Service Accounts
What are service accounts?
Service accounts are used for Machine to Machine (M2M) authentication and use OIDC federation to log in to Phobos. For instance, they allow a CI/CD pipeline to authenticate and interface with the API.
Service accounts can be scoped to a specific organization or project. Organization-scoped service accounts are accessible to all of the organization's projects. Project-scoped service accounts are only accessible within the project. Service accounts can be added as members with defined roles so that resources (e.g., agents) within the organization or project can use the service accounts.
Check the FAQ to see if there's already an answer.
Creating a service account��
To create a service account, navigate to the target organization or target project and click on Service Accounts from the sidebar. Then click on the Create Service Account button.
Fill in the name, an optional description, Identity Provider information with bound claims, and click Create Service Account.
After creating a service account, it must be added as a member to an organization or project. Adding a service account as a member will allow the organization or project to use the service account for authentication.
Check out Memberships for information on adding a service account as a member. Additionally, see the FAQs for suggestions on roles.
Updating a service account
To update a service account, navigate to the Service Account page, select the service account you want to update, and click on the Edit button.
You can update the description and Identity Provider information with bound claims. Click Update Service Account to save the changes.
Deleting a service account
To delete a service account, navigate to the Service Account page, select the service account you want to delete, and click on the upside-down caret next to the Edit button. Then click on the Delete Service Account button.
Deleting a service account will break any integrations that rely on it, such as CI/CD pipelines.
Frequently Asked Questions (FAQ)
Who can create a service account?
Any member of the target organization or project with a role of Owner, Release Manager, or Developer can create a service account. Viewers cannot create a service account.
How do I use a service account with the Phobos CLI?
See the CLI documentation for more information.
Why is my service account not working?
Please make sure that the service account is a member of the organization or the project and has the necessary role assigned to it. Also, ensure that the service account has the correct Identity Provider information with bound claims.
Should I just give my service account an Owner role?
No, it is not recommended to give a service account an Owner role. Generally, a Developer role is sufficient for most use cases. An Owner role will allow the service account to manage the organization, its members, and arbitrarily perform any action; this goes against the principle of least privilege.
Can a service account from one organization access resources in another organization?
No, a service account can only access resources within the organization it is a member of.
I don't want to give my organization-scoped service account access to all its projects. What should I do?
Organization-scoped service accounts are not automatically designated as project members. You can manually add an organization-scoped service account to a project as a member and adjust its access by assigning a role to it (e.g., Viewer).
Will the CLI periodically renew the token for the service account?
Yes, the CLI will periodically renew the token for the service account. The token should be renewed a short period of time before it expires.
Why am I seeing a "subject is not authorized to perform the requested operation" error?
Generally, this error occurs when the service account is able to view the resource but not modify it. Please reach out to the organization or project owner to get the necessary role assigned to it.
Why am I seeing a "Resource not found" error?
This error occurs when the service account is not a member of the organization or project. Please make sure that the service account is a member of the organization or project and has the necessary role assigned to it. (For security reasons, Phobos returns "Resource not found" instead of a more specific error to prevent information disclosure about the existence of resources to unauthorized users.)