Troubleshooting Service Account Authentication

Token invalid or expired

Commands or API calls authenticated with a Service Account token fail with:

error: The token provided is invalid or expired.

This applies to tokens created with kubectl create token for use outside the cluster. Pods running inside the cluster are not affected - they receive fresh tokens automatically on startup.

Possible causes

  • Token duration elapsed

    Tokens created with kubectl create token have a limited lifetime (the default is 1 hour; a custom duration can be set with --duration). Once the duration elapses, the token is rejected.

  • Service Account was deleted and recreated

    Tokens created via kubectl create token are bound to the Service Account’s internal identifier (UID). If the Service Account was deleted and later recreated — for example during namespace management or a restore from backup — the new Service Account receives a new UID. Any token that was generated before the deletion still references the old UID, so the API server rejects it regardless of its expiry timestamp.
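
To tell which of the two causes applies to a rejected token, decode its payload locally and compare it with the live Service Account. The script below is an added example, not part of the original page: the function names, the sample token and its UIDs are constructed for illustration, and it assumes the token carries the standard bound-token claims exp and kubernetes.io.serviceaccount.uid.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode a JWT payload. The signature is NOT verified: diagnosis only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, live_sa_uid, now=None):
    """Return the reasons (matching the causes above) the token would be rejected.

    live_sa_uid is the metadata.uid of the Service Account as it exists now.
    """
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    reasons = []
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        reasons.append("expired %d seconds ago" % int(now - exp))
    bound_uid = claims.get("kubernetes.io", {}).get("serviceaccount", {}).get("uid")
    if bound_uid is not None and bound_uid != live_sa_uid:
        reasons.append("bound to old UID %s, live UID is %s" % (bound_uid, live_sa_uid))
    return reasons


def make_sample_token(exp, uid):
    """Build a constructed, unsigned token with the claim layout of a bound token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {
        "exp": exp,
        "sub": "system:serviceaccount:ci:jenkins",  # constructed names
        "kubernetes.io": {"namespace": "ci",
                          "serviceaccount": {"name": "jenkins", "uid": uid}},
    }
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "constructed"])


if __name__ == "__main__":
    sample = make_sample_token(exp=1_700_000_000, uid="uid-old")
    for reason in diagnose(sample, live_sa_uid="uid-new", now=1_700_000_600):
        print(reason)
```

The live UID to pass in can be read with kubectl get serviceaccount <sa-name> -n <namespace> -o jsonpath='{.metadata.uid}'. An empty result means neither cause applies to that token.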

Resolution

Generate a new token for the affected Service Account:

kubectl create token <sa-name> --duration=<duration> -n <namespace>

The token is printed to stdout - copy it immediately.

Then update every external system that was using the old token.

If a consumer caches the token in memory (e.g. a running Jenkins instance), restart it or manually refresh its credentials after updating the token.