Service Accounts

Service Accounts provide programmatic access to resources via strongDM. This document describes how you can create, view, and use Service Accounts in strongDM.

strongDM allows for two types of users:

  • User accounts: People users who authenticate with email address and password to access resources
  • Service Accounts: Machines/programs/applications that authenticate with admin tokens to access automated processes or any automated function that needs resource access

Use Cases

Service Accounts are used for automation or for allowing programs and applications to use strongDM, when there is no live human to authenticate.

For example, a Service Account is ideal for the following:

  • Continuous-integration pipelines
  • Periodic extract-transform-load (ETL) jobs
  • Business intelligence (BI) tools
  • Jupyter Notebooks and similar self-contained analysis environments
  • Containerized environments (often in conjunction with the strongDM client container) that need access to strongDM-protected Datasources

Create and View Service Accounts on the Users Page

Both User accounts and Service Accounts are provisioned on the Users page of the strongDM Admin UI. On the Users page, all Service Accounts are marked with the service tag, so you can easily distinguish them from User accounts.

Create a Service Account

To create Service Accounts, you'll need to have admin access to the Admin UI.

  1. In the Admin UI, go to the Users page.
  2. Click the add service button.
  3. Enter a name for the Service Account. Notice that a first/last name and email address are not needed because Service Accounts are for programs/machines, not people.
  4. Click create.
  5. Copy the generated Service Account token and keep it somewhere safe, as you won't be able to see it again.

Grant Access to Resources

strongDM primarily uses Role-based privileges to control access to resources, such as Datasources, Servers, Clusters, Websites, and Clouds. You can grant Service Accounts access to resources in the same way as User accounts, either directly with direct access grants or by inheritance with inherited access.

Direct access grants

Direct access grants may be assigned to accounts only when the accounts have the role called No Role or when they've been given Temporary Access to resources. When an account has No Role, it simply means that access to resources must be granted individually because there is no Role from which they can inherit access.

Any accounts without a Role are shown at the top of the Users page in the No Role section.

To grant access directly, do the following:

  1. On the Users page of the Admin UI, click the Service Account’s name to reveal its configuration. You will see resources separated in tabs by type.

  2. Click on any resources that you wish to grant to the Service Account.

Inherited access

Inherited access occurs when Service Accounts are assigned to a Role. Roles represent a collection of permissions, and they typically correspond to teams, Active Directory organizational units (OUs), use cases, or any other organizational scheme. Roles work the same for Service Accounts as they do for User accounts, so any grants assigned to a Role are inherited by all members or accounts assigned to that Role.

To grant access by inheritance, simply assign a Role to the Service Account, and the account will inherit access to all the resources granted to that Role.


After creating a Service Account, generating a Service Account token, and granting the account access to resources, you will need to authenticate the account in your environment in order to use it.

To authenticate, choose your OS and follow the setup instructions provided in the strongDM User Guide:


You can set up Service Accounts to connect clients to resources either automatically or manually.

For fully automated Service Account configurations, enable auto-connect to ensure that your clients are connected by default. Auto-connect is dependent on port overrides being enabled. You can configure Service Accounts to auto-connect in the Admin UI in Settings > Port Overrides.

When auto-connect is disabled, Service Account usage mimics regular User accounts. Once authenticated, Users will specify which resources they wish to connect to via the CLI or GUI.