One token is the one generated to mount into pods that run as the service
account.

The other is the one wrapped into a dockercfg secret used as a credential
against the internal docker registry.


On Thu, Dec 1, 2016 at 3:56 PM, Srinivas Naga Kotaru (skotaru) <
skot...@cisco.com> wrote:

> Thanks, it is working.  Able to login using service account token
>
>
>
> # oc get sa
>
> # oc get secrets
>
> #  oc get  secret  cae-ops-token-5vrkf  --template='{{.data.token}}'
>
>
>
> decode base64 token
>
>
>
> # oc login –token=<decoded token>
>
>
>
> *Qeustion:*
>
>
>
> I can see 2 secrets for each service accont and both are valied to login.
> Any idea why 2 ?
>
>
>
> # oc get secrets
>
>
>
> cae-ops-token-5vrkf        kubernetes.io/service-account-token
> 3         35m
>
> cae-ops-token-jdhez        kubernetes.io/service-account-token
> 3         35m
>
>
>
> --
>
> *Srinivas Kotaru*
>
>
>
> *From: *Jordan Liggitt <jligg...@redhat.com>
> *Date: *Thursday, December 1, 2016 at 12:26 PM
>
> *To: *Srinivas Naga Kotaru <skot...@cisco.com>
> *Cc: *dev <dev@lists.openshift.redhat.com>
> *Subject: *Re: cluster wide service acount
>
>
>
> If you have the service account's token, you can use it from the command
> line like this:
>
> oc login --token=...
>
>
>
> The web console does not provide a way to log in with a service account
> token.
>
>
>
> On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) <
> skot...@cisco.com> wrote:
>
> Jordan
>
>
>
> That helps. Thanks for quick help.
>
>
>
> Can we use this sa account to login into console and OC clinet? If yes
> how? I knew SA account only has non expired token but no password
>
>
>
>
>
> --
>
> *Srinivas Kotaru*
>
>
>
> *From: *Jordan Liggitt <jligg...@redhat.com>
> *Date: *Thursday, December 1, 2016 at 12:04 PM
> *To: *Srinivas Naga Kotaru <skot...@cisco.com>
> *Cc: *dev <dev@lists.openshift.redhat.com>
> *Subject: *Re: cluster wide service acount
>
>
>
> Service accounts exist within a namespace but can be granted permissions
> across the entire cluster, just like any other user. For example:
>
> oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:
> openshift-infra:monitor-service-account
>
>
>
> On Thu, Dec 1, 2016 at 3:02 PM, Srinivas Naga Kotaru (skotaru) <
> skot...@cisco.com> wrote:
>
> I knew we can create a service account per project and can be used as a
> password less API work and automations activities. Can we create a service
> account at cluster level and can be used for platform operations
> (monitoring, automation, shared account for operation teams)?
>
>
>
> Intention is to have expiry free tokens.
>
>
>
> --
>
> *Srinivas Kotaru*
>
>
> _______________________________________________
> dev mailing list
> dev@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>
>
>
>
>
_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Reply via email to