Creating Service Accounts using the VGS CLI
CLI Authentication with Service Accounts
The key difference in authentication with a service account is that you don't need to execute vgs login, open the browser, and input your credentials.
Instead, authentication happens automatically through the environment variables VGS_CLIENT_ID and VGS_CLIENT_SECRET, which can be declared in the .env file:
VGS_CLIENT_ID=<SERVICE_ACCOUNT_CLIENT_ID>
VGS_CLIENT_SECRET=<SERVICE_ACCOUNT_CLIENT_SECRET>
When running in Docker, see Authentication in Docker.
Creating Service Accounts
To create a service account for your organization, you need to do the following:
Generate the service account configuration from the vgs-cli template and store it in the service_account.yaml file by executing:
vgs generate service-account -t vgs-cli > service_account.yaml
apiVersion: 1.0.0
kind: ServiceAccount
data:
  # Maximum amount of time before an access token expires, in seconds. (Defaults to
  # 5 minutes.)
  accessTokenLifespan: 300
  # List of vaults which service account should have access to.
  vaults:
    - tntcs7thayd
  # Non-unique name of the Service Account.
  name: vgs-cli
  # Scopes allow a Service Account to perform specific CLI commands.
  scopes:
    - name: access-logs:read
    - name: organizations:read
    - name: routes:write
    - name: vaults:write
    # An access token will not contain optional scopes unless the user requests them
    # explicitly.
    - name: financial-instruments:write
      optional: true
    - name: transfers:write
      optional: true
    - name: orders:write
      optional: true
If needed, change the name and add or remove scopes according to your needs (see the Organization Resources section) by editing the service_account.yaml file.
Restrict service account access to specific vault(s) by adding their identifiers to vaults. If no vaults are specified, the service account won't have access to any vaults in the organization.
Apply the service account configuration stored in service_account.yaml with your organization ID by executing:
vgs apply service-account -O <ORGANIZATION_ID> -f service_account.yaml
As a result of the above-mentioned steps, you will have an output with two additional YAML fields:
clientId: ACxxxxxxx-vgs-cli-7Pvf5
clientSecret: 5f6cf436-6666-5555-4444-3975be84311e
Now, with clientId and clientSecret, you can set up Authentication and test the VGS CLI.
If you do not store the clientSecret now, you will not be able to retrieve it again. Also, make sure to never store credentials in the version control system.
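One way to capture the one-time clientSecret straight into the .env file described under CLI Authentication, without leaving it readable by other users or committable to git. This is an added example, not VGS code: the helper names are hypothetical, and it assumes `vgs apply service-account` prints the resulting YAML on stdout with unquoted clientId and clientSecret values, as in the sample output above.

```shell
#!/usr/bin/env bash
# Added example, not VGS code. Assumes `vgs apply service-account` prints the
# resulting YAML (including clientId and clientSecret) on stdout.

# save_vgs_credentials [DIR]: read that YAML on stdin and write DIR/.env
# (hypothetical helper name; DIR defaults to the current directory).
save_vgs_credentials() {
  local dir="${1:-.}" out id secret tmp
  out=$(tr -d '\r')                      # slurp stdin, drop any CRs
  id=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*clientId:[[:space:]]*//p' | head -n 1)
  secret=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*clientSecret:[[:space:]]*//p' | head -n 1)
  if [ -z "$id" ] || [ -z "$secret" ]; then
    echo "clientId/clientSecret not found in input" >&2
    return 1
  fi
  # Refuse to write a secret into a file git already tracks.
  if git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1; then
    echo "$dir/.env is tracked by git; untrack it before storing secrets" >&2
    return 2
  fi
  # mktemp creates the file with mode 0600, so the secret is never
  # readable by other users, even briefly.
  tmp=$(mktemp "$dir/.env.XXXXXX") || return 3
  # Keep unrelated variables, drop stale VGS credentials.
  if [ -f "$dir/.env" ]; then
    grep -Ev '^VGS_CLIENT_(ID|SECRET)=' "$dir/.env" > "$tmp" || true
  fi
  printf 'VGS_CLIENT_ID=%s\nVGS_CLIENT_SECRET=%s\n' "$id" "$secret" >> "$tmp"
  mv "$tmp" "$dir/.env"
  # Make sure git ignores the file from now on.
  grep -qxF '.env' "$dir/.gitignore" 2>/dev/null || echo '.env' >> "$dir/.gitignore"
}

# Constructed sample of the apply output, using the page's placeholder values.
sample_apply_output() {
  cat <<'EOF'
apiVersion: 1.0.0
kind: ServiceAccount
data:
  name: vgs-cli
  clientId: ACxxxxxxx-vgs-cli-7Pvf5
  clientSecret: 5f6cf436-6666-5555-4444-3975be84311e
EOF
}

# Real use: vgs apply service-account -O <ORGANIZATION_ID> -f service_account.yaml | save_vgs_credentials
# Offline demo: sample_apply_output | save_vgs_credentials "$(mktemp -d)"
```

Piping the apply output into the helper means the secret is never written to an intermediate file or left in terminal scrollback.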
Name
The service account name can be a maximum of 20 characters, and it is used to generate the clientId using the following pattern:
clientId = <9 characters of ORGANIZATION_ID>-<name>-<5 random alphanumeric characters>
Deleting Service Accounts
To delete a service account, execute the command:
vgs delete service-account -O <ORGANIZATION_ID> <SERVICE_ACCOUNT_CLIENT_ID>