Configure migrations to use service accounts in ARO
If you set up migrations and migration schedules using user accounts, you will encounter token expiration-related errors. To avoid these errors, Portworx, Inc. recommends setting up migration and migration schedules using service accounts.  In contrast to user accounts, which expire after a specified interval of time has passed, service account tokens do not expire. Using service accounts ensures that you will not encounter token expiration-related errors. See the User accounts versus service accounts section of the Kubernetes documentation for more details about the differences between service accounts and user accounts.  Perform the following steps on the destination cluster to configure migrations to use service accounts. 
Create a service account and a cluster role binding
Follow the instructions in the following sections to create a service account and cluster role binding.
Create a service account
- 
Create a file called service-account-migration.yamlwith the following content, specifying thenamespace:to match one of the existing namespaces in your cluster. For this example we will use thedefaultnamespace:apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: migration
 namespace: default
- 
Apply the spec:  oc apply -f service-account-migration.yaml
Create a Secret
- For Kubernetes version 1.24 or newer, you also need to create a secret. In the example below, the name in the annotation kubernetes.io/service-account.namemust match the name of the service account that you created. 
apiVersion: v1
kind: Secret
metadata:
  name: migration
  namespace: default
  annotations: 
    kubernetes.io/service-account.name: migration
type: kubernetes.io/service-account-token
- Apply the secret:
oc apply -f <migrationsecretname>.yaml
Create a cluster role binding
- Create a file called cluster-role-binding-migration.yamlwith the following content, specifying thenamespace:field to match the namespace in the previous step:apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: migration-clusterrolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: cluster-admin
 subjects:
 - kind: ServiceAccount
 name: migration
 namespace: default
The roleRef.name field is set to cluster-admin. For details about super-user access, see the User-facing roles section of the Kubernetes documentation.
- Apply the spec: 
oc apply -f cluster-role-binding-migration.yaml
Create a kubeconfig file
- Download the create-migration-config.sh script file. Edit the file and change the values of the SERVERandNAMESPACEvariables to match your environment.
- To create a kubeconfig file, enter the following commands:
chmod +x create-migration-config.sh && ./create-migration-config.sh > ~/.kube/migration-config.conf
- Set the value of the KUBECONFIGenvironment variable to point to the kubeconfig file that you created in the previous step: export KUBECONFIG=~/.kube/migration-config.conf
Create a ClusterPair
- Generate kubeconfigfiles, using the Create a kubeconfig file procedure.
- Create an asynchronous DR ClusterPair depending upon your environment.