Is there a good way in native Pulumi to get the token (secret) of a service account I created. ServiceAccount.secrets will give me the name of the token created, so I think I just need to be able to read a secret created outside of Pulumi?

It is not easy. We use this to get the token:

secret_name = service_account.secrets[0]["name"]
secret = pulumi.Output.all(
    namespace_name=namespace.metadata.name,
    secret_name=secret_name
).apply(
    lambda args:
    kubernetes.core.v1.Secret.get(
        name,
        f"{args['namespace_name']}/{args['secret_name']}",
        opts=pulumi.ResourceOptions(parent=self),
    )
)
token=secret.data["token"]

Actual it is base64 encoded so the last line could be:

token=secret.data["token"].apply(
    lambda token: base64.b64decode(token).decode()
)

Ah I didn’t realize there was a .get available for secret