Skip to main content

Checking the GitHub groups in your ID token

This guide explains how you can confirm that the token in your ~/.kube/config file lists the correct github groups.

Inside your ~/.kube/config file there is an id-token value. This token is the credential that the cluster uses to decide which operations you are authorised to do.

In particular, the token contains a list of the github groups you are in, and this is used to grant/block access to specific namespaces in the cluster.

The token is a JWT and you can check that the correct github groups are listed by decoding it to view the contents.

Please do not paste your ID token into an online JWT decoder. Your token is an important security credential and needs to be kept secret, just like passwords or AWS keypairs.

The easiest way to check which github groups are listed in your id-token is to use the cloud platform CLI tool. If you have the CLI installed, just run:

cloud-platform kubecfg id-token-claims

You should see a JSON output similar to this:

...
  "https://k8s.integration.dsd.io/groups": [
    "github:webops",
    "github:technical-architects",
    "github:moj-cjse"
  ],
  "nickname": "digitalronin",
  "name": "David Salgado",
...

The groups listed here must include a group specified in you namespace’s 01-rbac.yml file, in the environments repository.

If you do not see the github group corresponding to the namespace you are trying to work on, you will get:

Error from server (Forbidden)...

…when you try to run commands using kubectl.

This page was last reviewed on 11 August 2021. It needs to be reviewed again on 11 November 2021 .
This page was set to be reviewed before 11 November 2021. This might mean the content is out of date.