Service Accounts provide programmatic access to resources via strongDM. This document describes how you can create, view, and use Service Accounts in strongDM.
strongDM allows for two types of users:
- User accounts: Human users who authenticate with an email address and password to access resources
- Service Accounts: Machines, programs, or applications that authenticate with an admin token to run automated processes or any other automated function that needs resource access
Service Accounts are used for automation or for allowing programs and applications to use strongDM, when there is no live human to authenticate.
For example, a Service Account is ideal for the following:
- Continuous-integration pipelines
- Periodic extract-transform-load (ETL) jobs
- Business intelligence (BI) tools
- Jupyter Notebooks and similar self-contained analysis environments
- Containerized environments (often in conjunction with the strongDM client container) that need access to strongDM-protected Datasources
Create and View Service Accounts on the Users Page
Both User accounts and Service Accounts are provisioned on the Users page of the strongDM Admin UI. On the Users page, all Service Accounts are marked with the service tag, so you can easily distinguish them from User accounts.
Grant Access to Resources
strongDM primarily uses Role-based privileges to control access to resources, such as Datasources, Servers, Clusters, Websites, and Clouds. You can grant Service Accounts access to resources in the same way as User accounts: either directly (direct access grants) or through a Role (inherited access).
Direct access grants
Direct access grants may be assigned only to accounts that have the role called No Role or that have been given Temporary Access to resources. No Role simply means that access to resources must be granted individually, because there is no Role from which the account can inherit access.
Any accounts without a Role are shown at the top of the Users page in the No Role section.
To grant access directly, do the following:
- On the Users page of the Admin UI, click the Service Account’s name to reveal its configuration. You will see resources separated in tabs by type.
- Click any resources that you wish to grant to the Service Account.
Inherited access
Inherited access occurs when Service Accounts are assigned to a Role. Roles represent a collection of permissions, and they typically correspond to teams, Active Directory organizational units (OUs), use cases, or any other organizational scheme. Roles work the same for Service Accounts as they do for User accounts, so any grants assigned to a Role are inherited by all members or accounts assigned to that Role.
To grant access by inheritance, simply assign a Role to the Service Account, and the account will inherit access to all the resources granted to that Role.
After creating a Service Account, generating a Service Account token, and granting the account access to resources, you will need to authenticate the account in your environment in order to use it.
To authenticate, choose your OS and follow the setup instructions provided in the strongDM User Guide:
You can set up Service Accounts to connect clients to resources either automatically or manually.
For fully automated Service Account configurations, enable auto-connect so that your clients are connected by default. Auto-connect depends on port overrides being enabled. You can configure Service Accounts to auto-connect in the Admin UI under Settings > Port Overrides.
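As an added example (not part of the strongDM documentation), the following POSIX shell script shows how a CI pipeline can use a Service Account token: the token comes from the pipeline's secret store rather than the script, the client is started, the job waits until the needed resource is actually connected before running, and the client is shut down when the job ends. It assumes the strongDM client reads the token from the SDM_ADMIN_TOKEN environment variable, that `sdm listen --daemon`, `sdm status` and `sdm logout` behave as named, and that `sdm status` lists one resource per line with its name followed by a status word; the datasource name and the sample status output are constructed.

```shell
#!/bin/sh
# Added example, not strongDM's own code. Assumes: the client reads the Service
# Account token from SDM_ADMIN_TOKEN; `sdm status` prints one resource per line,
# name first, status second. The datasource name below is hypothetical.
set -eu

DATASOURCE="${DATASOURCE:-analytics-db}"

# Return 0 when the named resource is listed as "connected" in a status listing.
# $1 = status text, $2 = resource name. Pure text parsing, so it runs offline.
resource_connected() {
  printf '%s\n' "$1" | awk -v name="$2" '
    $1 == name && tolower($2) == "connected" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Poll `sdm status` for up to $2 seconds until resource $1 is connected.
wait_for_connected() {
  deadline=$(( $(date +%s) + ${2:-60} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if resource_connected "$(sdm status 2>/dev/null)" "$1"; then
      return 0
    fi
    sleep 2
  done
  echo "timed out waiting for $1 to connect" >&2
  return 1
}

run_job() {
  # Fail fast if the secret store did not inject the token; never print it.
  : "${SDM_ADMIN_TOKEN:?Service Account token must come from the CI secret store}"
  sdm listen --daemon                      # client authenticates with the token
  trap 'sdm logout >/dev/null 2>&1 || true' EXIT   # drop the session at exit
  wait_for_connected "$DATASOURCE" 60      # rely on auto-connect, but verify it
  echo "running job against $DATASOURCE"
  # ... job commands that use the local port for $DATASOURCE go here ...
}

# Start the client only when a token and the sdm binary are actually present.
if [ -n "${SDM_ADMIN_TOKEN:-}" ] && command -v sdm >/dev/null 2>&1; then
  run_job
fi
```

The connection check matters because auto-connect is asynchronous: a job that starts immediately after `sdm listen` can race ahead of the client and fail on a port that is not yet bound.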