search

Creating Service Accounts using the VGS CLI

hashtag
CLI Authentication with Service Accounts

The key difference in authentication with a service account is that you don't need to execute vgs login open the browser and input your credentials.

Instead, the authentication is happening automatically through the environment variables VGS_CLIENT_ID and VGS_CLIENT_SECRET which can be declared in the .env file:

Copy

VGS_CLIENT_ID=<SERVICE_ACCOUNT_CLIENT_ID>
VGS_CLIENT_SECRET=<SERVICE_ACCOUNT_CLIENT_SECRET>

In case of running in Docker, please check Authentication in Docker.

hashtag
Creating Service Accounts

To create a service account for your organization, you need to do the following:

  • Generate the service account configuration from the vgs-cli template and store it to the service_account.yaml file by executing:

Copy

vgs generate service-account -t vgs-cli > service_account.yaml

Copy

apiVersion: 1.0.0
kind: ServiceAccount
data:
  # Maximum amount of time before an access token expires, in seconds. (Defaults to
  # 5 minutes.)
  accessTokenLifespan: 300
  
  # List of vaults which service account should have access to.
  vaults:
    - tntcs7thayd
  
  # Non-unique name of the Service Account.
  name: vgs-cli
  
  # Scopes allow a Service Account to perform specific CLI commands.
  scopes:
    - name: access-logs:read
    - name: organizations:read
    - name: routes:write
    - name: vaults:write
    
    # An access token will not contain optional scopes unless the user requests them
    # explicitly.
    - name: financial-instruments:write
      optional: true
    - name: transfers:write
      optional: true
    - name: orders:write
      optional: true

  • If needed, change name and add/remove scopes according to your needs (check Organization Resourcesarrow-up-right section) by editing service_account.yaml file.

  • Restrict service account access to specific vault(s) by adding their identifiers to vaults. If no vault(s) specified, service account won't have access to any vaults in the organization.

  • Apply the service account configuration stored in the service_account.yaml with your organization ID and execute:

Copy

As a result of the above-mentioned steps, you will have an output with two additional YAML fields:

Copy

Now, with clientId and clientSecret you can setup Authentication and test the VGS CLI.

If you do not store the clientSecret now, you will not be able to retrieve it again. Also, make sure to never store credentials in the version control system.

hashtag
Name

The service account name can be a maximum of 20 characters and it's used for the generation of the clientId by using the following pattern:

clientId = clientId = 9 characters of ORGANIZATION_ID-name-5 random alphanumeric characters

hashtag
Deleting Service Accounts

To delete a service account, execute the command:

PreviousManaging Service Accounts in the DashboardNextEnterprise Identity Providers

Last updated