Service Account Token
What is Service Account Token?
A JWT credential mounted into a Kubernetes pod that authenticates the workload to the API server and to other services trusting the cluster's identity provider.
A Kubernetes ServiceAccount represents a non-human identity used by pods. The associated token is a signed JSON Web Token automatically projected into the pod at /var/run/secrets/kubernetes.io/serviceaccount/token (TokenRequest API in modern versions) and used to call the Kubernetes API server. The token includes audience, expiration, namespace, and pod claims. Because tokens grant access via RBAC, leakage is dangerous: an attacker with a stolen token can list, modify, or destroy cluster resources scoped by the role binding. Best practice is to use bound, audience-scoped, short-lived tokens, disable automatic mounting where not required, restrict role bindings to least privilege, and federate workload identity to cloud IAM (OIDC, Workload Identity, IRSA).
● Examples
1. Pod uses its projected token with audience "sts.amazonaws.com" via IRSA to assume an AWS IAM role.
2. An attacker who escapes a container reads the SA token and pivots to the Kubernetes API.
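The definition above says a projected token carries audience, expiration, namespace and pod claims, and that the safe form is bound, audience-scoped and short-lived. The following is an added audit script (not code from the page or from any Kubernetes project) that reads the claims of a token from the projected path and reports anything that departs from that shape: a legacy Secret-based token with no expiry, a token whose audience is not the one the consumer expects (for instance the "sts.amazonaws.com" audience in example 1), an expired token, or a token not bound to a pod. It does not verify the signature; that remains the API server's or IAM provider's job. The two sample tokens, the key id, namespace, pod and UID values are all constructed for this example and are not valid credentials.

```python
import base64
import json
import time
from typing import List, Optional

# Path where the kubelet projects the token (from the definition above).
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Signature verification is the API server's (or the cloud IAM provider's) job;
    this audit only reads the claims to classify the token that was mounted.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_token(token: str, expected_audience: str,
                max_lifetime_s: int = 3600, now: Optional[float] = None) -> List[str]:
    """Return findings for a mounted token; an empty list means it is bound,
    audience-scoped and short-lived, as the best practice above requires."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings: List[str] = []

    # Legacy Secret-based tokens never expire (no 'exp'); bound tokens always carry one.
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: legacy long-lived token")
    else:
        iat = claims.get("iat", now)
        if exp - iat > max_lifetime_s:
            findings.append(f"lifetime {exp - iat:.0f}s exceeds {max_lifetime_s}s")
        if exp < now:
            findings.append("token is expired")

    # 'aud' may be a string or a list; the token must be scoped to the audience we expect.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:
        findings.append(f"audience {aud} does not include {expected_audience!r}")

    # Bound tokens carry pod and namespace claims under the 'kubernetes.io' key.
    bound = claims.get("kubernetes.io", {})
    if "pod" not in bound:
        findings.append("no kubernetes.io pod claim: token not bound to a pod")
    if "namespace" not in bound:
        findings.append("no kubernetes.io namespace claim")
    return findings


# --- Constructed sample tokens: header and payload only, with a placeholder signature
# segment, so they are NOT valid credentials. The claim layout mirrors what the kubelet
# projects; every value (key id, namespace, pod name, UIDs, timestamps) is made up.
FIXED_NOW = 1_700_000_000
_HEADER = _b64url_encode({"alg": "RS256", "kid": "example-key"})

BOUND_TOKEN = ".".join([_HEADER, _b64url_encode({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:payments:api",
    "aud": ["https://kubernetes.default.svc"],
    "iat": FIXED_NOW,
    "exp": FIXED_NOW + 3600,
    "kubernetes.io": {
        "namespace": "payments",
        "pod": {"name": "api-0", "uid": "00000000-0000-0000-0000-000000000001"},
        "serviceaccount": {"name": "api", "uid": "00000000-0000-0000-0000-000000000002"},
    },
}), "placeholder-signature"])

LEGACY_TOKEN = ".".join([_HEADER, _b64url_encode({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:payments:api",
    "kubernetes.io/serviceaccount/namespace": "payments",
    "kubernetes.io/serviceaccount/service-account.name": "api",
}), "placeholder-signature"])


def audit_mounted_token(path: str = TOKEN_PATH,
                        expected_audience: str = "https://kubernetes.default.svc") -> List[str]:
    """Audit the token actually mounted in this pod (raises if none is mounted)."""
    with open(path, encoding="utf-8") as fh:
        return audit_token(fh.read(), expected_audience)


if __name__ == "__main__":
    for name, tok in (("bound", BOUND_TOKEN), ("legacy", LEGACY_TOKEN)):
        print(name, audit_token(tok, "https://kubernetes.default.svc", now=FIXED_NOW) or ["ok"])
```

Run inside a pod, `audit_mounted_token()` reports an empty list for a modern projected token and a list of findings for a legacy Secret-backed token; the same check with `expected_audience="sts.amazonaws.com"` is what an IRSA consumer would apply before exchanging the token for AWS credentials.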
● Frequently asked questions
What is Service Account Token?
A JWT credential mounted into a Kubernetes pod that authenticates the workload to the API server and to other services trusting the cluster's identity provider. It belongs to the Cloud Security category of cybersecurity.
How do you protect Service Account Tokens?
Defences combine the technical controls and operational practices listed in the definition above: use bound, audience-scoped, short-lived tokens; disable automatic token mounting for pods that do not need API access; restrict role bindings to least privilege; and federate workload identity to cloud IAM (OIDC, Workload Identity, IRSA) rather than distributing long-lived secrets.
What are other names for Service Account Token?
Common alternative names include: ServiceAccount token, Projected SA token.
● Related terms
- Kubernetes Security (cloud-security): The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- kube-bench (cloud-security): An open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.
- Kubescape (cloud-security): An open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift.
- Workload Identity (cloud-security): A cryptographic identity assigned to a service, container, or function so it can authenticate to other systems without long-lived shared secrets.