Managing service accounts

Manage access and permissions with service accounts

Service accounts overview

A service account is an identity that provides automated processes, applications, and services with the necessary permissions to interact securely with your infrastructure. Service accounts can manage access and permissions programmatically, ensuring secure and efficient operations within your environment.

Codefresh supports creating service accounts and assigning them to teams with RBAC (Role-Based Access Control) compliance for CI pipelines. See Create service accounts.
Each service account can hold multiple API keys, making it easy to manage access for different purposes. See Generate API keys for service accounts.

Create service accounts

Create service accounts in Codefresh to manage processes and integrations at the account level.
Assign teams to service accounts to ensure RBAC access for those teams and their users (see Access control for pipelines).
Note that service account creation is not supported via CLI and Terraform.

Before you begin
  • Make sure you have created one or more teams
How to
  1. In the Codefresh UI, on the toolbar, click the Settings icon, and then from the sidebar, select Service Accounts.
  2. Click Add Service Account.
  3. Do the following:
    1. Name: Enter a name for the service account according to the requirements.
    2. Team: Assign this service account to one or more of the teams available.
    3. Assign Admin role to service account: Optional. Automatically assign admin permissions to this service account.

Add service account

  4. Continue with Generate API keys for service accounts.

Generate API keys for service accounts

Generate API keys for a service account after creating it. The procedure is similar to generating API keys for individual users. There is no limit to the number of API keys you can generate for a single service account.

After generating API keys, you can modify the scopes defined for the API key, or delete it.

  1. In the Codefresh UI, on the toolbar, click the Settings icon, and then from the sidebar, select Service Accounts.
  2. Select the service account for which to generate API keys.
  3. Click Generate API Key.
  4. In the Generate Codefresh API key form, do the following:
    1. Enter the Key Name.
    2. Click Generate. Codefresh generates the key and pastes it in the API Key field.
    3. If required, copy the key to the clipboard and save it in a safe location.

API keys for service account

  5. Select the required scopes.
  6. Click OK.

View service accounts

The Service Accounts page shows the list of service accounts defined for the account.

Service account list

Service Account Setting: Description
  • Name: The name of the service account. The Admin label to the right of the name indicates that the service account has been assigned an admin role.
  • API Keys: The number of API keys assigned to the service account. Selecting a service account displays the API keys generated for that account. Modify selected scopes by clicking Edit, or delete the API key.
  • Teams: The names of the teams the service account is assigned to.
  • Status: Indicates if the service account is currently active (Enabled) or inactive (Disabled). You may want to disable a service account to invalidate its API keys without having to remove the service account, and simply reenable when needed.
  • Actions: The options available to manage the service account through its context menu:
    • Edit: Modify the settings of the service account, including adding/removing teams, enabling/disabling admin role.
    • Delete: Delete the service account, including all the API keys defined for the account. This means that actions through the Codefresh API or CLI that require these keys will fail.

Authenticating to Amazon ECR with service account

Authenticate to Amazon ECR registries with credentials from the service account instead of the Access Key ID and Secret Access Key.
This allows pipelines to seamlessly authenticate to Amazon ECR via service account credentials, enhancing security and simplifying access management.

There are two requirements:

  1. Set the option to authenticate via service accounts at the account level for pipelines. See Advanced options for pipelines.
  2. Configure Amazon ECR integration to use service account credentials. See Amazon ECR Container Registry pipeline integration.
