How to invalidate or revoke authentication token used by kubectl

Prathap Dasari 25 Reputation points
2023-11-13T12:08:25.5566667+00:00

Hi,

I have a query regarding the az aks get-credentials command. Upon closer inspection using the -Debug flag, it seems that a Refresh Token is obtained from Azure AD and stored in the kubeconfig file. My understanding is that these tokens are valid for 14 days.

My question is twofold: Firstly, is this Refresh Token validated against Azure AD every time the kubectl command is issued? Secondly, is there a mechanism to invalidate or revoke such tokens? The scenario I'm contemplating is when a user transitions to another organization and should no longer have access to the Kubernetes cluster with the old token.

Your insights into this matter would be very valuable. I appreciate your time and assistance!


1 answer

Sort by: Most helpful
  1. vipullag-MSFT 25,441 Reputation points
    2023-11-15T04:32:47.8833333+00:00

    Hello Prathap Dasari

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    It depends on various factors like the type of Entra ID integration (legacy or AKS managed), whether the --admin flag was used, and whether you have local accounts. Usually, the cached token is used until the expiry or if the kube config is deleted.

    You could consider configuring the token lifetime using Configurable token lifetimes in the Microsoft identity platform.

    You can also configure sign-in frequency via a conditional access policy. You can apply it on the AKS server Entra app, which is global (Azure Kubernetes Service AAD Server). The refresh token will have the same lifetime, but it won't work after the user login has expired.

    Ref: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime

    Hope this helps.

    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

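The answer above says the cached token is used until it expires, so a practical first check is to see exactly what your kubeconfig holds for each user and when that access token lapses. The following is an added example written for this page, not code from the original post or from Microsoft. It reads the JSON form of a kubeconfig (what `kubectl config view --raw -o json` prints) and reports, per user, whether a refresh token is stored in the file (legacy `auth-provider: azure` integration), whether the cached access token is past its `expires-on`, and who the token was issued to. The sample kubeconfig, the user names, the tenant/client GUIDs and the JWT inside it are all constructed here and carry no real credentials; the `aud` value is the well-known Azure Kubernetes Service AAD Server application ID from the Microsoft docs, used only as sample data. The JWT is decoded without signature verification, which is fine for inspection but must never be used for an authorization decision.

```python
"""Inspect what an AKS kubeconfig has cached for each user and when it expires.

Added example, not from the original Q&A post. Input is the JSON form of a
kubeconfig (`kubectl config view --raw -o json`); the sample below is
constructed and contains no real credentials.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Inspection only: nothing here proves the token is genuine or unrevoked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_kubeconfig(config: dict, now: Optional[float] = None) -> list:
    """Summarise cached credentials for every user entry in a kubeconfig.

    Two shapes are handled:
      * legacy Entra ID integration: user.auth-provider.config carries
        access-token / refresh-token / expires-on inside the kubeconfig file;
      * AKS-managed Entra ID: user.exec runs kubelogin, which caches tokens
        outside the kubeconfig, so the file itself holds no token to report.
    """
    now = time.time() if now is None else now
    report = []
    for entry in config.get("users", []):
        user = entry.get("user", {})
        item = {"name": entry.get("name"), "mode": "unknown"}
        if "auth-provider" in user:
            provider = user["auth-provider"]
            cfg = provider.get("config", {})
            item["mode"] = "auth-provider/" + provider.get("name", "?")
            item["has_refresh_token"] = bool(cfg.get("refresh-token"))
            expires_on = cfg.get("expires-on")  # Unix timestamp as a string
            item["access_token_expired"] = (
                expires_on is not None and float(expires_on) <= now
            )
            if cfg.get("access-token"):
                claims = decode_jwt_claims(cfg["access-token"])
                item["token_audience"] = claims.get("aud")
                item["token_subject"] = claims.get("upn") or claims.get("oid")
                # Cross-check the cached expiry against the token's own exp claim.
                item["claims_exp_matches"] = (
                    expires_on is not None
                    and int(claims.get("exp", -1)) == int(float(expires_on))
                )
        elif "exec" in user:
            item["mode"] = "exec/" + user["exec"].get("command", "?")
            item["has_refresh_token"] = False  # the exec plugin caches elsewhere
        report.append(item)
    return report


def make_sample_jwt(claims: dict) -> str:
    """Build an UNSIGNED, JWT-shaped string purely for the constructed sample."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data (assumption: names and GUIDs are placeholders).
SAMPLE_EXP = 1_700_000_000
AKS_SERVER_APP_ID = "6dae42f8-4368-4678-94ff-3960e28e3630"  # AKS AAD Server app
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {   # legacy integration: tokens live in the kubeconfig itself
            "name": "clusterUser_example-rg_legacy-aks",
            "user": {"auth-provider": {"name": "azure", "config": {
                "access-token": make_sample_jwt({
                    "aud": AKS_SERVER_APP_ID,
                    "upn": "alice@example.com",
                    "exp": SAMPLE_EXP,
                }),
                "refresh-token": "constructed-refresh-token-placeholder",
                "expires-on": str(SAMPLE_EXP),
                "apiserver-id": AKS_SERVER_APP_ID,
                "client-id": "00000000-0000-0000-0000-000000000001",
                "tenant-id": "00000000-0000-0000-0000-000000000002",
            }}},
        },
        {   # AKS-managed integration: kubelogin fetches/caches the token
            "name": "clusterUser_example-rg_managed-aks",
            "user": {"exec": {
                "apiVersion": "client.authentication.k8s.io/v1beta1",
                "command": "kubelogin",
                "args": ["get-token", "--login", "azurecli",
                         "--server-id", AKS_SERVER_APP_ID],
            }},
        },
    ],
}


if __name__ == "__main__":
    print(json.dumps(inspect_kubeconfig(SAMPLE_KUBECONFIG), indent=2))
```

To run it against a real file, replace `SAMPLE_KUBECONFIG` with `json.load(open(path))` on the output of `kubectl config view --raw -o json`. A user entry reported as `exec/kubelogin` with no refresh token in the file does not mean no refresh token exists; it means the plugin keeps its cache outside the kubeconfig, so deleting the kubeconfig alone is not enough in that mode.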