Container: Developing an Application - Service Accounts

Overview

OpenShift service accounts are useful because:

  • Their login token does not expire unless it is explicitly revoked.
  • They can be given permissions scoped to a single project or to the entire cluster.

Creating Service Accounts

To create a service account in your current namespace, do the following:

oc create serviceaccount {your service account name}

Authenticating Using Service Accounts

Once the service account has been created, you will see two secrets associated with the account. Both contain the same token. Describe the secret to view that token; it can be used in any login command or script the same way your user token can.

oc describe secret {your service account's secret name}

Adding Roles to Service Accounts

Newly created service accounts have few capabilities; permissions must be added, either via the command line or the UI. Project admins can add permissions within their own project in the UI. To do so, go to: {your project name} > Resources > Membership > Service Accounts. Choose 'Add Another Role' to add permissions to your newly created service account.

Only OpenShift admins have permission to add roles to service accounts via the command line. To add permissions to a service account, use the 'oc adm' command. Here are some command-line examples:

To add permissions within a project, use the following syntax:

oc adm policy add-role-to-user registry-viewer system:serviceaccount:{project name}:{my service account name}

To add permissions throughout the cluster, use the following syntax:

oc adm policy add-cluster-role-to-user registry-viewer system:serviceaccount:{project name}:{my service account name}
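The three steps above (create the account, read its token, bind a role) as one script, with a check that the grant is no broader than intended. This is an added example, not from the original page; it assumes the 'oc' CLI is installed and you are logged in as a cluster admin, that 'oc auth can-i' and the jsonpath lookup are available in your oc version, and PROJECT, SA_NAME and the 'view' role are placeholder choices.

```shell
#!/bin/sh
# Added example, not from the original page. Automates the steps above and
# checks the result. Assumes the 'oc' CLI is installed and you are logged in
# as a cluster admin; PROJECT and SA_NAME are placeholders you set yourself.
set -eu

# Subject name OpenShift expects when binding a role to a service account.
sa_subject() {            # $1 = project, $2 = service account
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Extract the token value from 'oc describe secret' output read on stdin.
token_from_describe() {
  awk '$1 == "token:" { print $2; exit }'
}

# Constructed sample of 'oc describe secret' output, used for offline checks.
sample_describe_output() {
  cat <<'EOF'
Name:         ci-reader-token-abc12
Type:         kubernetes.io/service-account-token
Data
====
ca.crt:       1066 bytes
namespace:    9 bytes
token:        eyJhbGciOiJSUzI1NiJ9.constructed-sample-token
EOF
}

# Name of the SA's token secret (the "-token-" one, not the dockercfg one).
sa_token_secret() {       # $1 = project, $2 = service account
  oc get serviceaccount "$2" -n "$1" -o jsonpath='{.secrets[*].name}' \
    | tr ' ' '\n' | grep -- '-token-' | head -n 1
}

main() {
  project="${PROJECT:-myproject}"   # placeholder
  sa="${SA_NAME:-ci-reader}"        # placeholder
  oc create serviceaccount "$sa" -n "$project"
  secret="$(sa_token_secret "$project" "$sa")"
  token="$(oc describe secret "$secret" -n "$project" | token_from_describe)"
  # Least privilege: a project-scoped 'view' binding, not a cluster role.
  oc adm policy add-role-to-user view "$(sa_subject "$project" "$sa")" -n "$project"
  # Confirm the token can read but not create pods in the project.
  oc auth can-i list pods -n "$project" --token="$token"
  if oc auth can-i create pods -n "$project" --token="$token" >/dev/null 2>&1; then
    echo "WARNING: token has more than read access" >&2
  fi
}

# Only touch the cluster when explicitly asked; the helpers above work offline.
[ "${RUN_OC:-0}" = 1 ] && main || true
```

Run with RUN_OC=1 PROJECT=... SA_NAME=... to apply it against a cluster; without RUN_OC the script only defines the helpers.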

More information about roles and their uses can be found here.

Last Updated: 
Wednesday, September 12, 2018