service-accounts-admin.md: Explain invalidating short-lived tokens

jplitza · web-flow · commit 7b03fd4d8bd4 · 2024-12-09T14:39:33.000+01:00
diff --git a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md
@@ -506,6 +506,8 @@ time. Please refer to [auto-generated legacy ServiceAccount token clean up](#aut
 
 ## Delete/invalidate a ServiceAccount token {#delete-token}
 
+### Delete/invalidate a long-lived/legacy ServiceAccount token {#delete-legacy-token}
+
 If you know the name of the Secret that contains the token you want to remove:
 
 ```shell
@@ -544,6 +546,17 @@ Then, delete the Secret you now know the name of:
 kubectl -n examplens delete secret/example-automated-thing-token-zyxwv
 ```
 
+### Delete/invalidate a short-lived ServiceAccount token {#delete-short-lived}
+
+Short lived ServiceAccount tokens automatically expire after the amount
+specified during their creation. There is no central record of tokens issued,
+so there is no way to revoke individual tokens.
+
+If you absolutely have to revoke a short-lived token before its expiration, you
+can delete and re-create the ServiceAccount it is associated to. This will
+change its UID and hence invalidate **all** ServiceAccount tokens that were
+created for it.
+
 ## Clean up
 
 If you created a namespace `examplens` to experiment with, you can remove it:
