# Does the call to TokenReview need a specific role? I thought it was possible to use a token without any role to perform the [TokenReview](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenreview-v1-authentication-k8s-io) call to the Kubernetes API server. But no: for the TokenReview call, the service account associated to the token used to authenticate (i.e., the `Ahtorization: Bearer token` HTTP header) must have the role `system:auth-delegator`. On the other side, the token within the TokenReview doesn't need to have any role attached. First, let us create a token with no role attached: ```shell token=$(kubectl create --raw /api/v1/namespaces/default/serviceaccounts/default/token -f- <<EOF | jq -r '.status.token' { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": { "audiences": ["https://kubernetes.default.svc.cluster.local"] } } EOF ) ``` Now, let us use the TokenReview API to check that same token: ```shell curl -sS -X POST $(kubectl config view --minify --flatten -ojson | jq '.clusters[0].cluster.server' -r)/apis/authentication.k8s.io/v1/tokenreviews \ --cacert <( kubectl config view --minify --flatten -ojson | jq '.clusters[0].cluster."certificate-authority-data"' -r | base64 -d) \ -H "Authorization: Bearer $token" \ -H "Content-Type: application/json" \ -d@- <<EOF { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": { "token": "$token", "audiences": ["https://kubernetes.default.svc.cluster.local"] } } EOF ``` gives: ```yaml { "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"tokenreviews\" in API group \"authentication.k8s.io\" at the cluster scope", "reason": "Forbidden", "details": { "group": "authentication.k8s.io", "kind": "tokenreviews" }, "code": 403 } ``` To fix that: ```shell kubectl apply -f- <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tokenreview namespace: default subjects: - kind: ServiceAccount namespace: default name: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator EOF ``` And now it works. ## Testing TokenRequest for PR ```shell kubectl run foo -n cert-manager --image=alpine/k8s:1.22.15 --restart=Never --overrides='{"spec":{"serviceAccountName": "cert-manager"}}' -q --rm -it -- bash # And then, inside the container: kubectl create --raw /api/v1/namespaces/sandbox/serviceaccounts/vault-issuer/token -f- <<EOF | jq -r '.status.token' { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": { "audiences": ["https://kubernetes.default.svc.cluster.local"], "expirationSeconds": 600 } } EOF ```
Last changed by  
Maël Valais
133

Read more

Reproducing cert-manager’s serviceAccountRef with Out-of-Cluster Vault Without Setting token_reviewer_jwt

Tested on macOS with Docker running on a VM created by limactl. It shouldalso work on macOS with Docker Desktop, but also on Linux. The reason we runVault in a container instead of locally is because it needs to be on the sameVM as the kind cluster so that cert-manager can reach Vault, and Vault canreach kube-apiserver.

2/7/2024
Why the Kubernetes Auth Isn't Appropriate when Operating a Central Vault Instance, and Why the Vault JWT Auth Makes More

Why the Kubernetes Auth Isn’t Appropriate when Operating a Central Vault Instance, and Why the Vault OIDC Auth Makes More Sense

2/7/2024
Fixing “403 Forbidden” GitHub Actions, Docker or Helm Push to GitHub Container Registry (GHCR)

The first time, the job will work.

12/15/2023
Fixing “500 Certificate in an error state. Fix any errors, and then click Retry.” Blocking Renewal In cert-manager

The problem: When enrolling a new certificate, for example by running vcert enroll or when using cert-manager, people get “stuck” with an error of the like:

10/6/2023
Read more from Maël Valais
Published on HackMD