Scenario #291
Security
Kubernetes v1.23, AKS

Service Account Token Leakage via Logs

Application inadvertently logged its mounted service account token, exposing it to log aggregation systems.

What Happened

A misconfigured logging library dumped all environment variables and mounted file contents at startup, including the token from /var/run/secrets/kubernetes.io/serviceaccount/token.

Diagnosis Steps
  1. Searched central logs for token patterns.
  2. Confirmed multiple logs contained valid JWTs.
  3. Validated token usage in audit logs.
Root Cause

Poor logging hygiene in application code.

Fix/Workaround
• Rotated all impacted service account tokens.
• Added environment and file sanitization to logging library.
Lessons Learned

Tokens are sensitive credentials and should never be logged.

How to Avoid
  1. Add a startup check to prevent token exposure.
  2. Use static analysis or OPA to block risky mounts/logs.
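As an added example that is not part of the scenario page, covering both the log search in the diagnosis steps and the startup/logging check under "How to Avoid": a Python scanner that finds JWT-shaped strings in log lines, decodes the payload without verification to tell whether it is a Kubernetes service account token, and a redaction helper a logging filter could apply before a line is emitted. The log lines and the token are constructed (the signature is fake), and the function names are this example's own.

```python
import base64
import json
import re

# JWT shape: three base64url segments joined by dots; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sa_token_subject(token: str):
    """Return the 'sub' claim if the JWT looks like a Kubernetes service account
    token, else None. The payload is read WITHOUT signature verification: this
    only identifies what kind of credential leaked, it never trusts the token."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    sub = str(payload.get("sub", ""))
    iss = str(payload.get("iss", ""))
    if sub.startswith("system:serviceaccount:") or "kubernetes" in iss:
        return sub
    return None


def find_leaked_tokens(log_lines):
    """Return (line number, subject) for every log line carrying an SA token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in JWT_RE.findall(line):
            sub = sa_token_subject(tok)
            if sub is not None:
                hits.append((n, sub))
    return hits


def redact_tokens(text: str) -> str:
    """Logging-filter helper: replace any JWT-shaped string before it is written."""
    return JWT_RE.sub("[REDACTED-JWT]", text)


def _fake_sa_token() -> str:
    """Constructed sample token: realistic header/payload, signature is not real."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-kid"}
    payload = {"iss": "kubernetes/serviceaccount",
               "sub": "system:serviceaccount:default:payments-app",
               "kubernetes.io/serviceaccount/namespace": "default"}
    return f"{enc(header)}.{enc(payload)}.{enc({'sig': 'not-a-real-signature'})}"


# Constructed startup log lines, mirroring the env/file dump described in the scenario.
SAMPLE_LOGS = [
    "INFO startup: env KUBERNETES_SERVICE_HOST=10.0.0.1",
    "INFO startup: file /var/run/secrets/kubernetes.io/serviceaccount/token = " + _fake_sa_token(),
    "INFO startup: ready",
]
```

Running `find_leaked_tokens(SAMPLE_LOGS)` points at line 2 with the leaked subject, which is the signal a central-log search needs; the same regex inside a logging filter would have redacted that line at the source.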