Checking the GitHub groups in your ID token
This guide explains how you can confirm that the token in your ~/.kube/config
file lists the correct GitHub groups.
Inside your ~/.kube/config file there is an id-token value. This token is
the credential that the cluster uses to decide which operations you are
authorised to do.
In particular, the token contains a list of the GitHub groups you are in, and this is used to grant/block access to specific namespaces in the cluster.
The token is a JWT and you can check that the correct GitHub groups are listed by decoding it to view the contents.
Please do not paste your ID token into an online JWT decoder. Your token is an important security credential and needs to be kept secret, just like passwords or AWS keypairs.
The easiest way to check which GitHub groups are listed in your id-token is to use the cloud platform CLI tool. If you have the CLI installed, just run:
cloud-platform kubecfg id-token-claims
You should see a JSON output similar to this:
...
"https://k8s.integration.dsd.io/groups": [
"github:webops",
"github:technical-architects",
"github:moj-cjse"
],
"nickname": "digitalronin",
"name": "David Salgado",
...
The groups listed here must include a group specified in you namespace’s
01-rbac.yml file, in the environments repository.
If you do not see the GitHub group corresponding to the namespace you are trying to work on, you will get:
Error from server (Forbidden)...
…when you try to run commands using kubectl.