The Infisical Kubernetes dynamic secret allows you to generate short-lived service account tokens on demand.

Overview

The Kubernetes dynamic secret feature enables you to generate short-lived service account tokens for your Kubernetes clusters. This is particularly useful for:
  • Secure Access Management: Instead of using long-lived service account tokens, you can generate short-lived tokens that automatically expire, reducing the risk of token exposure.
  • Temporary Access: Generate tokens with specific TTLs (Time To Live) for temporary access to your Kubernetes clusters.
  • Audit Trail: Each token generation is tracked, providing better visibility into who accessed your cluster and when.
  • Integration with Private Clusters: Seamlessly work with private Kubernetes clusters using Infisical’s Gateway feature.
Kubernetes service account tokens cannot be revoked once issued. This is why it’s important to use short TTLs and carefully manage token generation. The tokens will automatically expire after their TTL period.
Kubernetes service account tokens are JWTs (JSON Web Tokens) with a fixed expiration time. Once a token is generated, its lifetime cannot be extended. If you need longer access, you’ll need to generate a new token.
This feature is ideal for scenarios where you need to:
  • Provide temporary access to developers or CI/CD pipelines
  • Rotate service account tokens frequently
  • Maintain a secure audit trail of cluster access
  • Manage access to multiple Kubernetes clusters

Set up Dynamic Secrets with Kubernetes

1. Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.

2. Click on the 'Add Dynamic Secret' button

3. Select Kubernetes

4. Choose your configuration options

Before proceeding with the setup, you’ll need to make two key decisions:
  1. Credential Type: How you want to manage service accounts
    • Static: Use an existing service account with predefined permissions
    • Dynamic: Create temporary service accounts with specific role assignments
  2. Authentication Method: How you want to authenticate with the cluster
    • Token (API): Use a service account token for direct API access
    • Gateway: Use an Infisical Gateway deployed in your cluster
Static credentials generate service account tokens for a predefined service account. This is useful when you want to:
  • Generate tokens for an existing service account
  • Maintain consistent permissions across token generations
  • Use a service account that already has the necessary RBAC permissions

Prerequisites

  • A Kubernetes cluster with a service account
  • Cluster access token with permissions to create service account tokens
  • (Optional) Gateway for private cluster access

Authentication Setup

Choose your authentication method:

5. Provide the inputs for dynamic secret parameters

  • Secret Name (string, required): Name by which you want the secret to be referenced.
  • Default TTL (string, required): Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated).
  • Max TTL (string, required): Maximum time-to-live for a generated secret.
  • Gateway (string): Select a gateway for private cluster access. If not specified, the Internet Gateway will be used.
  • Cluster URL (string, required): Kubernetes API server URL (e.g., https://kubernetes.default.svc). Not required when using Gateway authentication, as the Gateway will use its internal cluster URL.
  • Enable SSL (boolean): Whether to enable SSL verification for the Kubernetes API server connection. Not required when using Gateway authentication, as the Gateway will use its internal TLS configuration.
  • CA (string): Custom CA certificate for the Kubernetes API server. Leave blank to use the system/public CA. Not required when using Gateway authentication, as the Gateway will use its internal TLS configuration.
  • Auth Method (string, required): Choose between Token (API) or Gateway authentication. If using Gateway, the Gateway must be deployed in your Kubernetes cluster.
  • Cluster Token (string, required): Token with permissions to create service accounts and manage RBAC (required when using Token authentication).
  • Credential Type (string, required): Choose between Static (predefined service account) or Dynamic (temporary service accounts with role assignments).
  • Service Account Name (string, required): Name of the service account to generate tokens for.
  • Namespace (string, required): Kubernetes namespace where the service account exists.
  • Audiences (array): Optional list of audiences to include in the generated token.

6. Click 'Submit'

After submitting the form, you will see a dynamic secret created in the dashboard.

Generate and Manage Tokens

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand service account tokens. To do this, click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.
When generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This dictates how long the credentials are valid for.
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
Once you click the Submit button, a new secret lease will be generated and the service account token will be shown to you.
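As an added worked example (not Infisical's own code), the following Python ties together the lease parameters above and the TTL check for a new lease: it validates a requested TTL against the configured Max TTL, builds the Kubernetes TokenRequest body that the "create service account tokens" permission in the prerequisites refers to, and decodes a constructed sample token to show that the expiry is fixed inside the JWT itself, so a lease can be deleted in Infisical but the token can only be waited out. The TTL string grammar, the assumption that tokens are issued through the TokenRequest API, the constructed token and all helper names are assumptions.

```python
import base64
import json
import re
import time

# TTL fields on the page are strings such as "30m" or "1h"; this grammar is an assumption.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ttl(ttl):
    """Convert a TTL string like "90m" or "2h" into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", ttl.strip())
    if not m:
        raise ValueError(f"unsupported TTL format: {ttl!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def token_request_body(ttl, max_ttl, audiences=None):
    """Build a TokenRequest spec for a lease, refusing TTLs above the configured Max TTL."""
    seconds, cap = parse_ttl(ttl), parse_ttl(max_ttl)
    if seconds > cap:
        raise ValueError(f"lease TTL {ttl} exceeds max TTL {max_ttl}")
    spec = {"expirationSeconds": seconds}
    if audiences:  # the optional Audiences field from the setup form
        spec["audiences"] = list(audiences)
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": spec}


def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def constructed_token(iat, exp, audiences, subject):
    """Constructed sample JWT with a placeholder signature; not a real cluster token."""
    claims = {"iat": iat, "exp": exp, "aud": audiences, "sub": subject}
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "placeholder-sig"])


def inspect_token(jwt, now=None):
    """Decode (without verifying) a service account JWT and report its fixed lifetime."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    return {
        "subject": claims.get("sub"),
        "audiences": claims.get("aud", []),
        "lifetime": claims["exp"] - claims["iat"],  # cannot be extended after issue
        "remaining": max(0, claims["exp"] - now),
        "expired": claims["exp"] <= now,
    }
```

The decode step only reads claims for auditing; signature verification is the API server's job, not this snippet's.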

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the lease details and delete the lease ahead of its expiration time.
While you can delete the lease from Infisical, the actual Kubernetes service account token cannot be revoked. The token will remain valid until its TTL expires. This is why it’s crucial to use appropriate TTL values when generating tokens.