Service Accounts
Service Accounts provide programmatic access to resources via strongDM. This document describes how you can create, view, and use Service Accounts.
strongDM allows for two types of users:
- User accounts: Human users who authenticate with an email address and password to access resources
- Service Accounts: Machines, programs, or applications that authenticate with admin tokens, for automated processes or any automated function that needs resource access
Use Cases
Service Accounts are used for automation, or to allow programs and applications to use strongDM when there is no live human to authenticate.
For example, a Service Account is ideal for the following:
- Continuous-integration pipelines
- Periodic extract-transform-load (ETL) jobs
- Business intelligence (BI) tools
- Jupyter Notebooks and similar self-contained analysis environments
- Containerized environments (often in conjunction with the strongDM client container) that need access to strongDM-protected Datasources
Create and View Service Accounts on the Users Page
Both User accounts and Service Accounts are provisioned on the Users page of the strongDM Admin UI. On the Users page, all Service Accounts are marked with the service tag, so you can easily distinguish them from User accounts.
Grant Access to Resources
strongDM uses Role-based privileges to control access to resources. Like User accounts, Service Accounts gain access to resources through Role Membership, via the Static and Dynamic Access Rules that have been defined for that Role. For information on how to assign a Role to an account, see Roles.
Authentication
After creating a Service Account, generating a Service Account token, and granting the account access to resources via Role Membership, you will need to authenticate the account in your environment in order to use it.
To authenticate, choose your OS and follow the setup instructions provided in the strongDM User Guide.
Usage
You can set up Service Accounts to connect clients to resources either automatically or manually.
For fully automated Service Account configurations, enable auto-connect to ensure that your clients are connected by default. Auto-connect is dependent on Port Overrides being enabled. You can configure Service Accounts to auto-connect in the Admin UI in Settings > Port Overrides.
When auto-connect is disabled, Service Account usage mimics that of regular User accounts. Once authenticated, Users specify which resources they wish to connect to via the CLI or GUI.