
added akeyless k8s auth option (#1531)

* added akeyless k8s auth option

Signed-off-by: Docs <renana@akeyless.io>
renanaAkeyless 3 years ago
parent
commit
ed59520674

+ 33 - 0
apis/externalsecrets/v1alpha1/secretstore_akeyless_types.go

@@ -29,7 +29,16 @@ type AkeylessProvider struct {
 }
 
 type AkeylessAuth struct {
+
+	// Reference to a Secret that contains the details
+	// to authenticate with Akeyless.
+	// +optional
 	SecretRef AkeylessAuthSecretRef `json:"secretRef"`
+
+	// Kubernetes authenticates with Akeyless by passing the ServiceAccount
+	// token stored in the named Secret resource.
+	// +optional
+	KubernetesAuth *AkeylessKubernetesAuth `json:"kubernetesAuth,omitempty"`
 }
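Review bot: Once `SecretRef` is `+optional` and `KubernetesAuth` is a nil-able pointer, nothing in `AkeylessAuth` states or enforces that at least one of the two is set, and the generated CRDs in this commit drop `required: - secretRef`, so an empty `auth` block now passes admission and only fails at reconcile time. `SecretRef` also keeps `json:"secretRef"` without `omitempty` on a non-pointer struct, so an all-empty selector is always serialized even when `kubernetesAuth` is the intended method. The comment on `KubernetesAuth` mentions only "the named Secret resource", while `AkeylessKubernetesAuth` in the next hunk also accepts a `serviceAccountRef` and, per its own field comment, falls back to the token bound to the controller. Suggest a type comment such as `// AkeylessAuth selects the credential the operator presents to Akeyless: set secretRef for static access-type credentials or kubernetesAuth for the Kubernetes auth method; at least one must be set (precedence when both are set is defined by the provider — TODO confirm)`, ideally backed by a `+kubebuilder:validation` rule or a webhook check. The v1beta1 copy of this hunk has the same gaps.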
 
 // AkeylessAuthSecretRef
@@ -40,3 +49,27 @@ type AkeylessAuthSecretRef struct {
 	AccessType      esmeta.SecretKeySelector `json:"accessType,omitempty"`
 	AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
 }
+
+// Authenticate with Kubernetes ServiceAccount token stored.
+type AkeylessKubernetesAuth struct {
+
+	// the Akeyless Kubernetes auth-method access-id
+	AccessID string `json:"accessID"`
+
+	// Kubernetes-auth configuration name in Akeyless-Gateway
+	K8sConfName string `json:"k8sConfName"`
+
+	// Optional service account field containing the name of a kubernetes ServiceAccount.
+	// If the service account is specified, the service account secret token JWT will be used
+	// for authenticating with Akeyless. If the service account selector is not supplied,
+	// the secretRef will be used instead.
+	// +optional
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+
+	// Optional secret field containing a Kubernetes ServiceAccount JWT used
+	// for authenticating with Akeyless. If a name is specified without a key,
+	// `token` is the default. If one is not specified, the one bound to
+	// the controller will be used.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
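Review bot: The exported type comment `// Authenticate with Kubernetes ServiceAccount token stored.` is a sentence fragment and does not start with the type name; suggest `// AkeylessKubernetesAuth configures the Akeyless Kubernetes auth method: the operator presents a ServiceAccount JWT (from serviceAccountRef, from secretRef, or otherwise the controller's own bound token) to the gateway's k8sConfName configuration under the given accessID.` The `SecretRef` comment's fallback "the one bound to the controller will be used" is a security-relevant default worth stating more prominently at the type level: a store that omits both `serviceAccountRef` and `secretRef` authenticates to Akeyless as the operator's own identity, which on a cluster-scoped store means any namespace permitted to reference that store inherits that identity's access. The field docs should also say explicitly which reference wins when both are set — `ServiceAccountRef` implies it takes precedence, but `SecretRef`'s comment does not say so. The same fragment and omissions appear in the v1beta1 copy of this hunk.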

+ 30 - 0
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -107,6 +107,11 @@ func (in *AWSProvider) DeepCopy() *AWSProvider {
 func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
 	*out = *in
 	in.SecretRef.DeepCopyInto(&out.SecretRef)
+	if in.KubernetesAuth != nil {
+		in, out := &in.KubernetesAuth, &out.KubernetesAuth
+		*out = new(AkeylessKubernetesAuth)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
@@ -138,6 +143,31 @@ func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessKubernetesAuth) DeepCopyInto(out *AkeylessKubernetesAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(metav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessKubernetesAuth.
+func (in *AkeylessKubernetesAuth) DeepCopy() *AkeylessKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
 	*out = *in
 	if in.AkeylessGWApiURL != nil {

+ 33 - 0
apis/externalsecrets/v1beta1/secretstore_akeyless_types.go

@@ -29,7 +29,16 @@ type AkeylessProvider struct {
 }
 
 type AkeylessAuth struct {
+
+	// Reference to a Secret that contains the details
+	// to authenticate with Akeyless.
+	// +optional
 	SecretRef AkeylessAuthSecretRef `json:"secretRef"`
+
+	// Kubernetes authenticates with Akeyless by passing the ServiceAccount
+	// token stored in the named Secret resource.
+	// +optional
+	KubernetesAuth *AkeylessKubernetesAuth `json:"kubernetesAuth,omitempty"`
 }
 
 // AkeylessAuthSecretRef
@@ -40,3 +49,27 @@ type AkeylessAuthSecretRef struct {
 	AccessType      esmeta.SecretKeySelector `json:"accessType,omitempty"`
 	AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
 }
+
+// Authenticate with Kubernetes ServiceAccount token stored.
+type AkeylessKubernetesAuth struct {
+
+	// the Akeyless Kubernetes auth-method access-id
+	AccessID string `json:"accessID"`
+
+	// Kubernetes-auth configuration name in Akeyless-Gateway
+	K8sConfName string `json:"k8sConfName"`
+
+	// Optional service account field containing the name of a kubernetes ServiceAccount.
+	// If the service account is specified, the service account secret token JWT will be used
+	// for authenticating with Akeyless. If the service account selector is not supplied,
+	// the secretRef will be used instead.
+	// +optional
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+
+	// Optional secret field containing a Kubernetes ServiceAccount JWT used
+	// for authenticating with Akeyless. If a name is specified without a key,
+	// `token` is the default. If one is not specified, the one bound to
+	// the controller will be used.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}

+ 30 - 0
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -107,6 +107,11 @@ func (in *AWSProvider) DeepCopy() *AWSProvider {
 func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
 	*out = *in
 	in.SecretRef.DeepCopyInto(&out.SecretRef)
+	if in.KubernetesAuth != nil {
+		in, out := &in.KubernetesAuth, &out.KubernetesAuth
+		*out = new(AkeylessKubernetesAuth)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
@@ -138,6 +143,31 @@ func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessKubernetesAuth) DeepCopyInto(out *AkeylessKubernetesAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(metav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessKubernetesAuth.
+func (in *AkeylessKubernetesAuth) DeepCopy() *AkeylessKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
 	*out = *in
 	if in.AkeylessGWApiURL != nil {

+ 144 - 8
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -70,9 +70,79 @@ spec:
                         description: Auth configures how the operator authenticates
                           with Akeyless.
                         properties:
+                          kubernetesAuth:
+                            description: Kubernetes authenticates with Akeyless by
+                              passing the ServiceAccount token stored in the named
+                              Secret resource.
+                            properties:
+                              accessID:
+                                description: the Akeyless Kubernetes auth-method access-id
+                                type: string
+                              k8sConfName:
+                                description: Kubernetes-auth configuration name in
+                                  Akeyless-Gateway
+                                type: string
+                              secretRef:
+                                description: Optional secret field containing a Kubernetes
+                                  ServiceAccount JWT used for authenticating with
+                                  Akeyless. If a name is specified without a key,
+                                  `token` is the default. If one is not specified,
+                                  the one bound to the controller will be used.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              serviceAccountRef:
+                                description: Optional service account field containing
+                                  the name of a kubernetes ServiceAccount. If the
+                                  service account is specified, the service account
+                                  secret token JWT will be used for authenticating
+                                  with Akeyless. If the service account selector is
+                                  not supplied, the secretRef will be used instead.
+                                properties:
+                                  audiences:
+                                    description: Audience specifies the `aud` claim
+                                      for the service account token If the service
+                                      account uses a well-known annotation for e.g.
+                                      IRSA or GCP Workload Identity then this audiences
+                                      will be appended to the list
+                                    items:
+                                      type: string
+                                    type: array
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - accessID
+                            - k8sConfName
+                            type: object
                           secretRef:
-                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
-                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                            description: Reference to a Secret that contains the details
+                              to authenticate with Akeyless.
                             properties:
                               accessID:
                                 description: The SecretAccessID is used for authentication
@@ -139,8 +209,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                     required:
                     - akeylessGWApiURL
@@ -1491,9 +1559,79 @@ spec:
                         description: Auth configures how the operator authenticates
                           with Akeyless.
                         properties:
+                          kubernetesAuth:
+                            description: Kubernetes authenticates with Akeyless by
+                              passing the ServiceAccount token stored in the named
+                              Secret resource.
+                            properties:
+                              accessID:
+                                description: the Akeyless Kubernetes auth-method access-id
+                                type: string
+                              k8sConfName:
+                                description: Kubernetes-auth configuration name in
+                                  Akeyless-Gateway
+                                type: string
+                              secretRef:
+                                description: Optional secret field containing a Kubernetes
+                                  ServiceAccount JWT used for authenticating with
+                                  Akeyless. If a name is specified without a key,
+                                  `token` is the default. If one is not specified,
+                                  the one bound to the controller will be used.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              serviceAccountRef:
+                                description: Optional service account field containing
+                                  the name of a kubernetes ServiceAccount. If the
+                                  service account is specified, the service account
+                                  secret token JWT will be used for authenticating
+                                  with Akeyless. If the service account selector is
+                                  not supplied, the secretRef will be used instead.
+                                properties:
+                                  audiences:
+                                    description: Audience specifies the `aud` claim
+                                      for the service account token If the service
+                                      account uses a well-known annotation for e.g.
+                                      IRSA or GCP Workload Identity then this audiences
+                                      will be appended to the list
+                                    items:
+                                      type: string
+                                    type: array
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - accessID
+                            - k8sConfName
+                            type: object
                           secretRef:
-                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
-                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                            description: Reference to a Secret that contains the details
+                              to authenticate with Akeyless.
                             properties:
                               accessID:
                                 description: The SecretAccessID is used for authentication
@@ -1560,8 +1698,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                     required:
                     - akeylessGWApiURL

+ 144 - 8
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -70,9 +70,79 @@ spec:
                         description: Auth configures how the operator authenticates
                           with Akeyless.
                         properties:
+                          kubernetesAuth:
+                            description: Kubernetes authenticates with Akeyless by
+                              passing the ServiceAccount token stored in the named
+                              Secret resource.
+                            properties:
+                              accessID:
+                                description: the Akeyless Kubernetes auth-method access-id
+                                type: string
+                              k8sConfName:
+                                description: Kubernetes-auth configuration name in
+                                  Akeyless-Gateway
+                                type: string
+                              secretRef:
+                                description: Optional secret field containing a Kubernetes
+                                  ServiceAccount JWT used for authenticating with
+                                  Akeyless. If a name is specified without a key,
+                                  `token` is the default. If one is not specified,
+                                  the one bound to the controller will be used.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              serviceAccountRef:
+                                description: Optional service account field containing
+                                  the name of a kubernetes ServiceAccount. If the
+                                  service account is specified, the service account
+                                  secret token JWT will be used for authenticating
+                                  with Akeyless. If the service account selector is
+                                  not supplied, the secretRef will be used instead.
+                                properties:
+                                  audiences:
+                                    description: Audience specifies the `aud` claim
+                                      for the service account token If the service
+                                      account uses a well-known annotation for e.g.
+                                      IRSA or GCP Workload Identity then this audiences
+                                      will be appended to the list
+                                    items:
+                                      type: string
+                                    type: array
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - accessID
+                            - k8sConfName
+                            type: object
                           secretRef:
-                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
-                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                            description: Reference to a Secret that contains the details
+                              to authenticate with Akeyless.
                             properties:
                               accessID:
                                 description: The SecretAccessID is used for authentication
@@ -139,8 +209,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                     required:
                     - akeylessGWApiURL
@@ -1491,9 +1559,79 @@ spec:
                         description: Auth configures how the operator authenticates
                           with Akeyless.
                         properties:
+                          kubernetesAuth:
+                            description: Kubernetes authenticates with Akeyless by
+                              passing the ServiceAccount token stored in the named
+                              Secret resource.
+                            properties:
+                              accessID:
+                                description: the Akeyless Kubernetes auth-method access-id
+                                type: string
+                              k8sConfName:
+                                description: Kubernetes-auth configuration name in
+                                  Akeyless-Gateway
+                                type: string
+                              secretRef:
+                                description: Optional secret field containing a Kubernetes
+                                  ServiceAccount JWT used for authenticating with
+                                  Akeyless. If a name is specified without a key,
+                                  `token` is the default. If one is not specified,
+                                  the one bound to the controller will be used.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              serviceAccountRef:
+                                description: Optional service account field containing
+                                  the name of a kubernetes ServiceAccount. If the
+                                  service account is specified, the service account
+                                  secret token JWT will be used for authenticating
+                                  with Akeyless. If the service account selector is
+                                  not supplied, the secretRef will be used instead.
+                                properties:
+                                  audiences:
+                                    description: Audience specifies the `aud` claim
+                                      for the service account token If the service
+                                      account uses a well-known annotation for e.g.
+                                      IRSA or GCP Workload Identity then this audiences
+                                      will be appended to the list
+                                    items:
+                                      type: string
+                                    type: array
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - accessID
+                            - k8sConfName
+                            type: object
                           secretRef:
-                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
-                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                            description: Reference to a Secret that contains the details
+                              to authenticate with Akeyless.
                             properties:
                               accessID:
                                 description: The SecretAccessID is used for authentication
@@ -1560,8 +1698,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                     required:
                     - akeylessGWApiURL

+ 176 - 12
deploy/crds/bundle.yaml

@@ -437,8 +437,51 @@ spec:
                         authSecretRef:
                           description: Auth configures how the operator authenticates with Akeyless.
                           properties:
+                            kubernetesAuth:
+                              description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+                              properties:
+                                accessID:
+                                  description: the Akeyless Kubernetes auth-method access-id
+                                  type: string
+                                k8sConfName:
+                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    audiences:
+                                      description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+                                      items:
+                                        type: string
+                                      type: array
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - accessID
+                                - k8sConfName
+                              type: object
                             secretRef:
-                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              description: Reference to a Secret that contains the details to authenticate with Akeyless.
                               properties:
                                 accessID:
                                   description: The SecretAccessID is used for authentication
@@ -480,8 +523,6 @@ spec:
                                       type: string
                                   type: object
                               type: object
-                          required:
-                            - secretRef
                           type: object
                       required:
                         - akeylessGWApiURL
@@ -1473,8 +1514,51 @@ spec:
                         authSecretRef:
                           description: Auth configures how the operator authenticates with Akeyless.
                           properties:
+                            kubernetesAuth:
+                              description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+                              properties:
+                                accessID:
+                                  description: the Akeyless Kubernetes auth-method access-id
+                                  type: string
+                                k8sConfName:
+                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    audiences:
+                                      description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+                                      items:
+                                        type: string
+                                      type: array
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - accessID
+                                - k8sConfName
+                              type: object
                             secretRef:
-                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              description: Reference to a Secret that contains the details to authenticate with Akeyless.
                               properties:
                                 accessID:
                                   description: The SecretAccessID is used for authentication
@@ -1516,8 +1600,6 @@ spec:
                                       type: string
                                   type: object
                               type: object
-                          required:
-                            - secretRef
                           type: object
                       required:
                         - akeylessGWApiURL
@@ -3226,8 +3308,51 @@ spec:
                         authSecretRef:
                           description: Auth configures how the operator authenticates with Akeyless.
                           properties:
+                            kubernetesAuth:
+                              description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+                              properties:
+                                accessID:
+                                  description: the Akeyless Kubernetes auth-method access-id
+                                  type: string
+                                k8sConfName:
+                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    audiences:
+                                      description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+                                      items:
+                                        type: string
+                                      type: array
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - accessID
+                                - k8sConfName
+                              type: object
                             secretRef:
-                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              description: Reference to a Secret that contains the details to authenticate with Akeyless.
                               properties:
                                 accessID:
                                   description: The SecretAccessID is used for authentication
@@ -3269,8 +3394,6 @@ spec:
                                       type: string
                                   type: object
                               type: object
-                          required:
-                            - secretRef
                           type: object
                       required:
                         - akeylessGWApiURL
@@ -4262,8 +4385,51 @@ spec:
                         authSecretRef:
                           description: Auth configures how the operator authenticates with Akeyless.
                           properties:
+                            kubernetesAuth:
+                              description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+                              properties:
+                                accessID:
+                                  description: the Akeyless Kubernetes auth-method access-id
+                                  type: string
+                                k8sConfName:
+                                  description: Kubernetes-auth configuration name in Akeyless-Gateway
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    audiences:
+                                      description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+                                      items:
+                                        type: string
+                                      type: array
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - accessID
+                                - k8sConfName
+                              type: object
                             secretRef:
-                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              description: Reference to a Secret that contains the details to authenticate with Akeyless.
                               properties:
                                 accessID:
                                   description: The SecretAccessID is used for authentication
@@ -4305,8 +4471,6 @@ spec:
                                       type: string
                                   type: object
                               type: object
-                          required:
-                            - secretRef
                           type: object
                       required:
                         - akeylessGWApiURL

+ 28 - 13
docs/provider/akeyless.md

@@ -1,12 +1,12 @@
 ## Akeyless Vault
 
-External Secrets Operator integrates with [Akeyless API](https://docs.akeyless.io/reference#v2).
+External Secrets Operator integrates with the [Akeyless API](https://docs.akeyless.io/reference#v2).
 
 ### Authentication
 
-The API requires an access-id, access-type and access-Type-param.
+To operate the API first define an access-id, access-type and access-Type-param.
 
-The supported auth-methods and their params are:
+The supported auth-methods and their parameters are:
 
 | accessType  | accessTypeParam                                                                                                                                                                                                                      |
 | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -16,17 +16,17 @@ The supported auth-methods and their params are:
 | `gcp` |      The gcp audience                                                      |
 | `azure_ad` |  azure object id  (optional)                                                          |
 
-form more information about [Akeyless Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods)
+For more information see [Akeyless Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods)
 
-### Akeless credentials secret
+### Creating an Akeyless Ccredentials Secret
 
-Create a secret containing your credentials:
+Create a secret containing your credentials using the following example as a guide:
 
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
-  name: akeylss-secret-creds
+  name: akeyless-secret-creds
 type: Opaque
 stringData:
   accessId: "p-XXXX"
@@ -34,16 +34,31 @@ stringData:
   accessTypeParam:  # can be one of the following: k8s-conf-name/gcp-audience/azure-obj-id/access-key
 ```
 
-### Update secret store
-Be sure the `akeyless` provider is listed in the `Kind=SecretStore` and the `akeylessGWApiURL` is set (def: "https://api.akeless.io".
+### Update Secret Store
+Be sure the `akeyless` provider is listed in the `Kind=SecretStore` and the `akeylessGWApiURL` is set (def: "https://api.akeless.io").
 
 ```yaml
 {% include 'akeyless-secret-store.yaml' %}
 ```
-**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `accessID`, `accessType` and `accessTypeParam` with the namespaces where the secrets reside.
-### Creating external secret
+**NOTE:** In case of a `ClusterSecretStore`, be sure to provide `namespace` for `accessID`, `accessType` and `accessTypeParam`  according to the namespaces where the secrets reside.
 
-To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=ExternalSecret` is needed.
+### Authentication with Kubernetes
+
+Options for obtaining Kubernetes credentials include:
+
+1. Using a service account jwt referenced in serviceAccountRef
+2. Using the jwt from a Kind=Secret referenced by the secretRef
+3. Using transient credentials from the mounted service account token within the external-secrets operator
+
+```yaml
+{% include 'akeyless-secret-store-k8s-auth.yaml' %}
+```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `serviceAccountRef` and `secretRef` according to  the namespaces where the secrets reside.
+
+
+### Creating an external secret
+
+To get a secret from Akeyless and create it as a secret on the Kubernetes cluster, a `Kind=ExternalSecret` is needed.
 
 ```yaml
 {% include 'akeyless-external-secret.yaml' %}
@@ -58,7 +73,7 @@ DataFrom can be used to get a secret as a JSON string and attempt to parse it.
 {% include 'akeyless-external-secret-json.yaml' %}
 ```
 
-### Getting the Kubernetes secret
+### Getting the Kubernetes Secret
 The operator will fetch the secret and inject it as a `Kind=Secret`.
 ```
 kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d

+ 1 - 1
docs/snippets/akeyless-credentials-secret.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: akeylss-secret-creds
+  name: akeyless-secret-creds
 type: Opaque
 stringData:
   accessId: "p-XXXX"

+ 24 - 0
docs/snippets/akeyless-secret-store-k8s-auth.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: akeyless-secret-store
+spec:
+  provider:
+    akeyless:
+      # URL of your akeyless API
+      akeylessGWApiURL: "https://api.akeyless.io"
+      authSecretRef:
+        kubernetesAuth:
+          accessID: "p-XXXXXX"
+          k8sConfName: "my-conf-name"
+
+          # Optional service account field containing the name
+          # of a kubernetes ServiceAccount
+          serviceAccountRef:
+            name: "my-sa"
+
+          # Optional secret field containing a Kubernetes ServiceAccount JWT
+          # used for authenticating with Akeyless
+          secretRef:
+            name: "my-secret"
+            key: "token"

+ 3 - 3
docs/snippets/akeyless-secret-store.yaml

@@ -10,11 +10,11 @@ spec:
       authSecretRef:
         secretRef:
           accessID:
-            name: akeylss-secret-creds
+            name: akeyless-secret-creds
             key: accessId
           accessType:
-            name: akeylss-secret-creds
+            name: akeyless-secret-creds
             key: accessType
           accessTypeParam:
-            name: akeylss-secret-creds
+            name: akeyless-secret-creds
             key: accessTypeParam

+ 41 - 2
pkg/provider/akeyless/akeyless.go

@@ -23,7 +23,10 @@ import (
 	"time"
 
 	"github.com/akeylesslabs/akeyless-go/v2"
+	"k8s.io/client-go/kubernetes"
+	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -44,6 +47,7 @@ type Provider struct{}
 type akeylessBase struct {
 	kube      client.Client
 	store     esv1beta1.GenericStore
+	corev1    typedcorev1.CoreV1Interface
 	namespace string
 
 	akeylessGwAPIURL string
@@ -68,7 +72,19 @@ func init() {
 
 // NewClient constructs a new secrets client based on the provided store.
 func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
-	return newClient(ctx, store, kube, namespace)
+	// controller-runtime/client does not support TokenRequest or other subresource APIs
+	// so we need to construct our own client and use it to fetch tokens
+	// (for Kubernetes service account token auth)
+	restCfg, err := ctrlcfg.GetConfig()
+	if err != nil {
+		return nil, err
+	}
+	clientset, err := kubernetes.NewForConfig(restCfg)
+	if err != nil {
+		return nil, err
+	}
+
+	return newClient(ctx, store, kube, clientset.CoreV1(), namespace)
 }
 
 func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
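Review bot: NewClient now loads a rest config and builds a full clientset on every call, whether or not the store uses kubernetesAuth, so any environment where `ctrlcfg.GetConfig()` cannot find a config (out-of-cluster runs, some test setups) now breaks the existing secretRef path as well; as far as this diff shows the clientset is consumed only by the TokenRequest call in getJWTfromServiceAccountToken, so building it lazily there, or only when the store's KubernetesAuth is set, would contain the change. The two `return nil, err` lines also drop context; `return nil, fmt.Errorf("loading kubernetes rest config: %w", err)` and `return nil, fmt.Errorf("creating kubernetes clientset: %w", err)` would match the `%w` style used elsewhere in this commit.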
@@ -87,6 +103,28 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
 			return fmt.Errorf(errInvalidAkeylessURL)
 		}
 	}
+	if akeylessSpec.Auth.KubernetesAuth != nil {
+		if akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef != nil {
+			if err := utils.ValidateReferentServiceAccountSelector(store, *akeylessSpec.Auth.KubernetesAuth.ServiceAccountRef); err != nil {
+				return fmt.Errorf(errInvalidKubeSA, err)
+			}
+		}
+		if akeylessSpec.Auth.KubernetesAuth.SecretRef != nil {
+			err := utils.ValidateSecretSelector(store, *akeylessSpec.Auth.KubernetesAuth.SecretRef)
+			if err != nil {
+				return err
+			}
+		}
+
+		if akeylessSpec.Auth.KubernetesAuth.AccessID == "" {
+			return fmt.Errorf("missing kubernetes auth-method access-id")
+		}
+
+		if akeylessSpec.Auth.KubernetesAuth.K8sConfName == "" {
+			return fmt.Errorf("missing kubernetes config name")
+		}
+		return nil
+	}
 
 	accessID := akeylessSpec.Auth.SecretRef.AccessID
 	err := utils.ValidateSecretSelector(store, accessID)
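Review bot: The two new checks at the bottom of the KubernetesAuth branch build their errors from inline literals (`fmt.Errorf("missing kubernetes auth-method access-id")`, `fmt.Errorf("missing kubernetes config name")`) while every other message in this provider is a named `errXxx` constant in utils.go, which this same commit extends; adding `errMissingKubeAccessID` and `errMissingKubeConfName` there and using them here keeps the file consistent. The branch also returns nil before the secretRef checks, so a store that sets both kubernetesAuth and secretRef is accepted with the latter never validated; a comment such as `// kubernetesAuth takes precedence; secretRef is ignored when it is set` would record that this is intentional. ValidateStore continues outside the hunk.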
@@ -117,11 +155,12 @@ func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
 	return nil
 }
 
-func newClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
+func newClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, corev1 typedcorev1.CoreV1Interface, namespace string) (esv1beta1.SecretsClient, error) {
 	akl := &akeylessBase{
 		kube:      kube,
 		store:     store,
 		namespace: namespace,
+		corev1:    corev1,
 	}
 
 	spec, err := GetAKeylessProvider(store)

+ 124 - 6
pkg/provider/akeyless/akeyless_api.go

@@ -28,26 +28,34 @@ import (
 	azure_cloud_id "github.com/akeylesslabs/akeyless-go-cloud-id/cloudprovider/azure"
 	gcp_cloud_id "github.com/akeylesslabs/akeyless-go-cloud-id/cloudprovider/gcp"
 	"github.com/akeylesslabs/akeyless-go/v2"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
 var apiErr akeyless.GenericOpenAPIError
 
 const DefServiceAccountFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 
-func (a *akeylessBase) GetToken(accessID, accType, accTypeParam string) (string, error) {
+func (a *akeylessBase) GetToken(accessID, accType, accTypeParam string, k8sAuth *esv1beta1.AkeylessKubernetesAuth) (string, error) {
 	ctx := context.Background()
 	authBody := akeyless.NewAuthWithDefaults()
 	authBody.AccessId = akeyless.PtrString(accessID)
 	if accType == "api_key" || accType == "access_key" {
 		authBody.AccessKey = akeyless.PtrString(accTypeParam)
 	} else if accType == "k8s" {
-		jwtString, err := readK8SServiceAccountJWT()
+		jwtString, err := a.getK8SServiceAccountJWT(ctx, k8sAuth)
 		if err != nil {
 			return "", fmt.Errorf("failed to read JWT with Kubernetes Auth from %v. error: %w", DefServiceAccountFile, err)
 		}
+		jwtStringBase64 := base64.StdEncoding.EncodeToString([]byte(jwtString))
 		K8SAuthConfigName := accTypeParam
 		authBody.AccessType = akeyless.PtrString(accType)
-		authBody.K8sServiceAccountToken = akeyless.PtrString(jwtString)
+		authBody.K8sServiceAccountToken = akeyless.PtrString(jwtStringBase64)
 		authBody.K8sAuthConfigName = akeyless.PtrString(K8SAuthConfigName)
 	} else {
 		cloudID, err := a.getCloudID(accType, accTypeParam)
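Review bot: getK8SServiceAccountJWT is now called with `k8sAuth`, which is nil on the legacy path because the caller in auth.go passes `prov.Auth.KubernetesAuth` only after its nil check has already returned, so a store that selects `accessType: k8s` through secretRef now dereferences a nil pointer at `kubernetesAuth.ServiceAccountRef` in the next hunk instead of reading the mounted token as before. Add a guard at the top of getK8SServiceAccountJWT, `if kubernetesAuth == nil { return readK8SServiceAccountJWT() }`, and a test case for that store shape. The error message on the following line still names DefServiceAccountFile even though the JWT may now come from a ServiceAccount secret, a TokenRequest or a referenced Secret; `"failed to read JWT with Kubernetes Auth: %w"` would not mislead whoever reads the log. GetToken continues outside the hunk.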
@@ -240,6 +248,117 @@ func (a *akeylessBase) getCloudID(provider, accTypeParam string) (string, error)
 	return cloudID, err
 }
 
+func (a *akeylessBase) getK8SServiceAccountJWT(ctx context.Context, kubernetesAuth *esv1beta1.AkeylessKubernetesAuth) (string, error) {
+	if kubernetesAuth.ServiceAccountRef != nil {
+		// Kubernetes <v1.24 fetch token via ServiceAccount.Secrets[]
+		jwt, err := a.getJWTFromServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
+		if jwt != "" {
+			return jwt, err
+		}
+		// Kubernetes >=v1.24: fetch token via TokenRequest API
+		jwt, err = a.getJWTfromServiceAccountToken(ctx, *kubernetesAuth.ServiceAccountRef, nil, 600)
+		if err != nil {
+			return "", err
+		}
+		return jwt, nil
+	} else if kubernetesAuth.SecretRef != nil {
+		tokenRef := kubernetesAuth.SecretRef
+		if tokenRef.Key == "" {
+			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
+			tokenRef.Key = "token"
+		}
+		jwt, err := a.secretKeyRef(ctx, tokenRef)
+		if err != nil {
+			return "", err
+		}
+		return jwt, nil
+	} else {
+		return readK8SServiceAccountJWT()
+	}
+}
+
+func (a *akeylessBase) getJWTFromServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
+	serviceAccount := &corev1.ServiceAccount{}
+	ref := types.NamespacedName{
+		Namespace: a.namespace,
+		Name:      serviceAccountRef.Name,
+	}
+	if (a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind) &&
+		(serviceAccountRef.Namespace != nil) {
+		ref.Namespace = *serviceAccountRef.Namespace
+	}
+	err := a.kube.Get(ctx, ref, serviceAccount)
+	if err != nil {
+		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
+	}
+	if len(serviceAccount.Secrets) == 0 {
+		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
+	}
+	for _, tokenRef := range serviceAccount.Secrets {
+		retval, err := a.secretKeyRef(ctx, &esmeta.SecretKeySelector{
+			Name:      tokenRef.Name,
+			Namespace: &ref.Namespace,
+			Key:       "token",
+		})
+		if err != nil {
+			continue
+		}
+
+		return retval, nil
+	}
+	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
+}
+
+func (a *akeylessBase) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
+	secret := &corev1.Secret{}
+	ref := types.NamespacedName{
+		Namespace: a.namespace,
+		Name:      secretRef.Name,
+	}
+	if (a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind) &&
+		(secretRef.Namespace != nil) {
+		ref.Namespace = *secretRef.Namespace
+	}
+	err := a.kube.Get(ctx, ref, secret)
+	if err != nil {
+		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
+	}
+
+	keyBytes, ok := secret.Data[secretRef.Key]
+	if !ok {
+		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
+	}
+
+	value := string(keyBytes)
+	valueStr := strings.TrimSpace(value)
+	return valueStr, nil
+}
+
+func (a *akeylessBase) getJWTfromServiceAccountToken(ctx context.Context, serviceAccountRef esmeta.ServiceAccountSelector, additionalAud []string, expirationSeconds int64) (string, error) {
+	audiences := serviceAccountRef.Audiences
+	if len(additionalAud) > 0 {
+		audiences = append(audiences, additionalAud...)
+	}
+	tokenRequest := &authenticationv1.TokenRequest{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: a.namespace,
+		},
+		Spec: authenticationv1.TokenRequestSpec{
+			Audiences:         audiences,
+			ExpirationSeconds: &expirationSeconds,
+		},
+	}
+	if (a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind) &&
+		(serviceAccountRef.Namespace != nil) {
+		tokenRequest.Namespace = *serviceAccountRef.Namespace
+	}
+	tokenResponse, err := a.corev1.ServiceAccounts(tokenRequest.Namespace).CreateToken(ctx, serviceAccountRef.Name, tokenRequest, metav1.CreateOptions{})
+	if err != nil {
+		return "", fmt.Errorf(errGetKubeSATokenRequest, serviceAccountRef.Name, err)
+	}
+	return tokenResponse.Status.Token, nil
+}
+
 // readK8SServiceAccountJWT reads the JWT data for the Agent to submit to Akeyless Gateway.
 func readK8SServiceAccountJWT() (string, error) {
 	data, err := os.Open(DefServiceAccountFile)
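Review bot: In the ServiceAccountRef branch of getK8SServiceAccountJWT the long-lived token from ServiceAccount.Secrets is tried first and the TokenRequest API only as a fallback, so on clusters that still carry legacy token secrets the gateway receives a non-expiring credential even though a bounded one is available; trying `getJWTfromServiceAccountToken` first and falling back to the secret only on error would favour the short-lived token wherever TokenRequest is served. The `600` passed there is a magic number; a named constant such as `defaultTokenExpirationSeconds = 600` would document the exposure window. Because getJWTFromServiceAccount returns `""` together with every error, the `return jwt, err` that follows it can only ever carry a nil error and reads clearer as `return jwt, nil`, and the `continue` in its loop discards the reason each bound secret was rejected, so wrapping the last error into errGetKubeSANoToken would make a bad token secret diagnosable. CreateToken also needs the operator's own RBAC to allow create on `serviceaccounts/token`; the diff shows no manifest change for that, so confirm it is already granted.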
@@ -253,7 +372,6 @@ func readK8SServiceAccountJWT() (string, error) {
 		return "", err
 	}
 
-	a := strings.TrimSpace(string(contentBytes))
-
-	return base64.StdEncoding.EncodeToString([]byte(a)), nil
+	jwt := strings.TrimSpace(string(contentBytes))
+	return jwt, nil
 }

+ 93 - 22
pkg/provider/akeyless/akeyless_test.go

@@ -130,36 +130,107 @@ func TestValidateStore(t *testing.T) {
 
 	akeylessGWApiURL := ""
 
-	store := &esv1beta1.SecretStore{
-		Spec: esv1beta1.SecretStoreSpec{
-			Provider: &esv1beta1.SecretStoreProvider{
-				Akeyless: &esv1beta1.AkeylessProvider{
-					AkeylessGWApiURL: &akeylessGWApiURL,
-					Auth: &esv1beta1.AkeylessAuth{
-						SecretRef: esv1beta1.AkeylessAuthSecretRef{
-							AccessID: esmeta.SecretKeySelector{
-								Name: "accessId",
-								Key:  "key-1",
+	t.Run("secret auth", func(t *testing.T) {
+		store := &esv1beta1.SecretStore{
+			Spec: esv1beta1.SecretStoreSpec{
+				Provider: &esv1beta1.SecretStoreProvider{
+					Akeyless: &esv1beta1.AkeylessProvider{
+						AkeylessGWApiURL: &akeylessGWApiURL,
+						Auth: &esv1beta1.AkeylessAuth{
+							SecretRef: esv1beta1.AkeylessAuthSecretRef{
+								AccessID: esmeta.SecretKeySelector{
+									Name: "accessId",
+									Key:  "key-1",
+								},
+								AccessType: esmeta.SecretKeySelector{
+									Name: "accessId",
+									Key:  "key-1",
+								},
+								AccessTypeParam: esmeta.SecretKeySelector{
+									Name: "accessId",
+									Key:  "key-1",
+								},
 							},
-							AccessType: esmeta.SecretKeySelector{
-								Name: "accessId",
-								Key:  "key-1",
+						},
+					},
+				},
+			},
+		}
+
+		err := provider.ValidateStore(store)
+		if err != nil {
+			t.Errorf(err.Error())
+		}
+	})
+
+	t.Run("k8s auth", func(t *testing.T) {
+		store := &esv1beta1.SecretStore{
+			Spec: esv1beta1.SecretStoreSpec{
+				Provider: &esv1beta1.SecretStoreProvider{
+					Akeyless: &esv1beta1.AkeylessProvider{
+						AkeylessGWApiURL: &akeylessGWApiURL,
+						Auth: &esv1beta1.AkeylessAuth{
+							KubernetesAuth: &esv1beta1.AkeylessKubernetesAuth{
+								K8sConfName: "name",
+								AccessID:    "id",
+								ServiceAccountRef: &esmeta.ServiceAccountSelector{
+									Name: "name",
+								},
 							},
-							AccessTypeParam: esmeta.SecretKeySelector{
-								Name: "accessId",
-								Key:  "key-1",
+						},
+					},
+				},
+			},
+		}
+
+		err := provider.ValidateStore(store)
+		if err != nil {
+			t.Errorf(err.Error())
+		}
+	})
+
+	t.Run("bad conf auth", func(t *testing.T) {
+		store := &esv1beta1.SecretStore{
+			Spec: esv1beta1.SecretStoreSpec{
+				Provider: &esv1beta1.SecretStoreProvider{
+					Akeyless: &esv1beta1.AkeylessProvider{
+						AkeylessGWApiURL: &akeylessGWApiURL,
+						Auth:             &esv1beta1.AkeylessAuth{},
+					},
+				},
+			},
+		}
+
+		err := provider.ValidateStore(store)
+		if err == nil {
+			t.Errorf("expected an error")
+		}
+	})
+
+	t.Run("bad k8s conf auth", func(t *testing.T) {
+		store := &esv1beta1.SecretStore{
+			Spec: esv1beta1.SecretStoreSpec{
+				Provider: &esv1beta1.SecretStoreProvider{
+					Akeyless: &esv1beta1.AkeylessProvider{
+						AkeylessGWApiURL: &akeylessGWApiURL,
+						Auth: &esv1beta1.AkeylessAuth{
+							KubernetesAuth: &esv1beta1.AkeylessKubernetesAuth{
+								AccessID: "id",
+								ServiceAccountRef: &esmeta.ServiceAccountSelector{
+									Name: "name",
+								},
 							},
 						},
 					},
 				},
 			},
-		},
-	}
+		}
 
-	err := provider.ValidateStore(store)
-	if err != nil {
-		t.Errorf(err.Error())
-	}
+		err := provider.ValidateStore(store)
+		if err == nil {
+			t.Errorf("expected an error")
+		}
+	})
 }
 
 func TestGetSecretMap(t *testing.T) {
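Review bot: `t.Errorf(err.Error())` in the "secret auth" and "k8s auth" subtests passes the error text as the format string, which go vet's printf check flags and which would garble the output if a message ever contained a `%`; use `t.Error(err)` instead. The new cases cover a missing K8sConfName but not a missing AccessID, which the KubernetesAuth branch of ValidateStore now rejects as well; one more subtest would pin that check.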

+ 6 - 1
pkg/provider/akeyless/auth.go

@@ -39,6 +39,11 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		return "", err
 	}
 
+	if prov.Auth.KubernetesAuth != nil {
+		auth := prov.Auth.KubernetesAuth
+		return a.GetToken(auth.AccessID, "k8s", auth.K8sConfName, auth)
+	}
+
 	ke := client.ObjectKey{
 		Name:      prov.Auth.SecretRef.AccessID.Name,
 		Namespace: a.namespace, // default to ExternalSecret namespace
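Review bot: The new early return hands authentication to GetToken as soon as KubernetesAuth is set, before any secretRef lookup, so a store that specifies both silently uses only kubernetesAuth; a comment above the branch, `// kubernetesAuth takes precedence over secretRef`, would make that contract visible, and the name TokenFromSecretRef no longer describes this path. TokenFromSecretRef starts and ends outside the hunk.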
@@ -99,5 +104,5 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		return "", fmt.Errorf(errMissingAKID)
 	}
 
-	return a.GetToken(accessID, accessType, accessTypeParam)
+	return a.GetToken(accessID, accessType, accessTypeParam, prov.Auth.KubernetesAuth)
 }
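Review bot: The argument `prov.Auth.KubernetesAuth` on the changed line is always nil at this point, because the KubernetesAuth branch earlier in the function has already returned whenever it is set; writing `return a.GetToken(accessID, accessType, accessTypeParam, nil)` states that directly and makes it obvious to a reader of GetToken that a nil k8sAuth is a legitimate input for the legacy `k8s` accessType. TokenFromSecretRef starts outside the hunk.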

+ 7 - 0
pkg/provider/akeyless/utils.go

@@ -34,6 +34,13 @@ const (
 	errInvalidAkeylessURL           = "invalid akeyless GW API URL"
 	errInvalidAkeylessAccessIDName  = "missing akeyless accessID name"
 	errInvalidAkeylessAccessIDKey   = "missing akeyless accessID key"
+	errGetKubeSecret                = "cannot get Kubernetes secret %q: %w"
+	errSecretKeyFmt                 = "cannot find secret data for key: %q"
+	errGetKubeSA                    = "cannot get Kubernetes service account %q: %w"
+	errGetKubeSASecrets             = "cannot find secrets bound to service account: %q"
+	errGetKubeSANoToken             = "cannot find token in secrets bound to service account: %q"
+	errGetKubeSATokenRequest        = "cannot request Kubernetes service account token for service account %q: %w"
+	errInvalidKubeSA                = "invalid Auth.Kubernetes.ServiceAccountRef: %w"
 )
 
 // GetAKeylessProvider does the necessary nil checks and returns the akeyless provider or an error.