ServiceAccount Tokens for API Access

How to retrieve and use ServiceAccount tokens in Cozystack.

Prerequisites

Before you begin:

  • A tenant must already exist in Cozystack. See Create a User Tenant if you haven’t created one yet.
  • Access to the tenant namespace — either via OIDC credentials or an administrative kubeconfig.
  • kubectl and jq installed and configured.

Retrieving the ServiceAccount Token

Each tenant in Cozystack has a Secret that contains a ServiceAccount token. The Secret has the same name as the tenant and is located in the tenant’s namespace.

  1. Log in to the Dashboard as a user with access to the tenant.
  2. Switch context to the target tenant if needed.
  3. On the left sidebar, navigate to the Administration → Info page and open the Secrets tab.
  4. Find the secret named tenant-<name> (e.g. tenant-team1), where the Key is token.
  5. Click the eye icon to reveal the Value field, then click the revealed data. The text will be copied to the clipboard automatically.

To retrieve the token for a tenant named <name> with kubectl instead:

kubectl -n tenant-<name> get tenantsecret tenant-<name> -o json | jq -r '.data.token | @base64d'

To store the token in a variable for subsequent commands:

export TOKEN=$(kubectl -n tenant-<name> get tenantsecret tenant-<name> -o json | jq -r '.data.token | @base64d')

Using the Token for API Access

Once you have the token, you can generate a kubeconfig for kubectl access, or use it directly with curl as shown below.

Test the Connection

First, get the API server address:

export API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

Next, extract the CA certificate to a file:

kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt

Now, test the connection:

curl --cacert ca.crt -H "Authorization: Bearer ${TOKEN}" "${API_SERVER}/api"

You can remove ca.crt after testing.
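
The kubeconfig option mentioned under "Using the Token for API Access", as an added example that is not part of the Cozystack documentation: a shell function that writes a kubeconfig from the TOKEN, API_SERVER and ca.crt values obtained above, refuses a non-HTTPS server and keeps the file readable by its owner only. The function name, the cluster label cozystack and the output path are assumptions; call it before removing ca.crt.

```shell
# Added example, not Cozystack's own tooling.
# The function name and the "cozystack" cluster label are assumptions.
# Usage: write_tenant_kubeconfig tenant-team1 "$API_SERVER" ca.crt "$TOKEN" ./team1.kubeconfig
write_tenant_kubeconfig() {
  if [ "$#" -ne 5 ]; then
    echo "usage: write_tenant_kubeconfig <namespace> <server> <ca-file> <token> <out>" >&2
    return 2
  fi
  namespace="$1"; server="$2"; ca_file="$3"; token="$4"; out="$5"

  # An empty token would produce a kubeconfig that fails later with a confusing 401.
  [ -n "$token" ] || { echo "token is empty" >&2; return 1; }
  [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 1; }

  # A bearer token sent over plain HTTP is readable by anyone on the path.
  case "$server" in
    https://*) ;;
    *) echo "refusing non-HTTPS API server: $server" >&2; return 1 ;;
  esac

  # Embed the CA so the kubeconfig does not depend on ca.crt staying on disk.
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')

  # Create the file with a restrictive umask: it contains the bearer token.
  ( umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cozystack
  cluster:
    server: "${server}"
    certificate-authority-data: ${ca_b64}
users:
- name: ${namespace}
  user:
    token: "${token}"
contexts:
- name: ${namespace}
  context:
    cluster: cozystack
    user: ${namespace}
    namespace: ${namespace}
current-context: ${namespace}
EOF
  )
  # umask does not change the mode of a file that already existed.
  chmod 600 "$out"
}
```

Point kubectl at the result with the KUBECONFIG environment variable or the --kubeconfig flag.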