Service Accounts

Last modified on September 7, 2022

Service Accounts provide programmatic access to resources via strongDM. This document describes how you can create, view, and use Service Accounts.

strongDM allows for two types of users:

  • User accounts: People users who authenticate with email address and password to access resources
  • Service Accounts: Machines/programs/applications that authenticate with admin tokens to access automated processes or any automated function that needs resource access

Use Cases

Service Accounts are used for automation or for allowing programs and applications to use strongDM, when there is no live human to authenticate.

For example, a Service Account is ideal for the following:

  • Continuous-integration pipelines
  • Periodic extract-transform-load (ETL) jobs
  • Business intelligence (BI) tools
  • Jupyter Notebooks and similar self-contained analysis environments
  • Containerized environments (often in conjunction with the strongDM client container) that need access to strongDM-protected Datasources

Create and View Service Accounts on the Users Page

Both User accounts and Service Accounts are provisioned on the Users page of the strongDM Admin UI. On the Users page, all Service Accounts are marked with the service tag, so you can easily distinguish them from User accounts.

Create a Service Account

To create Service Accounts, you’ll need to have admin access to the Admin UI.

  1. In the Admin UI, select Users from the left-hand navigation.
  2. Click the Add service button.
  3. Enter a name for the Service Account. Notice that a first/last name and email address are not needed because Service Accounts are for programs/machines, not people.
  4. Click Create service account.
  5. Copy the generated Service Account token and keep it somewhere safe, as you won’t be able to see it again.

Grant Access to Resources

strongDM uses Role-based privileges to control access to resources. Like User accounts, Service Accounts gain access to resources through Role Membership, via the Static and Dynamic Access Rules that have been defined for that Role. For information on how to assign a Role to an account, see Roles.

Authentication

After creating a Service Account, generating a Service Account token, and granting the account access to resources via Role Membership, you will need to authenticate the account in your environment in order to use it.

To authenticate, choose your OS and follow the setup instructions provided in the strongDM User Guide:

Usage

You can set up Service Accounts to connect clients to resources either automatically or manually.

For fully automated Service Account configurations, enable auto-connect to ensure that your clients are connected by default. Auto-connect is dependent on Port Overrides being enabled. You can configure Service Accounts to auto-connect to datasources in the Admin UI under Settings > Security.

When auto-connect is disabled, Service Account usage mimics regular User accounts. Once authenticated, Users will specify which resources they wish to connect to via the CLI or GUI.