terraform keeps overwriting token for kubernetes provider

We're trying to run terraform apply with the following kubernetes provider setting in our terraform file:

data "google_client_config" "current" {}

data "google_container_cluster" "onboarding_cluster" {
  name     = var.cluster_name
  location = var.cluster_location
}

provider "kubernetes" {
  load_config_file       = false
  host                   = data.google_container_cluster.onboarding_cluster.endpoint
  cluster_ca_certificate = base64decode(data.google_container_cluster.onboarding_cluster.master_auth[0].cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
}

resource "kubernetes_service_account" "service_account" {
  metadata {
    name      = var.kubernetes_service_account_name
    namespace = var.kubernetes_service_account_namespace
  }
}

But we're getting the following error:

Error: Unauthorized

  on line 85, in resource "kubernetes_service_account" "service_account":
  85: resource "kubernetes_service_account" "service_account" {

After setting TF_LOG to DEBUG we see the following request being made to create the kubernetes service account:

---[ REQUEST ]---------------------------------------
POST /api/v1/namespaces/default/serviceaccounts HTTP/1.1
Authorization: Bearer <SOME_KUBERNETES_JWT>

The auth bearer token is being overwritten even when we hardcode the token in our provider! For example:

provider "kubernetes" {
  load_config_file       = false
  host                   = data.google_container_cluster.onboarding_cluster.endpoint
  cluster_ca_certificate = base64decode(data.google_container_cluster.onboarding_cluster.master_auth[0].cluster_ca_certificate)
  token                  = "some.hardcoded.token"
}

Even with the above, the token will remain the same in the HTTP request.

We've found that the token that's being sent in the auth header is found on the terraform container at /run/secrets/

Is there any reason terraform would overwrite this token with a token generated by kubernetes? Are there any other settings we could attempt?
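To tell which credential a request in the TF_LOG=DEBUG dump actually carried (the token the provider block configured, or a Kubernetes service-account JWT of the kind the pod mounts under /run/secrets/), here is an added Python diagnostic; it is not code from the question or from the provider. The log excerpt and the unsigned JWT inside it are constructed samples, and the claim names checked are the standard ones a Kubernetes service-account token carries.

```python
import base64
import json
import re

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_sa_jwt() -> str:
    # Constructed, unsigned stand-in for the token a pod mounts under /run/secrets/;
    # only the payload claims matter for the check below.
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": "kubernetes/serviceaccount",
                                 "sub": "system:serviceaccount:default:default"}).encode())
    return f"{header}.{payload}."

# Constructed excerpt in the shape of the TF_LOG=DEBUG request dump from the question.
SAMPLE_LOG = ("---[ REQUEST ]---------------------------------------\n"
              "POST /api/v1/namespaces/default/serviceaccounts HTTP/1.1\n"
              f"Authorization: Bearer {make_sample_sa_jwt()}\n")

def decode_jwt_payload(token: str):
    """Payload claims of a JWT-shaped token, else None. The signature is deliberately
    not verified: this inspects a log, it does not authenticate anything."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None

def classify_token(token: str) -> str:
    """'in-cluster-sa' for a Kubernetes service-account JWT, 'other-jwt', or 'opaque'
    (a GCP OAuth2 access token from google_client_config is not a JWT)."""
    claims = decode_jwt_payload(token)
    if claims is None:
        return "opaque"
    if claims.get("iss") == "kubernetes/serviceaccount" or \
            str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        return "in-cluster-sa"
    return "other-jwt"

def check_log(log_text: str, configured_token: str) -> list:
    """Per Authorization header: is it the token the provider block configured, and what is it?"""
    report = []
    for tok in re.findall(r"^Authorization: Bearer (\S+)", log_text, re.MULTILINE):
        report.append({"matches_configured": tok == configured_token,
                       "kind": classify_token(tok),
                       "subject": (decode_jwt_payload(tok) or {}).get("sub")})
    return report
```

Run it against a real debug log by reading the file into check_log with the token value you set in the provider block; a report entry with kind "in-cluster-sa" and matches_configured False is the symptom described above.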


  • This is an issue with the kubernetes provider. Github issue here:

    To fix, set your provider version to 1.9, like so:

    provider "kubernetes" {
      version                = "1.9"
      cluster_ca_certificate = base64decode(data.google_container_cluster.this.master_auth[0].cluster_ca_certificate)
      host                   = data.google_container_cluster.this.endpoint
      token                  = data.external.get_token.result["token"]
      load_config_file       = false
    }