K
Q

How to log in to Kubernetes Dashboard UI with Service Account's token

5/27/2018

I installed Kubernetes's dashboard and now I am trying to log in.
It asks for Kubeconfig or Token, I chose to use Token.

I created a new service:
kubectl create serviceaccount myservice

master@osboxes:~$ kubectl get serviceaccount myservice -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-05-27T13:09:16Z
  name: myservice
  namespace: default
  resourceVersion: "76189"
  selfLink: /api/v1/namespaces/default/serviceaccounts/myservice
  uid: 2870f525-61af-11e8-9498-000c29b3c4e0
secrets:
- name: myservice-token-p2rrt

I exported the service account's token:

master@osboxes:~$ kubectl get secret myservice-token-p2rrt -o yaml | grep token
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbTE1YzJWeWRtbGpaUzEwYjJ0bGJpMXdNbkp5ZENJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKdGVYTmxjblpwWTJVaUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lJeU9EY3daalV5TlMwMk1XRm1MVEV4WlRndE9UUTVPQzB3TURCak1qbGlNMk0wWlRBaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZaR1ZtWVhWc2REcHRlWE5sY25acFkyVWlmUS5IdkFoTDU1a0NTOXFPME5hUXVIV3NTbU5WcnlHdUZfUUJyZXRZRi1VcXNrOTFUTTlfWUx6SktsOWQxRGh6Unpzclhac2FtTF9SNE04dUVjU2g4c0lwNHV6Ul9QdDdTQ0hRQ3JiWi1KeFJwOEhDUENlcUZXMkJ0WTl5NlJ3bDBuZlRMY0l2N1Y5SDZFc1BsSy1zTmMxVTlhcFgxMmNKQ0hoOXpjLVI3RXdlZl80OGtoaHJubGkxZTB4dExXTnFaMTJCaTdZalZGZEU3OTVIZXJOYjR5XzNRMzFIcURlcERCVF9FS01Db0NZYk82MV9jM0t3eDRrMkx5R3ZqSWRFamUxNG9HQnlUSkt2QmRWMVRNb0pnNjdvWG1PbHkwV0VZUGVRaTVnNmw5dEhsRTVLZ3NlZHowV1BCel9ZUUxKMzBQYXBxUTktenhVVVpuX0UySS1vV2cyYmc=
  name: myservice-token-p2rrt
  selfLink: /api/v1/namespaces/default/secrets/myservice-token-p2rrt
type: kubernetes.io/service-account-token

Decoded it from base64:

master@osboxes:~$ echo "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbTE1YzJWeWRtbGpaUzEwYjJ0bGJpMXdNbkp5ZENJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKdGVYTmxjblpwWTJVaUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lJeU9EY3daalV5TlMwMk1XRm1MVEV4WlRndE9UUTVPQzB3TURCak1qbGlNMk0wWlRBaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZaR1ZtWVhWc2REcHRlWE5sY25acFkyVWlmUS5IdkFoTDU1a0NTOXFPME5hUXVIV3NTbU5WcnlHdUZfUUJyZXRZRi1VcXNrOTFUTTlfWUx6SktsOWQxRGh6Unpzclhac2FtTF9SNE04dUVjU2g4c0lwNHV6Ul9QdDdTQ0hRQ3JiWi1KeFJwOEhDUENlcUZXMkJ0WTl5NlJ3bDBuZlRMY0l2N1Y5SDZFc1BsSy1zTmMxVTlhcFgxMmNKQ0hoOXpjLVI3RXdlZl80OGtoaHJubGkxZTB4dExXTnFaMTJCaTdZalZGZEU3OTVIZXJOYjR5XzNRMzFIcURlcERCVF9FS01Db0NZYk82MV9jM0t3eDRrMkx5R3ZqSWRFamUxNG9HQnlUSkt2QmRWMVRNb0pnNjdvWG1PbHkwV0VZUGVRaTVnNmw5dEhsRTVLZ3NlZHowV1BCel9ZUUxKMzBQYXBxUTktenhVVVpuX0UySS1vV2cyYmc=" | base64 -d
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1wMnJydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyODcwZjUyNS02MWFmLTExZTgtOTQ5OC0wMDBjMjliM2M0ZTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.HvAhL55kCS9qO0NaQuHWsSmNVryGuF_QBretYF-Uqsk91TM9_YLzJKl9d1DhzRzsrXZsamL_R4M8uEcSh8sIp4uzR_Pt7SCHQCrbZ-JxRp8HCPCeqFW2BtY9y6Rwl0nfTLcIv7V9H6EsPlK-sNc1U9apX12cJCHh9zc-R7Ewef_48khhrnli1e0xtLWNqZ12Bi7YjVFdE795HerNb4y_3Q31HqDepDBT_EKMCoCYbO61_c3Kwx4k2LyGvjIdEje14oGByTJKvBdV1TMoJg67oXmOly0WEYPeQi5g6l9tHlE5Kgsedz0WPBz_YQLJ30PapqQ9-zxUUZn_E2I-oWg2bg

But when I entered the decoded token it failed:
enter image description here

EDIT:
Here are the logs after I attached the Pod and tried to sign in:

2018/05/27 15:58:47 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.244.0.0:58976: {}
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Outcoming response to 10.244.0.0:58976 with 200 status code
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.244.0.0:58976: {
  "kubeConfig": "",
  "password": "",
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1wMnJydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyODcwZjUyNS02MWFmLTExZTgtOTQ5OC0wMDBjMjliM2M0ZTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.HvAhL55kCS9qO0NaQuHWsSmNVryGuF_QBretYF-Uqsk91TM9_YLzJKl9d1DhzRzsrXZsamL_R4M8uEcSh8sIp4uzR_Pt7SCHQCrbZ-JxRp8HCPCeqFW2BtY9y6Rwl0nfTLcIv7V9H6EsPlK-sNc1U9apX12cJCHh9zc-R7Ewef_48khhrnli1e0xtLWNqZ12Bi7YjVFdE795HerNb4y_3Q31HqDepDBT_EKMCoCYbO61_c3Kwx4k2LyGvjIdEje14oGByTJKvBdV1TMoJg67oXmOly0WEYPeQi5g6l9tHlE5Kgsedz0WPBz_YQLJ30PapqQ9-zxUUZn_E2I-oWg2bgmaster@osboxes",
  "username": ""
}
2018/05/27 15:58:57 Non-critical error occurred during resource retrieval: the server has asked for the client to provide credentials
2018/05/27 15:58:57 [2018-05-27T15:58:57Z] Outcoming response to 10.244.0.0:58976 with 200 status code
-- E235
kubernetes
kubernetes-dashboard

Similar Questions

kubernetes: access Ingress within a Pod
Helm yaml keys from values.yaml
kops no such host in route53
requiredDuringSchedulingRequiredDuringExecution does it works?
Create Kubernetes Persistent Volume with mounted directory
Socket.io Ingress controller on Kubernetes (Can't estabilish a connection)
Is it possible to enforce a hard memory limit on pods?
kubernetes: loadbalancer service with a nodeport
Can I do ingress lab on kubeadm environment?
What is default value for allowVolumeExpansion on the default storage class in kubernetes?
What is use of using VOLUME ID while creating PV?
How often does kube-Scheduler refresh node resource data
Minio, when used with spark on EKS cluster getting access denied error
Does Helm Chart support VM
Confusion about networking.k8s.io/v1

1 Answer

5/27/2018

OK, reading the logs I can see that the token used has an error at the end:

master@osboxes

I guess that you copied the shell username by mistake.

The correct token should be just:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1wMnJydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyODcwZjUyNS02MWFmLTExZTgtOTQ5OC0wMDBjMjliM2M0ZTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.HvAhL55kCS9qO0NaQuHWsSmNVryGuF_QBretYF-Uqsk91TM9_YLzJKl9d1DhzRzsrXZsamL_R4M8uEcSh8sIp4uzR_Pt7SCHQCrbZ-JxRp8HCPCeqFW2BtY9y6Rwl0nfTLcIv7V9H6EsPlK-sNc1U9apX12cJCHh9zc-R7Ewef_48khhrnli1e0xtLWNqZ12Bi7YjVFdE795HerNb4y_3Q31HqDepDBT_EKMCoCYbO61_c3Kwx4k2LyGvjIdEje14oGByTJKvBdV1TMoJg67oXmOly0WEYPeQi5g6l9tHlE5Kgsedz0WPBz_YQLJ30PapqQ9-zxUUZn_E2I-oWg2bg
-- Ignacio Millán
Source: StackOverflow