Creating service accounts and access tokens

Service accounts are required to generate the access tokens.

The access token is a Bearer token used in the http request header Authorization. (ex. Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjhMV0...)

By default, Supply Chain Security Tools - Store comes with read-write service account installed. This service account is cluster-wide.

Service accounts

You can create two types of service accounts:

  1. Read-only service account - only able to use GET API requests
  2. Read-write service account - full access to the API requests

Read-only service account

As a part of the Store installation, the metadata-store-read-only cluster role is created by default. This cluster role allows the bound user to have get access to all resources. To bind to this cluster role, run the following command:

kubectl apply -f - -o yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metadata-store-ready-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metadata-store-read-only
subjects:
- kind: ServiceAccount
  name: metadata-store-read-client
  namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metadata-store-read-client
  namespace: metadata-store
automountServiceAccountToken: false
EOF

If you do not want to bind to a cluster role, create your own read-only role in the metadata-store namespace with a service account. The following example command creates a service account named metadata-store-read-client:

kubectl apply -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metadata-store-ro
  namespace: metadata-store
rules:
- resources: ["all"]
  verbs: ["get"]
  apiGroups: [ "metadata-store/v1" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metadata-store-ro
  namespace: metadata-store
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: metadata-store-ro
subjects:
- kind: ServiceAccount
  name: metadata-store-read-client
  namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metadata-store-read-client
  namespace: metadata-store
automountServiceAccountToken: false
EOF

Read-write service account

To create a read-write service account, run the following command. The command creates a service account called metadata-store-read-write-client:

kubectl apply -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metadata-store-read-write
  namespace: metadata-store
rules:
- resources: ["all"]
  verbs: ["get", "create", "update"]
  apiGroups: [ "metadata-store/v1" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metadata-store-read-write
  namespace: metadata-store
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: metadata-store-read-write
subjects:
- kind: ServiceAccount
  name: metadata-store-read-write-client
  namespace: metadata-store
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metadata-store-read-write-client
  namespace: metadata-store
automountServiceAccountToken: false
EOF

Getting the Access Token

To retrieve the read-only access token, run the following command:

kubectl get secret $(kubectl get sa -n metadata-store metadata-store-read-client -o json | jq -r '.secrets[0].name') -n metadata-store -o json | jq -r '.data.token' | base64 -d

To retrieve the read-write access token run the following command:

kubectl get secret $(kubectl get sa -n metadata-store metadata-store-read-write-client -o json | jq -r '.secrets[0].name') -n metadata-store -o json | jq -r '.data.token' | base64 -d

The access token is a “Bearer” token used in the http request header “Authorization.” (ex. Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjhMV0...)

Setting the Access Token

When using the CLI, you’ll need to set the METADATA_STORE_ACCESS_TOKEN environment variable, or use the --access-token flag. It is not recommended to use the --access-token flag as the token will appear in your shell history.

The following command will retrieve the access token from Kubernetes and store it in METADATA_STORE_ACCESS_TOKEN where SERVICE-ACCOUNT-NAME is the name of the service account you plan to use.

export METADATA_STORE_ACCESS_TOKEN=$(kubectl get secrets -n metadata-store -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='SERVICE-ACCOUNT-NAME')].data.token}" | base64 -d)

For example:

$ export METADATA_STORE_ACCESS_TOKEN=$(kubectl get secrets -n metadata-store -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='metadata-store-read-write-client')].data.token}" | base64 -d)
check-circle-line exclamation-circle-line close-line
Scroll to top icon