Add docs for bound service account token trigger authentication

Signed-off-by: Max Cao <macao@redhat.com>
kedacore · Nov 30, 2024 · e19e46b · e19e46b
1 parent f12f165
commit e19e46b
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/content/docs/2.17/authentication-providers/bound-service-account-token.md b/content/docs/2.17/authentication-providers/bound-service-account-token.md
@@ -0,0 +1,14 @@
++++
+title = "Bound service account token"
++++
+
+You can pull a service account token into the trigger by defining the `serviceAccountName` of the Kubernetes ServiceAccount and token `expiry` duration.
+
+```yaml
+boundServiceAccountToken:                        # Optional.
+  - parameter: connectionString                  # Required - Defined by the scale trigger
+    serviceAccountName: my-keda-service-account  # Required.
+    expiry: 1h                                   # Required.
+```
+
+**Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise.
diff --git a/content/docs/2.17/concepts/authentication.md b/content/docs/2.17/concepts/authentication.md
@@ -240,6 +240,19 @@ secretTargetRef:                          # Optional.
 
 **Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise.
 
+### Bound service account token
+
+You can pull a service account token into the trigger by defining the `serviceAccountName` of the Kubernetes ServiceAccount and token `expiry` duration.
+
+```yaml
+boundServiceAccountToken:                        # Optional.
+  - parameter: connectionString                  # Required - Defined by the scale trigger
+    serviceAccountName: my-keda-service-account  # Required.
+    expiry: 1h                                   # Required.
+```
+
+**Assumptions:** `namespace` is in the same resource as referenced by `scaleTargetRef.name` in the ScaledObject, unless specified otherwise.
+
 ### Hashicorp Vault secret(s)
 
 You can pull one or more Hashicorp Vault secrets into the trigger by defining the authentication metadata such as Vault `address` and the `authentication` method (token | kubernetes). If you choose kubernetes auth method you should provide `role` and `mount` as well.
@@ -425,4 +438,4 @@ You can tell KEDA to use EKS Pod Identity Webhook via `podIdentity.provider`.
 ```yaml
 podIdentity:
   provider: aws-eks # Optional. Default: none
-```
+```