[1.16] Clarify Service Account token requirements for secretKeyRef with auto-loaded Kubernetes secret store #5014

@MyMirelHub

Describe the issue
The Service Account tokens section states that component secrets don't require a token, but omits that Dapr auto-loads a built-in Kubernetes secret store in the sidecar that requires a token to initialize. This causes pods to crash with `stat /home/nonroot/.kube/config: no such file or directory` when using `automountServiceAccountToken: false`.

URL of the docs
https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#service-account-tokens

Expected content
Documentation should clarify that:

  1. The Operator resolves `secretKeyRef` without a pod token (works as stated)
  2. The sidecar auto-loads a Kubernetes secret store that needs a token
  3. Use annotation `dapr.io/disable-builtin-k8s-secret-store: "true"` to run with `automountServiceAccountToken: false`
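
An added example, not part of the original issue or the Dapr project's code: a pre-deployment check that flags Dapr-enabled workloads which set `automountServiceAccountToken: false` in the pod spec but do not carry the `dapr.io/disable-builtin-k8s-secret-store: "true"` annotation, which is the combination the issue reports as crashing. The sample manifests, workload names and function names are constructed for illustration, and the check assumes input shaped like `kubectl get deployments -o json`.

```python
import json

DAPR_ENABLED = "dapr.io/enabled"
DISABLE_BUILTIN = "dapr.io/disable-builtin-k8s-secret-store"

# Constructed sample input, shaped like `kubectl get deployments -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Deployment", "metadata": {"name": "crashes"},
   "spec": {"template": {
     "metadata": {"annotations": {"dapr.io/enabled": "true"}},
     "spec": {"automountServiceAccountToken": false}}}},
  {"kind": "Deployment", "metadata": {"name": "fixed"},
   "spec": {"template": {
     "metadata": {"annotations": {"dapr.io/enabled": "true",
                                  "dapr.io/disable-builtin-k8s-secret-store": "true"}},
     "spec": {"automountServiceAccountToken": false}}}},
  {"kind": "Deployment", "metadata": {"name": "default-token"},
   "spec": {"template": {
     "metadata": {"annotations": {"dapr.io/enabled": "true"}},
     "spec": {}}}},
  {"kind": "Deployment", "metadata": {"name": "no-dapr"},
   "spec": {"template": {"metadata": {}, "spec": {"automountServiceAccountToken": false}}}}
]}
""")

def is_true(value):
    # Assumption of this sketch: only the string "true" (any case) counts as enabled.
    return str(value).strip().lower() == "true"

def find_tokenless_dapr_workloads(manifest_list):
    """Return names of Dapr-enabled workloads that disable the token mount
    but leave the built-in Kubernetes secret store enabled."""
    flagged = []
    for item in manifest_list.get("items", []):
        template = item.get("spec", {}).get("template", {})
        annotations = template.get("metadata", {}).get("annotations") or {}
        pod_spec = template.get("spec", {})
        if not is_true(annotations.get(DAPR_ENABLED, "false")):
            continue  # no Dapr sidecar is injected, so nothing to check
        # Only an explicit false in the pod spec is checked, not the ServiceAccount.
        if pod_spec.get("automountServiceAccountToken") is not False:
            continue
        if not is_true(annotations.get(DISABLE_BUILTIN, "false")):
            flagged.append(item["metadata"]["name"])
    return flagged

if __name__ == "__main__":
    print(find_tokenless_dapr_workloads(SAMPLE))
```

The check does not cover a token mount disabled on the ServiceAccount object rather than in the pod spec.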
