Kubernetes Auth

1.1. Start by creating a service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: infisical-auth
  namespace: default

kubectl apply -f infisical-service-account.yaml

1.2. Bind the service account to the system:auth-delegator cluster role. As described here, this role allows delegated authentication and authorization checks, specifically for Infisical to access the TokenReview API. You can apply the following configuration file:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: infisical-auth
    namespace: default

kubectl apply -f cluster-role-binding.yaml

1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new Secret resource:

apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: infisical-auth-token
  annotations:
    kubernetes.io/service-account.name: "infisical-auth"

kubectl apply -f service-account-token.yaml

1.4. Link the secret in step 1.3 to the service account in step 1.1:

kubectl patch serviceaccount infisical-auth -p '{"secrets": [{"name": "infisical-auth-token"}]}' -n default

1.5. Finally, retrieve the token reviewer JWT token from the secret.

kubectl get secret infisical-auth-token -n default -o=jsonpath='{.data.token}' | base64 --decode

Keep this JWT token handy as you will need it for the Token Reviewer JWT field when configuring the Kubernetes Auth authentication method for the identity in step 2.

To create an identity, head to your Organization Settings > Access Control > Machine Identities and press Create identity.

When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.

Now input a few details for your new identity. Here’s some guidance for each field:

• Name (required): A friendly name for the identity.
• Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.

Once you’ve created an identity, you’ll be redirected to a page where you can manage the identity.

Since the identity has been configured with Universal Auth by default, you should re-configure it to use Kubernetes Auth instead. To do this, press to edit the Authentication section, remove the existing Universal Auth configuration, and add a new Kubernetes Auth configuration onto the identity.

Here’s some more guidance on each field:

• Kubernetes Host / Base Kubernetes API URL: The host string, host:port pair, or URL to the base of the Kubernetes API server. This can usually be obtained by running kubectl cluster-info.
• Token Reviewer JWT: A long-lived service account JWT token for Infisical to access the TokenReview API to validate other service account JWT tokens submitted by applications/pods. This is the JWT token obtained from step 1.5.
• Allowed Service Account Names: A comma-separated list of trusted service account names that are allowed to authenticate with Infisical.
• Allowed Namespaces: A comma-separated list of trusted namespaces that service accounts must belong to authenticate with Infisical.
• Allowed Audience: An optional audience claim that the service account JWT token must have to authenticate with Infisical.
• CA Certificate: The PEM-encoded CA cert for the Kubernetes API server. This is used by the TLS client for secure communication with the Kubernetes API server.
• Access Token TTL (default is 2592000 equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
• Access Token Max TTL (default is 2592000 equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
• Access Token Max Number of Uses (default is 0): The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.
• Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the 0.0.0.0/0, allowing usage from any network address.

To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.

To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press Add identity.

Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.

To access the Infisical API as the identity, you should first make sure that the pod running your application is bound to a service account specified in the Allowed Service Account Names field of the identity’s Kubernetes Auth authentication method configuration in step 2.

Once bound, the pod will receive automatically mounted service account credentials that is a JWT token at the /var/run/secrets/kubernetes.io/serviceaccount/token path. This token should be used to authenticate with Infisical at the /api/v1/auth/kubernetes-auth/login endpoint.

For information on how to configure sevice accounts for pods, refer to the guide here.

We provide a code example below of how you might retrieve the JWT token and use it to authenticate with Infisical to gain access to the Infisical API.

const fs = require("fs");
try {
    const tokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token";
    const jwtToken = fs.readFileSync(tokenPath, "utf8");

    const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
    const identityId = "<your-identity-id>";

    const { data } = await axios.post(
        `{infisicalUrl}/api/v1/auth/kubernetes-auth/login`,
        {
            identityId,
            jwt,
        }
    );

    console.log("result data: ", data); // access token here
} catch(err) {
    console.error(err);
}