Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Creating and Managing Service Accounts
Create and manage service accounts
Abstract
Preface
A service account grants a system service access to specific resources. While users can create service accounts, only an Organization Administrator or a user with the User Access Admin role can assign service accounts to user groups. The service account will have the permissions that are granted to the user group.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Service accounts
An account can be either a user account or a service account. A user account authenticates human users in your organization. A service account authenticates applications or services without human intervention. You create service accounts on Red Hat Hybrid Cloud Console for the following reasons:
- An application or service needs access to specific resources.
- The application or service needs to access resources without the need for human intervention.
- The application or service needs to access resources from multiple locations.
You must use service accounts to connect to cloud service APIs on Red Hat Hybrid Cloud Console. Red Hat support for basic authentication ends on December 31, 2024 and will only permit token-based authentication after that date. Service accounts support token-based authentication.
For more information about service account implementation, see Transition of Red Hat Hybrid Cloud Console APIs from basic authentication to token-based authentication via service accounts.
APIs require an access grant token from Red Hat Single Sign-On. The token expires after 15 minutes (900 seconds). Repeat the process of obtaining an access token every 10 minutes (600 seconds) so that the token is rotated prior to expiration. RFC 6749, Section 4.1.4
Chapter 2. Creating and managing a service account
Use service accounts to securely and automatically connect and authenticate services or applications without requiring an end user’s credentials or direct interaction.
When you create a Red Hat service account, you generate a client ID and a secret. The service account uses the ID and secret to access services on the Red Hat Hybrid Cloud Console.
- Client ID The client ID identifies the service account to the resource, much like a username identifies a user.
- Secret The secret provides a similar function as does a password. The secret appears once when you create the service account. Copy and save the secret and protect it as you would any password.
After you create a service account, you add it to the applicable User Access group. (User Access is the Red Hat implementation of role-based access control.) The roles assigned to a User Access group determine the level of access the service account has to applications and services on the Red Hat Hybrid Cloud Console. You can also create a group for your service account.
The following tasks show you how to create and manage service accounts and groups:
You can perform the following tasks after you generate a client ID and a secret for a service account:
You must be the owner of a service account if you want to reset it or delete it. The Organization Administrator can reset or delete any service account.
Additional resources
2.1. Creating a service account
You can create a service account and generate the client ID and secret to use with that account.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- From the Red Hat Hybrid Cloud Console, Click the settings icon (⚙) and click Service Accounts.
- Click Create service account to set up the account.
- Enter a Service account name and a Short description and click Create.
Copy the generated Client ID and Client secret values to a secure location. You’ll specify these credentials when configuring a connection to a service.
ImportantThe Client secret is displayed only once, so ensure that you’ve successfully and securely saved the copied credentials before closing the credentials window.
- After you save the Client ID and secret to a secure location, select the confirmation check box in the credentials window and close the window. The Client secret is not displayed again.
- The service account and its Client ID appear on the Service Accounts page.
2.2. Adding service accounts to a User Access group
The Organization Administrator adds a service account to a User Access group that has the permissions that allow a service account to access services and applications on the Red Hat Hybrid Cloud Console. Any user can create a service account but only the Organization Administrator or a User Access administrator can add service accounts to groups.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator or as a user with User Access administrator permissions.
-
One or more service accounts are associated with your Red Hat organization account.
Section 2.1, “Creating a service account” -
A User Access group already exists that you can add the service account to.
Section 2.3, “Creating a User Access group for service accounts”
Procedure
- From the Red Hat Hybrid Cloud Console, click the settings icon (⚙) and click User Access.
- To add the service account to a preexisting group, click the Groups tab and click the name of the group that you want to add the service account to.
- When the group name window appears, click the Service accounts tab.
- Click Add service account. A list appears of all service accounts associated with your Red Hat organization account.
- Click the service accounts you want to add to the User Access group and click Add to group.
- The service accounts appear on the Service accounts tab.
2.3. Creating a User Access group for service accounts
The Organization Administrator can create a new User Access group with roles or permissions that are specific to a service account. This group has the permissions that allow a service account to access services and applications on the Red Hat Hybrid Cloud Console. Any user can create a service account but only the Organization Administrator or a User Access administrator can add create a new group for a service account.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator or as a user with User Access administrator permissions.
- One or more service accounts are associated with your Red Hat organization account. Section 2.1, “Creating a service account”
You have access to the Client Secret information for the service account that you add to the User Access group.
NoteThe Client Secret information is displayed once when you create a new service account. You must copy and save that information. It is not displayed again.
Procedure
In this example, you create a group that allows a service account to view automation analytics on the Red Hat Ansible Automation Platform.
- From the Red Hat Hybrid Cloud Console, click the settings icon (⚙) and click User Access.
- Click the Groups tab and click Create Group.
- Add a Group name and a Group description. The description is optional.
- Click Next to add roles to the group. For this example, find Automation Analytics viewer and click the checkbox next to the role name.
- Click Next to display Add members. Because you are adding a service account and not a member, click Next.
- Add service accounts appears. Choose the service account you want to add and click the checkbox next to the name.
- Click Next and review the details. If no changes are needed, click Submit. The new group is created that contains the service account and the Automation Analytics viewer role and permissions.
Additional resources
- Configure Ansible Automation Platform to authenticate through service account credentials
- Transition of Red Hat Hybrid Cloud Console APIs from basic authentication to token-based authentication via service accounts
- User Access Configuration Guide for Role-based Access Control (RBAC)
- Section 2.4, “Deleting service accounts from a User Access group”
- Section 2.2, “Adding service accounts to a User Access group”
2.4. Deleting service accounts from a User Access group
The Organization Administrator can delete a service account from a User Access group on the Red Hat Hybrid Cloud Console. Any user can create a service account but only the Organization Administrator or a User Access administrator can delete service accounts from groups.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator or as a user with User Access administrator permissions.
- One or more service accounts are associated with your Red Hat organization account. Section 2.1, “Creating a service account”
Procedure
- From the Red Hat Hybrid Cloud Console, click the settings icon (⚙) and click User Access.
- To delete the service account from a group, click the Groups tab and click the name of the group that includes the service account.
- When the group name window appears, click the Service accounts tab. All service accounts in that group appear.
Remove a single service account.
- Click the options icon (⋮) in the Name row and click Remove.
- Acknowledge the Remove service account? message and click Remove service account.
Remove multiple service accounts.
- Click the check box next to each account to remove.
- Click the options icon (⋮) in any Name row of the selected service accounts and click Remove.
- Acknowledge the Remove service account? message and click Remove service account.
- Verify that the selected service account does not appear on the Service accounts tab.
Additional resources
2.5. Resetting a service account secret
You can reset the secret for a service account. When you do so, the client ID does not change. You must be the owner of a service account if you want to reset it or delete it. The Organization Administrator user can reset or delete any service account.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- From the Red Hat Hybrid Cloud Console, Click the settings icon (⚙) and click Service Accounts.
- On the list of existing service accounts, select the service account you want to reset and click the options icon (⋮).
- Verify that you want to reset this account and click Reset credentials.
Copy the updated Client secret values to a secure location. You’ll specify these credentials when configuring a connection to a service.
ImportantThe generated credentials are displayed only once, so ensure that you’ve successfully and securely saved the copied credentials before closing the credentials window.
- After you save the generated credentials to a secure location, select the confirmation check box in the credentials window and close the window.
2.6. Deleting a service account
You can delete a service account. You must be the owner of a service account if you want to reset it or delete it. The Organization Administrator user can reset or delete any service account.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- From the Red Hat Hybrid Cloud Console, Click the settings icon (⚙) and click Service Accounts.
- Identify the service account you want to delete and click the options icon (⋮).
- Verify that you want to delete this account and click Delete service account.
Chapter 3. Using service accounts with services
The following information briefly describes how to use service accounts with services and the CLIENT_ID and CLIENT_SECRET variables. It is provided as a reference guideline only.
- Create a new Service account: Red Hat Hybrid Cloud Console Service accounts
Paste the following information on a terminal, replacing the CLIENT_ID and CLIENT_SECRET variables:
export HOST='https://sso.redhat.com' CLIENT_ID='<client_id>' CLIENT_SECRET='<client_secret>' SCOPES='openid api.iam.service_accounts'
export HOST='https://sso.redhat.com' CLIENT_ID='<client_id>' CLIENT_SECRET='<client_secret>' SCOPES='openid api.iam.service_accounts'Copy to Clipboard Copied! Toggle word wrap Toggle overflow Get a token for the service account with
curl "${HOST}/auth/realms/redhat-external/protocol/openid-connect/token" \ --data-urlencode "grant_type=client_credentials" \ --data-urlencode "client_id=${CLIENT_ID}" \ --data-urlencode "client_secret=${CLIENT_SECRET}" \ --data-urlencode "scope=${SCOPES}"curl "${HOST}/auth/realms/redhat-external/protocol/openid-connect/token" \ --data-urlencode "grant_type=client_credentials" \ --data-urlencode "client_id=${CLIENT_ID}" \ --data-urlencode "client_secret=${CLIENT_SECRET}" \ --data-urlencode "scope=${SCOPES}"Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you have jq installed (a command-line JSON processor), you can save the token to an env var:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Send a request to an application that supports service accounts:
curl --header "Authorization:Bearer ${ACCESS_TOKEN}" --location "https://console.redhat.com/api/rbac/v1/access/?application=inventory"curl --header "Authorization:Bearer ${ACCESS_TOKEN}" --location "https://console.redhat.com/api/rbac/v1/access/?application=inventory"Copy to Clipboard Copied! Toggle word wrap Toggle overflow - The response should be empty, or unprivileged depending on the app. Try adding the service account to an RBAC group, and adding roles to that group. User Access Groups
- After roles are added to the service account group, repeat step 3 to grab a fresh token and attempt the request again. You should now have more privileges and get proper responses from applications.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}