⚠️ Disclaimer
This article assumes you're already somewhat familiar with Kubernetes concepts (Pods, ServiceAccounts) and the basics of JSON Web Tokens (JWTs).
It was a Tuesday.
Nothing special - just your average day as a platform engineer. My team's notifications were mercifully quiet, and I thought, "Perfect, I can finally clean up that old Helm chart that's been bothering me."
I opened the repo of the underlying image written in Go to double-check the config before merging. As I scrolled through the config file, something caught my eye:
log.Println("SA Token:", token)
Wait. What?
A debug statement. Still in production code. Logging an actual Kubernetes ServiceAccount token. Not cool...
I paused. My heart rate didn't. Curious but mostly horrified, I grabbed the token and decoded the payload in my shell:
{
"iss": "https://kubernetes.default.svc.cluster.local",
"kubernetes.io/serviceaccount/namespace": "payments",
"kubernetes.io/serviceaccount/secret.name": "payments-token-6gh49",
"kubernetes.io/serviceaccount/service-account.name": "payments-sa",
"kubernetes.io/serviceaccount/service-account.uid": "f9a2c144-11b3-4eb0-9f30-3c2a5063e2e7",
"aud": "https://kubernetes.default.svc.cluster.local",
"sub": "system:serviceaccount:payments:payments-sa",
"exp": 1788201600, // Sat, 01 Aug 2026 00:00:00 GMT
"iat": 1756665600 // Fri, 01 Aug 2025 00:00:00 GMT
}Default audience claim. A 1-year expiry.
This "bad boy" wasn't just a dev leftover - it was a high-privilege token with zero constraints floating around in plaintext logs!
What This Article Covers
In this post, I'll guide you through:
- The inner workings of Vault authentication with JWT and Kubernetes methods
- What Kubernetes ServiceAccounts and their tokens are, and how they’re (mis)used
- How projected ServiceAccount tokens fix many of the hidden dangers of older token behavior
- Why you should start adopting token projection and Vault integration today
We'll cover real-world use cases, implementation tips, and common pitfalls - so you don't end up like I did, staring at a:
log.Println("SA token:", token)...and wondering how close you just came to a security incident.
Why This Matters
To really understand why that log statement gave me chills, we need to unpack a few core concepts:
- What is a JWT?
- How do Kubernetes ServiceAccounts and their tokens work?
- And what role do these tokens play in authenticating to systems like Vault?
Let's start with the fundamentals.
What Is a JWT?
If you've been around authentication systems long enough, you've probably seen one of these beasts:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...This is a JSON Web Token (short: JWT).
It's a compact, URL-safe format for representing claims between two parties. They're used everywhere: web apps, APIs, and yes — inside your Kubernetes cluster.
A JWT consists of three parts:
- Header – declares the algorithm used to sign the token (e.g. RS256)
- Payload – contains the claims (who you are, what you're allowed to do, etc.)
- Signature – a cryptographic seal that verifies the payload hasn't been tampered with
Claims are the heart of a JWT — key-value pairs that describe who the token refers to and what it can be used for.
They can be:
- Standard claims defined by the spec (e.g.,
iss,sub,exp,aud) - Custom claims added by the issuer for domain-specific needs
Closer Look at aud
The audience (aud) claim tells who the token is meant for. Think of it as the intended recipient.
Example: Imagine a Coldplay concert ticket. It says valid for Stadium X on 01-09-2025. You can't take the same ticket and use it at Stadium Y — they'll reject it (...trust me, I tried).
A JWT works the same way:
- If the token has
"aud": "https://kubernetes.default.svc", then only the Kubernetes API server should accept it. - If some other service receives that token, the
audwon't match and the token must be rejected.
Without this check, a token could be misused anywhere that trusts the signing key. With aud, it's scoped to the right system.
Kubernetes and ServiceAccounts
Kubernetes is an open-source platform that orchestrates containers at scale. At its heart is the Pod — the smallest deployable unit.
But every pod needs an identity. That's where ServiceAccounts come in.
ServiceAccounts 101
- Every Pod references a ServiceAccount (default if none is set), but a token is only mounted if enabled
- Kubernetes mounts the identity at:
/var/run/secrets/kubernetes.io/serviceaccount/token- That token is a JWT, signed by the Kubernetes control plane
- It lets the pod authenticate with the API server — and sometimes even external systems like Vault
The Catch
Until recently, these tokens came with dangerous defaults:
- Long-lived (often valid for a year)
- Previous to Kubernetes v1.24, there was no default audience set (https://kubernetes.default.svc)
- Automatically mounted into every pod, even if unused
Enter Vault: The Gatekeeper of Secrets
HashiCorp Vault is your cluster’s paranoid librarian:
it stores API keys, certs, passwords — and only hands them out when it's sure you should have them.
How? Authentication methods.
Vault Authentication Methods
- Username & password
- AppRole
- LDAP
- Kubernetes
- JWT
Let's zoom into the last two.
Kubernetes Auth Method
- Pod sends its mounted ServiceAccount token to Vault
- Vault validates it against the Kubernetes API
- If valid, Vault maps it to a policy
This is simple and works well when Vault runs inside the cluster.
JWT Auth Method
- Vault verifies the JWT itself (signature, claims, expiration)
- No need for Kubernetes API access
- More portable
Rule of thumb:
- Use Kubernetes if Vault runs inside your cluster and simplicity matters
- Use JWT if you want portability, stronger boundaries, and flexibility
Projected Tokens: Because It's 2025
Old tokens were static and long-lived. Projected tokens fix this mess.
Instead of mounting a one-year token into every pod, Kubernetes can now generate short-lived, audience-bound tokens on demand.
What You Get
- Short TTL (e.g. 10 minutes)
- Audience restrictions (
aud: vault) - Automatic rotation by
kubelet - No automatic mounting into pods
Example Pod with Projected Token
apiVersion: v1
kind: Pod
metadata:
name: projected-token-test-pod
namespace: demo
spec:
serviceAccountName: projected-auth-sa
containers:
- name: projected-auth-test
image: demo/vault-curl:latest
command: ["sleep", "3600"]
volumeMounts:
- name: token
mountPath: /var/run/secrets/projected
readOnly: true
volumes:
- name: token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600
audience: vaultWhy Vault Loves This
Vault's JWT auth method is tailor-made for projected tokens:
- It parses and verifies the JWT signature (via a configured PEM key or JWKS endpoint)
- Validates all claims (
aud,sub,exp,iss) locally - Issues secrets only if every check passes
Minimal dependencies. Strong claim validation. Secure, verifiable checks.
Back to the Log
Imagine you stumble upon this in a Go app:
log.Println("Auth Token:", token)- Old world: a one-year, cluster-wide token with no audience. A time bomb.
- New world: a 10-minute token, scoped to Vault, rotating automatically.
It's still bad to log tokens — but at least it's not catastrophic.
Try It Yourself: Vault + K8s AuthN Lab
I've built a hands-on demo repo where you can test this locally with KIND (Kubernetes in Docker) and Vault Helm charts:
👉 GitHub: VincentvonBueren/erfa-projected-sa-token
What's Inside
- KIND cluster with Vault
- Both Kubernetes and JWT auth methods enabled
- Vault policies and roles
- Four demo pods:
- Kubernetes auth method
- JWT with static token
- JWT with projected token
- JWT with wrong audience (failure demo)
Final Drop 🎤
If your pods still run with default, long-lived tokens:
you’re one debug log away from giving away the keys to your cluster.
Projected tokens aren't optional. They're essential.
Adopt them today — and stop shipping security disasters.
