PATCH /api/v1/auth/kubernetes-auth/identities/{identityId}
cURL
curl --request PATCH \
  --url https://us.infisical.com/api/v1/auth/kubernetes-auth/identities/{identityId} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "kubernetesHost": "<string>",
  "caCert": "<string>",
  "tokenReviewerJwt": "<string>",
  "tokenReviewMode": "api",
  "allowedNamespaces": "<string>",
  "allowedNames": "<string>",
  "allowedAudience": "<string>",
  "gatewayId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "accessTokenTrustedIps": [
    {
      "ipAddress": "<string>"
    }
  ],
  "accessTokenTTL": 157680000,
  "accessTokenNumUsesLimit": 1,
  "accessTokenMaxTTL": 157680000
}'
{
  "identityKubernetesAuth": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "accessTokenTTL": 7200,
    "accessTokenMaxTTL": 7200,
    "accessTokenNumUsesLimit": 0,
    "accessTokenTrustedIps": "<any>",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "tokenReviewMode": "api",
    "identityId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "kubernetesHost": "<string>",
    "allowedNamespaces": "<string>",
    "allowedNames": "<string>",
    "allowedAudience": "<string>",
    "gatewayId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "caCert": "<string>",
    "tokenReviewerJwt": "<string>"
  }
}

Authorizations

Authorization
string
header
required

An access token in Infisical

Path Parameters

identityId
string
required

The ID of the identity to update the auth method for.

Body

application/json
kubernetesHost
string | null

The new host string, host:port pair, or URL to the base of the Kubernetes API server.

Minimum length: 1

caCert
string

The new PEM-encoded CA cert for the Kubernetes API server.

tokenReviewerJwt
string | null

Optional JWT token for accessing the Kubernetes TokenReview API. If provided, this long-lived token will be used to validate service account tokens during authentication. If omitted, the client's own JWT will be used instead, which requires the client to have the system:auth-delegator ClusterRole binding.

tokenReviewMode
enum<string>

The mode to use for token review. Must be one of: 'api', 'gateway'. If gateway is selected, the gateway must be deployed in Kubernetes, and the gateway must have the system:auth-delegator ClusterRole binding.

Available options: api, gateway

allowedNamespaces
string

The new comma-separated list of trusted namespaces that service accounts must belong to in order to authenticate with Infisical.

allowedNames
string

The new comma-separated list of trusted service account names that can authenticate with Infisical.

allowedAudience
string

The new optional audience claim that the service account JWT token must have to authenticate with Infisical.

gatewayId
string<uuid> | null

The ID of the gateway to use when performing Kubernetes API requests.

accessTokenTrustedIps
object[]

The new IPs or CIDR ranges that access tokens can be used from.

Minimum length: 1

accessTokenTTL
integer

The new lifetime for an access token in seconds.

Required range: 0 <= x <= 315360000

accessTokenNumUsesLimit
integer

The new maximum number of times that an access token can be used.

Required range: x >= 0

accessTokenMaxTTL
integer

The new maximum lifetime for an access token in seconds.

Required range: 0 <= x <= 315360000
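
A pre-flight check for the request body, as an added example that is not Infisical's code: it enforces the constraints documented for the body fields above and separately flags two hardening concerns (a trusted range that matches every address, an empty allow-list), which are assumptions of this example rather than API rules. The name check_patch_body is hypothetical.

```python
import ipaddress

MAX_TTL = 315360000                 # documented upper bound for both TTL fields
REVIEW_MODES = {"api", "gateway"}   # documented tokenReviewMode options


def check_patch_body(body):
    """Hypothetical helper: return (errors, warnings) for a PATCH body.

    errors   -> violations of constraints documented on this page
    warnings -> hardening checks assumed for this example, not API rules
    """
    errors, warnings = [], []

    host = body.get("kubernetesHost")
    if host is not None and len(host) < 1:
        errors.append("kubernetesHost: minimum length is 1")

    mode = body.get("tokenReviewMode")
    if mode is not None and mode not in REVIEW_MODES:
        errors.append("tokenReviewMode: must be 'api' or 'gateway'")

    for field in ("accessTokenTTL", "accessTokenMaxTTL"):
        ttl = body.get(field)
        if ttl is not None and not (type(ttl) is int and 0 <= ttl <= MAX_TTL):
            errors.append(f"{field}: integer in 0..{MAX_TTL} required")

    uses = body.get("accessTokenNumUsesLimit")
    if uses is not None and not (type(uses) is int and uses >= 0):
        errors.append("accessTokenNumUsesLimit: integer >= 0 required")

    ips = body.get("accessTokenTrustedIps")
    if ips is not None and len(ips) < 1:
        errors.append("accessTokenTrustedIps: minimum length is 1")
    for entry in ips or []:
        raw = str(entry.get("ipAddress", ""))
        try:
            net = ipaddress.ip_network(raw, strict=False)  # bare IP or CIDR
        except ValueError:
            errors.append(f"accessTokenTrustedIps: {raw!r} is not an IP or CIDR")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            warnings.append(f"accessTokenTrustedIps: {net} matches every address")

    for field in ("allowedNamespaces", "allowedNames"):
        if field in body and not any(p.strip() for p in body[field].split(",")):
            warnings.append(f"{field}: no namespace or name is listed")
    return errors, warnings
```

Fields absent from the body are skipped, since a PATCH may update only some of them.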

Response

Default Response

identityKubernetesAuth
object
required