Chapter 3. Using service accounts with services
The following information briefly describes how to use service accounts with services and the CLIENT_ID and CLIENT_SECRET variables. It is provided as a reference guideline only.
- Create a new Service account: Red Hat Hybrid Cloud Console Service accounts
Paste the following information on a terminal, replacing the CLIENT_ID and CLIENT_SECRET variables:
export HOST='https://sso.redhat.com'
export CLIENT_ID='<client_id>'
export CLIENT_SECRET='<client_secret>'
export SCOPES='openid api.iam.service_accounts'
Get a token for the service account with:
curl "${HOST}/auth/realms/redhat-external/protocol/openid-connect/token" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "scope=${SCOPES}"
If you have jq installed (a command-line JSON processor), you can save the token to an env var:
export ACCESS_TOKEN=$( \
  curl "${HOST}/auth/realms/redhat-external/protocol/openid-connect/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "scope=${SCOPES}" \
  | jq -r '.access_token')
Send a request to an application that supports service accounts:
curl --header "Authorization:Bearer ${ACCESS_TOKEN}" --location "https://console.redhat.com/api/rbac/v1/access/?application=inventory"
- The response should be empty or unprivileged, depending on the app. Try adding the service account to an RBAC group and adding roles to that group: User Access Groups
- After roles are added to the service account group, repeat step 3 to grab a fresh token and attempt the request again. You should now have more privileges and get proper responses from applications.
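A check to run on ACCESS_TOKEN before sending it as a Bearer credential, covering the jq step and the "grab a fresh token" step above. This is an added example, not part of the original guide: the helper function names are hypothetical, the sample token is constructed and unsigned, and it assumes the access token is a JWT carrying a numeric "exp" claim.

```shell
# Added example, not from the original guide. Assumes the access token is a JWT
# with a numeric "exp" claim; the function names are hypothetical helpers.

# Base64url-encode stdin (used only to build the constructed sample below).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed, unsigned sample token with the expiry given in $1 (not a real credential).
sample_token() {
  printf '%s.%s.%s' \
    "$(printf '{"alg":"none"}' | b64url)" \
    "$(printf '{"scope":"openid api.iam.service_accounts","exp":%s}' "$1" | b64url)" \
    "constructed-signature"
}

# Print the decoded JSON payload (second dot-separated segment) of the JWT in $1.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in   # restore the padding that base64url strips
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the numeric claim named $2 from the JWT in $1 (empty if absent).
jwt_claim_num() {
  jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Return 0 if token $1 is usable at epoch time $2 (default: now).
# 1 = no token (jq -r prints "null" when the response is an error body),
# 2 = not a decodable JWT, 3 = expired or expiring within 30 seconds.
token_usable() {
  tok=$1; at=${2:-$(date +%s)}
  case $tok in
    ''|null) echo "no access_token in token response" >&2; return 1 ;;
  esac
  exp=$(jwt_claim_num "$tok" exp)
  [ -n "$exp" ] || { echo "token is not a decodable JWT" >&2; return 2; }
  [ "$exp" -gt $((at + 30)) ] || { echo "token expired, request a new one" >&2; return 3; }
}
```

With the variables from the steps above, run token_usable "$ACCESS_TOKEN" before the API request and repeat the token request whenever it returns non-zero.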