Create Short-Lived Token to Authenticate External Client¶
This section describes how to use service account tokens to generate short-lived tokens and use them to authenticate external clients.
The service account token is a long-lived one, i.e., it does not expire. You
cannot use it directly for authentication because it does not have the required
audience that AuthService expects, that is
istio-ingressgateway.istio-system.svc.cluster.local. All you can do with
this token is use it to hit the Kubernetes TokenRequest API and generate a
short-lived token with the desired audience and a specific validity period.
The short-lived token will expire at most after one day. Your clients must refresh the token before it expires.
External clients use the short-lived token as a Bearer Token, that is, they make requests with the Authorization: Bearer $token header. AuthService authenticates every incoming request and sets a kubeflow-userid header that maps to the underlying service account, system:serviceaccount:SA_NAMESPACE:SA_NAME. You can restrict or allow access to specific services with:
- Istio AuthorizationPolicies
- RoleBindings for services that do SubjectAccessReview
Before you start, make sure you have:
- An existing EKF deployment.
- An exposed TokenRequest API.
- A service account token for an external client.
If you want to access a serving model you also need:
In the procedure below we explain step-by-step what the programmer should do to create a short-lived token. The snippets provided are examples in Python that can be translated to any language or CLI tool.
Specify the service account token (long-lived token):
Replace <TOKEN> with your service account token.
Decode your service account token. This is a JSON Web Token that includes service account and token info in its payload.
Decode the token to obtain further info:
Obtain the namespace, service account name and service account secret:
Specify the Kubernetes endpoint. This is the base URL where the Kubernetes API server is exposed.
Specify the validity period of the short-lived token in seconds:
This cannot be less than 10 minutes or more than one day. Your client must refresh the token before it expires.
Prepare the request.
Set the request URL. Use the Kubernetes endpoint and the token info and construct the TokenRequest API endpoint, that is
<SA>with your Kubernetes endpoint, your namespace, and your service account name, respectively.
Set the request headers. You will use the service account token as Bearer Token so that Kubernetes authorizes you to create your short-lived token.
Set the audience. AuthService expects this specific audience, otherwise it will not allow the request.
Set the request data. This is what the TokenRequest API expects as input.
- Official documentation on TokenRequestSpec.
Make the request.
Ensure that the request succeeded.
Parse the response to get the short-lived token.
Print the short-lived token.
Decode the short-lived token (JWT payload) and verify that this has the expected audience:
Specify the external URL of your service.
If you want to access a serving model, specify the external URL of a ready inference service.
In case the model supports Data Plane v1 use the list models API endpoint, that is,
/v1/models or the Readiness API endpoint, that is,
In case the model supports Prediction Protocol v2 use the server ready health API endpoint, that is,
Use the short-lived token as Bearer Token to access the service endpoint.
If the URL is not valid, you will get a 404 error because of the Istio filter chain order, that is,
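The two procedures above (creating the short-lived token via the TokenRequest API, then using it as a Bearer Token against a service) combined into one stand-alone Python script. This is an added example, not a snippet from the original page or from the EKF project. It assumes the API server base URL is supplied in an environment variable named KUBERNETES_ENDPOINT, the long-lived service account token in SA_TOKEN, an optional CA bundle path in K8S_CA_FILE and an optional service URL in SERVICE_URL (all assumed names); it uses only the standard library (urllib instead of requests), and the sample tokens embedded for offline use are constructed, unsigned JWTs.

```python
"""Create a short-lived token with the Kubernetes TokenRequest API and use it
as a Bearer Token. Added example; environment variable names are assumptions."""
import base64
import json
import os
import ssl
import urllib.request

# Audience that AuthService expects (from the page).
AUDIENCE = "istio-ingressgateway.istio-system.svc.cluster.local"
MIN_SECONDS = 10 * 60        # validity cannot be less than 10 minutes ...
MAX_SECONDS = 24 * 60 * 60   # ... or more than one day


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is not checked here:
    the API server and AuthService verify it, the client only needs claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def service_account_info(sa_token: str) -> tuple:
    """Extract (namespace, service account name, secret name) from the token."""
    claims = decode_jwt_payload(sa_token)
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"],
            claims.get("kubernetes.io/serviceaccount/secret.name"))


def validate_expiration(seconds: int) -> int:
    """Enforce the 10 minutes to 1 day window stated on the page."""
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"expirationSeconds must be in [{MIN_SECONDS}, {MAX_SECONDS}]")
    return seconds


def token_request_url(endpoint: str, namespace: str, sa_name: str) -> str:
    """The TokenRequest subresource of the service account."""
    return (f"{endpoint.rstrip('/')}/api/v1/namespaces/{namespace}"
            f"/serviceaccounts/{sa_name}/token")


def token_request_body(seconds: int) -> dict:
    """TokenRequest object: the audience AuthService expects plus the validity."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
            "spec": {"audiences": [AUDIENCE],
                     "expirationSeconds": validate_expiration(seconds)}}


def bearer_headers(token: str) -> dict:
    """Same header shape for the TokenRequest call and for the service call."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def parse_token_response(body: dict) -> str:
    """Pull the short-lived token out of the response and check its audience."""
    token = body["status"]["token"]
    aud = decode_jwt_payload(token).get("aud", [])
    if AUDIENCE not in aud:
        raise ValueError(f"short-lived token has unexpected audience {aud}")
    return token


def create_short_lived_token(endpoint, sa_token, seconds, ca_file=None) -> str:
    namespace, sa_name, _ = service_account_info(sa_token)
    req = urllib.request.Request(
        token_request_url(endpoint, namespace, sa_name),
        data=json.dumps(token_request_body(seconds)).encode(),
        headers=bearer_headers(sa_token), method="POST")
    ctx = ssl.create_default_context(cafile=ca_file)  # None: system CA store
    with urllib.request.urlopen(req, context=ctx) as resp:  # raises on 4xx/5xx
        if resp.status not in (200, 201):
            raise RuntimeError(f"TokenRequest failed with HTTP {resp.status}")
        return parse_token_response(json.load(resp))


def call_service(url: str, short_lived_token: str) -> int:
    """GET the service endpoint with the short-lived token; return HTTP status."""
    req = urllib.request.Request(url, headers=bearer_headers(short_lived_token))
    with urllib.request.urlopen(req) as resp:
        return resp.status


def _constructed_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}."


# Constructed sample values (not real tokens): a legacy SA token and a response.
SAMPLE_SA_TOKEN = _constructed_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "team-a",
    "kubernetes.io/serviceaccount/secret.name": "external-client-token-x7k2q",
    "kubernetes.io/serviceaccount/service-account.name": "external-client",
    "sub": "system:serviceaccount:team-a:external-client"})
SAMPLE_TOKEN_RESPONSE = {"status": {"token": _constructed_jwt({
    "aud": [AUDIENCE], "iat": 1700000000, "exp": 1700003600,
    "sub": "system:serviceaccount:team-a:external-client"})}}

if __name__ == "__main__":
    token = create_short_lived_token(os.environ["KUBERNETES_ENDPOINT"],
                                     os.environ["SA_TOKEN"], 3600,
                                     os.environ.get("K8S_CA_FILE"))
    print("audience:", decode_jwt_payload(token)["aud"])
    if "SERVICE_URL" in os.environ:
        print("service returned HTTP", call_service(os.environ["SERVICE_URL"], token))
```

The audience check in parse_token_response is the step that catches a misconfigured request early: a token minted for the wrong audience would only fail later, at AuthService, with a less obvious error.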