Argo Workflow always using default serviceaccount
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
If an Argo Workflow keeps running under the namespace default service account, the usual cause is that the workflow spec never sets serviceAccountName, or the value is being overridden by workflow defaults. The fix is normally in the workflow manifest and RBAC configuration, not in the container image or the template commands.
Where the Service Account Is Chosen
For Argo Workflows, the pod service account is typically controlled at the workflow spec level:
If serviceAccountName is missing, Kubernetes falls back to the namespace default service account for the workflow pods.
Create the Service Account and Bind Permissions
Setting the name alone is not enough. The account must exist and have the permissions the workflow actually needs.
Without the RBAC binding, the workflow may start with the right account but still fail later when it tries to call the Kubernetes API.
Check Workflow Defaults and Submission Paths
If the manifest already sets serviceAccountName and Argo still uses default, inspect the workflow controller configuration and any workflow template defaults. Some installations apply defaults centrally, which can override or inject fields during submission.
Practical checks:
- inspect the submitted workflow object
- inspect the generated pod spec
- inspect the workflow controller config map
If the live workflow resource does not contain your expected service account, the override happened before pod creation.
Verify the Generated Pods
Do not stop at the workflow YAML. Confirm what Kubernetes actually created.
Look for serviceAccountName in the workflow spec and then in the pod spec. That tells you whether the wrong value came from submission, controller defaults, or pod-generation behavior.
WorkflowTemplate and CronWorkflow Cases
The same rule applies to WorkflowTemplate and CronWorkflow. The service account belongs in the workflow spec section that eventually becomes the runtime workflow.
If you place the field in the wrong section, Argo will ignore it and Kubernetes will still fall back to default.
Common Pitfalls
The most common mistake is assuming Argo will infer a non-default service account automatically. It will not unless you configure it explicitly.
Another issue is creating the service account but forgetting the role binding. That changes the identity but does not grant the required permissions.
A third problem is setting serviceAccountName in a template fragment or parent config that does not actually control the runtime workflow spec.
Summary
- Argo uses the namespace default service account when
serviceAccountNameis not set. - Put
serviceAccountNamein the workflow spec that drives pod creation. - Create the service account and bind the RBAC permissions it needs.
- Inspect the submitted workflow and generated pods to see where the wrong value appears.
- Check controller defaults and template structure if your explicit setting is being ignored.

