Authentication with Kubernetes Service Accounts

This guide describes how AuthService performs authentication with Kubernetes Service Accounts.


This guide uses Client rather than User as the actor in the Step-by-Step Analysis. AuthService can authenticate both users and their programmatic clients based on their service accounts. A programmatic client is an application of the user that can make distinct requests, so AuthService must authenticate the programmatic client that made the request.

Here’s what you’ll need so that you can authenticate with a service account:

  • An Arrikto EKF deployment integrated with an external Identity Provider.
  • An existing user account for this Identity Provider.
  • The user must have logged in with OIDC (Login with OIDC). AuthService has created and given a cookie to the client.
  • Kubeflow Reception must have created an account for this user (Account Creation).
  • The client must have an access token in the Authorization header of their request.

Step-by-Step Analysis

Here is a step-by-step description of how AuthService performs authentication with Kubernetes service accounts.

  1. Client: Make a request with the access token in the Authorization header.
  2. Istio Gateway: Forward the request to AuthService.
  3. AuthService: Retrieve the access token of the client from the Authorization header.


If the AuthService caching mechanism is enabled and the retrieved Bearer token exists in the cache, then AuthService will skip both Step 4 and Step 5 (see the respective dotted arrows in the above diagram). You can find out more on how to enable the AuthService caching mechanism in the Enable AuthService Caching Mechanism guide.

  4. AuthService: Send a request to the Kubernetes API Server Token Review endpoint to authenticate the access token for the given audience.
  5. Kubernetes: Check if the access token is valid and respond with the userID, the groups, and the audiences of this client.
  6. AuthService: Respond to Istio Gateway that the client was successfully authenticated (HTTP 200 status) and set the UserID header for the client.
  7. Istio Gateway: Forward the request to Kubeflow with the UserID header.
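
The Token Review exchange (the request AuthService sends and the response Kubernetes returns) as an added Go example, not AuthService's own code: it builds the TokenReview request body and validates the response, rejecting an authenticated token whose returned audiences do not include the one requested. The audience `example-audience`, the service account name and the sample response are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// reviewStatus is the part of a TokenReview response used here (the reply from Kubernetes).
type reviewStatus struct {
	Status struct {
		Authenticated bool     `json:"authenticated"`
		Audiences     []string `json:"audiences"`
		Error         string   `json:"error"`
		User          struct {
			Username string   `json:"username"`
			Groups   []string `json:"groups"`
		} `json:"user"`
	} `json:"status"`
}

// newReview builds the request body, POSTed to /apis/authentication.k8s.io/v1/tokenreviews.
func newReview(token, audience string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
		"spec": map[string]interface{}{"token": token, "audiences": []string{audience}},
	})
}

// checkReview validates the response and returns the user ID and groups.
func checkReview(resp []byte, audience string) (string, []string, error) {
	var r reviewStatus
	if err := json.Unmarshal(resp, &r); err != nil {
		return "", nil, err
	}
	if !r.Status.Authenticated {
		return "", nil, fmt.Errorf("token rejected: %s", r.Status.Error)
	}
	for _, got := range r.Status.Audiences {
		if got == audience { // our audience must be among those the token is valid for
			return r.Status.User.Username, r.Status.User.Groups, nil
		}
	}
	return "", nil, fmt.Errorf("token not valid for audience %q", audience)
}

func main() {
	// Constructed sample response, not captured from a real cluster.
	sample := `{"status":{"authenticated":true,"audiences":["example-audience"],"user":{"username":"system:serviceaccount:demo-ns:demo-sa","groups":["system:serviceaccounts"]}}}`
	fmt.Println(checkReview([]byte(sample), "example-audience"))
}
```

An authenticated response with an empty `status.audiences` is rejected here, since it means the token was validated against the API server's own audience rather than the requested one.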

In this guide you gained insight into how AuthService performs authentication with Kubernetes service accounts.

What’s Next

The next guide presents how the AuthService performs authentication with OpenID Connect when the client makes a request with a cookie.