- Manage Accounts
Service Accounts for StreamNative Cloud
Each service account represents an application programmatically accessing StreamNative Cloud.
You can manage application access to StreamNative Cloud by using service accounts. Permissions can be specified using ACLs and role bindings tied to a specific service account. ACLs and role bindings for service accounts are set by an administrator or another user with a similar role within the organization.
Service accounts are an organization-level resource.
Service accounts span the entire organization and can own authentication credentials for many different resources, including development and production clusters. A typical use case has one team administering the StreamNative Cloud streaming data platform and issuing service accounts (with ACLs applied) to various application teams that use the streaming data platform. While service accounts cannot sign in to StreamNative Cloud Console, they can own any type of API keysthat can be used for CLI or API access. Keep in mind the following:
Although users can leave or change roles within a company, applications continue to operate independently of the users, service accounts are especially useful in organizations requiring special identifiers for applications or services not be tied to a specific user.
You can create service accounts using any of the following methods:
- StreamNative Cloud Console.
- StreamNative CLI command
snctl create serviceaccount.
Warning
When you delete a service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which may cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a service account.
Create a service account
Note
Currently, you can't edit a service account. If you need a service account to have Super Admin access, make sure to enable it when creating the service account. By default, service accounts do not have Super Admin enabled.
To create a service account, follow these steps.
On the left navigation pane, click Service Accounts.
Click Create Service Account.
(Optional) Select Super Admin to grant the service account with Super admin access to a namespace or tenant.
Enter a name for the service account, and then click Confirm.
Check service account details
After you have created a service account, you can check the details of the account.
- On the left navigation pane, click Service Accounts. The Service Accounts page displays all of the created service accounts.
The table below describes the details that you can view about the service account.
| Item | Description |
|---|---|
| Name | The name of the service account. |
| Pulsar Role Name | This name displays in the Admin Role field when creating a tenant. |
| Key File | The key file for the service account. |
| Token | The token for the service account. |
| Organization | The organization that the service account was created in. |
| Create Time | The time when the service account was created. |
| Status | The status of the service account. |
| Admin | Whether the service account has Super Admin enabled or not. |
| ... | Click the ellipsis to display the delete icon. |
Get the service account key file or token
Both the key file and the token are used for authentication. Tokens are only valid for seven days. When a token expires, you need to use the key file to generate a new token for authentication. Or, you can directly use the key file for authentication.
Get a key file
To get an OAuth2 credential file of a service account through the StreamNative Console, follow these steps.
On the left navigation pane, click Service Accounts.
In the row of the service account you want to use, in the Key File column, click the Download icon to download the OAuth2 credential file to your local directory.
The OAuth2 credential file should be something like this:
{ "type": "SN_SERVICE_ACCOUNT", "client_id": "CLIENT_ID", "client_secret": "CLIENT_SECRET", "client_email": "[email protected]", "issuer_url": "https://auth.streamnative.cloud" }
Get a token
Note
- Before getting the token of a service account, verify that the service account is authorized as a superuser or an admin of the tenants and namespaces.
- A token has a system-defined Time-To-Live (TTL) of 7 days. Before a token expires, ensure that you generate a new token for your service account.
To get a token using the StreamNative Console, follow these steps.
On the left navigation pane, click Service Accounts.
In the row of the service account you want to use, in the Token column, click Generate new token, then click the Copy icon to copy the token to your clipboard.
Delete a service account
To delete a service account, follow these steps.
On the left navigation pane, click Service Accounts.
Click the ellipsis at the end of the row of the service account you want to delete, and then select Delete.
On the dialog box asking, Are you sure you want to delete this service account?, click Confirm.