I'm playing around with the openshift REST api and service account with the goal to set up something to partly automate the administration of openshift via REST calls. Currently still on Openshift 3.1.
Where I got so far: I managed to create a serviceaccount, give it access and use it for REST calls. I cannot, however, make it have a list of projects.
# account exists with name robot in namespace default
$ oc describe serviceaccount robot
Name: robot
Namespace: default
Labels: <none>
...
# tried a couple of approaches for granting access:
$ oc policy add-role-to-user admin system:serviceaccounts:robot -n default
$ oc policy add-role-to-user admin robot -n default
$ oc policy add-role-to-user admin system:serviceaccounts:default:robot -n default
# get token en do REST call
$ SECRET=`oc describe serviceaccount robot | grep -i tokens | awk '{print $2}'`
$ TOKEN=`oc describe secret $SECRET | grep -i ^token | awk '{print $2}'`
$ curl -X GET -H "Authorization: Bearer $TOKEN" https://$OPENSHIFT_HOSTNAME/oapi/v1/projects --insecure
{
"kind": "ProjectList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/oapi/v1/projects"
},
"items": []
}
I don't understand wy my list of projects is still empty. I've tried adding the serviceaccount to multiple other projects, but the list stays empty.
You are very close to solving it. The user that you used for your policy needs to contain a namespace:
$ oc policy add-role-to-user admin system:serviceaccount:default:robot -n default
This is the namespace of the project in which the robot has been created. In your first oc describe serviceaccount robot the namespace default is used.
Also I see that you retrieve a secret of cloudforms service account, but I guess it is just a typo.
See also more docs about it: OpenShift Origin ServiceAccounts