at <API URL>. Use it only on a network that you trust; where possible, replace -k with --cacert <CA certificate file> for the certificate authority that signed the License Service endpoint.
API | API URL |
---|---|
Retrieving an audit snapshot | <License Service URL>/snapshot |
Retrieving license usage of products | <License Service URL>/products |
Retrieving license usage of bundled products | <License Service URL>/bundled_products |
Retrieving contribution of services | <License Service URL>/services |
Retrieving information about License Service health | <License Service URL>/health |
Obtaining the status page | <License Service URL>/status |
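The call above, as an added example that is not part of the License Service documentation: it sends the bearer token while verifying the server certificate against a CA bundle instead of disabling checks with -k, keeps the token out of the process list by handing the header to curl through a config read from stdin, and maps the HTTP status back to the authentication/authorization split described earlier on this page. Assumptions: LICENSE_CA_BUNDLE points at the PEM chain for the License Service (or OpenShift route) certificate, and the service answers 401 when authentication fails and 403 when authorization fails; the exact status codes are not stated on this page.

```sh
#!/bin/sh
# Added example; not part of the License Service documentation.
# CA-verified bearer-token request to a License Service endpoint.
# Assumptions: LICENSE_CA_BUNDLE holds the PEM chain for the endpoint's
# certificate; 401 means authentication failed, 403 means authorization failed.
set -eu

# Translate an HTTP status into which of the two checks on this page failed.
describe_api_status() {   # $1=HTTP status code
    case "$1" in
        200) echo "ok: token authenticated and service account authorized for this endpoint" ;;
        401) echo "authentication failed: not a valid service account token for this cluster" ;;
        403) echo "authorization failed: no ClusterRole binding grants get on this endpoint" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}

# Build the curl config that carries the Authorization header. Feeding it to
# curl with -K - (config on stdin) keeps the token out of "ps" output, which a
# -H "Authorization: Bearer ..." argument would expose to every local user.
curl_auth_config() {   # $1=token
    printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# GET <License Service URL><path>; prints the body, returns 0 only on HTTP 200.
license_api_get() {   # $1=License Service URL $2=API path (e.g. /products) $3=token
    body=$(mktemp)
    status=$(curl_auth_config "$3" | curl -sS --cacert "$LICENSE_CA_BUNDLE" -K - \
        -o "$body" -w '%{http_code}' "$1$2")
    describe_api_status "$status" >&2
    cat "$body"
    rm -f "$body"
    [ "$status" = 200 ]
}

# Usage against a cluster (not run here):
#   LICENSE_CA_BUNDLE=ca.pem license_api_get "https://<License Service URL>" /products "$TOKEN"
```

A 401 after a 200 a week earlier usually means the token's secret was deleted and recreated; a 403 on one path but 200 on another means the cluster role behind the binding does not list that path, so fix the role, not the token.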