Skip to main content
POST
/
api
/
v1
/
auth
/
kubernetes-auth
/
identities
/
{identityId}
cURL
curl --request POST \
  --url https://us.infisical.com/api/v1/auth/kubernetes-auth/identities/{identityId} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "kubernetesHost": "<string>",
  "caCert": "",
  "tokenReviewerJwt": "<string>",
  "tokenReviewMode": "api",
  "allowedNamespaces": "<string>",
  "allowedNames": "<string>",
  "allowedAudience": "<string>",
  "gatewayId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "accessTokenTrustedIps": [
    {
      "ipAddress": "0.0.0.0/0"
    },
    {
      "ipAddress": "::/0"
    }
  ],
  "accessTokenTTL": 2592000,
  "accessTokenMaxTTL": 2592000,
  "accessTokenNumUsesLimit": 0
}'
{
  "identityKubernetesAuth": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "accessTokenTTL": 7200,
    "accessTokenMaxTTL": 7200,
    "accessTokenNumUsesLimit": 0,
    "accessTokenTrustedIps": "<any>",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "tokenReviewMode": "api",
    "identityId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "kubernetesHost": "<string>",
    "allowedNamespaces": "<string>",
    "allowedNames": "<string>",
    "allowedAudience": "<string>",
    "gatewayId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "caCert": "<string>",
    "tokenReviewerJwt": "<string>"
  }
}

Authorizations

Authorization
string
header
required

An access token in Infisical

Path Parameters

identityId
string
required

The ID of the machine identity to attach the configuration onto.

Body

application/json
kubernetesHost
string | null
required

The host string, host:port pair, or URL to the base of the Kubernetes API server.

Minimum length: 1
allowedNamespaces
string
required

The comma-separated list of trusted namespaces that service accounts must belong to authenticate with Infisical.

allowedNames
string
required

The comma-separated list of trusted service account names that can authenticate with Infisical.

allowedAudience
string
required

The optional audience claim that the service account JWT token must have to authenticate with Infisical.

caCert
string
default:""

The PEM-encoded CA cert for the Kubernetes API server.

tokenReviewerJwt
string

Optional JWT token for accessing Kubernetes TokenReview API. If provided, this long-lived token will be used to validate service account tokens during authentication. If omitted, the client's own JWT will be used instead, which requires the client to have the system:auth-delegator ClusterRole binding.

tokenReviewMode
enum<string>
default:api

The mode to use for token review. Must be one of: 'api', 'gateway'. If gateway is selected, the gateway must be deployed in Kubernetes, and the gateway must have the system:auth-delegator ClusterRole binding.

Available options:
api,
gateway
gatewayId
string<uuid> | null

The ID of the gateway to use when performing kubernetes API requests.

accessTokenTrustedIps
object[]

The IPs or CIDR ranges that access tokens can be used from.

Minimum length: 1
accessTokenTTL
integer
default:2592000

The lifetime for an access token in seconds.

Required range: 0 <= x <= 315360000
accessTokenMaxTTL
integer
default:2592000

The maximum lifetime for an access token in seconds.

Required range: 0 <= x <= 315360000
accessTokenNumUsesLimit
integer
default:0

The maximum number of times that an access token can be used.

Required range: x >= 0

Response

Default Response

identityKubernetesAuth
object
required