# Does the call to TokenReview need a specific role? I thought it was possible to use a token without any role to perform the [TokenReview](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenreview-v1-authentication-k8s-io) call to the Kubernetes API server. But no: for the TokenReview call, the service account associated to the token used to authenticate (i.e., the `Ahtorization: Bearer token` HTTP header) must have the role `system:auth-delegator`. On the other side, the token within the TokenReview doesn't need to have any role attached. First, let us create a token with no role attached: ```shell token=$(kubectl create --raw /api/v1/namespaces/default/serviceaccounts/default/token -f- <<EOF | jq -r '.status.token' { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": { "audiences": ["https://kubernetes.default.svc.cluster.local"] } } EOF ) ``` Now, let us use the TokenReview API to check that same token: ```shell curl -sS -X POST $(kubectl config view --minify --flatten -ojson | jq '.clusters[0].cluster.server' -r)/apis/authentication.k8s.io/v1/tokenreviews \ --cacert <( kubectl config view --minify --flatten -ojson | jq '.clusters[0].cluster."certificate-authority-data"' -r | base64 -d) \ -H "Authorization: Bearer $token" \ -H "Content-Type: application/json" \ -d@- <<EOF { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": { "token": "$token", "audiences": ["https://kubernetes.default.svc.cluster.local"] } } EOF ``` gives: ```yaml { "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"tokenreviews\" in API group \"authentication.k8s.io\" at the cluster scope", "reason": "Forbidden", "details": { "group": "authentication.k8s.io", "kind": "tokenreviews" }, "code": 403 } ``` To fix that: ```shell kubectl apply -f- <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tokenreview namespace: default subjects: - kind: ServiceAccount namespace: default name: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator EOF ``` And now it works. ## Testing TokenRequest for PR ```shell kubectl run foo -n cert-manager --image=alpine/k8s:1.22.15 --restart=Never --overrides='{"spec":{"serviceAccountName": "cert-manager"}}' -q --rm -it -- bash # And then, inside the container: kubectl create --raw /api/v1/namespaces/sandbox/serviceaccounts/vault-issuer/token -f- <<EOF | jq -r '.status.token' { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": { "audiences": ["https://kubernetes.default.svc.cluster.local"], "expirationSeconds": 600 } } EOF ```