Service Account

A service account provides an identity for processes that run in a Pod.

Terraform Name

kubernetes_service_account

Service Account

attributes:

‍metadata - (Required) Standard service account's metadata. For more info see Kubernetes reference
image_pull_secret - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see Kubernetes reference
secret - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see Kubernetes reference
automount_service_account_token - (Optional) Boolean, true to enable automatic mounting of the service account token. Defaults to true.

Nested Blocks

metadata

Arguments

annotations - (Optional) An unstructured key value map stored with the service account that may be used to store arbitrary metadata.

Note

By default, the provider ignores any annotations whose key names end with kubernetes.io. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see Kubernetes reference

generate_name - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix. For more info see Kubernetes reference
labels - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services.

Note

By default, the provider ignores any labels whose key names end with kubernetes.io. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see Kubernetes reference

name - (Optional) Name of the service account, must be unique. Cannot be updated. For more info see Kubernetes reference
namespace - (Optional) Namespace defines the space within which name of the service account must be unique.

Attributes

generation - A sequence number representing a specific generation of the desired state.
resource_version - An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. For more info see Kubernetes reference
uid - The unique in time and space value for this service account. For more info see Kubernetes reference

image_pull_secret

Arguments

name - (Optional) Name of the referent. For more info see Kubernetes reference

secret

Arguments

name - (Optional) Name of the referent. For more info see Kubernetes reference

‍

Associating resources with a

Service Account

Resources do not "belong" to a

Service Account

Rather, one or more Security Groups are associated to a resource.

Create

Service Account

via Terraform:

The following HCL creates a service account

Syntax:

resource "kubernetes_service_account" "example" {
metadata {
name = "terraform-example"
}
secret {
name = "${kubernetes_secret.example.metadata.0.name}"
}
}

Service Account

Terraform Name

Nested Blocks

metadata

Arguments

Attributes

image_pull_secret

Arguments

secret

Arguments

Costs

Indirect Cost

IAM Guide: Kubernetes on AWS

IAM best practices and troubleshooting tips for AWS EKS