Istio 1.7 - Setup for JWT Auth


I’ve got 4 websites with different domains and different auth services. All of them are using JWT for authentication. All of them are located in separate namespaces, except the data storage, which is in a namespace used by all of them. Now I’d like to use the JWT authentication policies of Istio. But on some sites it’s mentioned that I’ve got to enable the service account token projection in Kubernetes to use those policies.
Is that true or can I use the policies without the projections?


Who is issuing the JWT token? You only need to make sure Istio is able to get the JWKS from the issuer (usually specified by the jwksUri field in the RequestAuthentication), and then use the AuthorizationPolicy to enforce actual access control based on the JWT claims.

You don’t need the service account token projection in k8s; that’s for a separate thing. Do not get it confused with your end user JWT token authentication.
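
The setup described in the reply above, sketched for one of the four sites as an added example that is not part of the original thread. The namespace `site-a`, the label `app: site-a-web`, the issuer URL, the JWKS path and the `aud` value are hypothetical placeholders; each site would get its own pair of resources in its own namespace, pointing at its own issuer.

```yaml
# Step 1: tell the sidecar how to validate end-user JWTs for this workload.
# Istio fetches the signing keys from jwksUri, so the mesh must be able to
# reach that URL. No service account token projection is involved here.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: site-a-jwt            # hypothetical name
  namespace: site-a           # hypothetical namespace
spec:
  selector:
    matchLabels:
      app: site-a-web         # hypothetical workload label
  jwtRules:
  - issuer: "https://auth.site-a.example"                          # placeholder issuer
    jwksUri: "https://auth.site-a.example/.well-known/jwks.json"   # placeholder JWKS URL
---
# Step 2: enforce access control on the validated claims.
# RequestAuthentication alone rejects only requests carrying an INVALID token;
# requests with no token at all still pass. This ALLOW policy closes that gap,
# because a request without a valid JWT has no request principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: site-a-require-jwt    # hypothetical name
  namespace: site-a
spec:
  selector:
    matchLabels:
      app: site-a-web
  action: ALLOW
  rules:
  - from:
    - source:
        # Request principal is "<iss>/<sub>"; the suffix wildcard accepts
        # any subject, but only from this site's issuer.
        requestPrincipals: ["https://auth.site-a.example/*"]
    when:
    # Assumed claim check: only accept tokens minted for this site.
    - key: request.auth.claims[aud]
      values: ["site-a"]
```

Scoping each issuer to its own namespace and selector keeps a token from one site's auth service from being accepted by another site's workloads; the shared data-storage namespace needs its own policy listing whichever issuers it should trust.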