system:serviceaccount:<project>:<name>- Documentation
- Red Hat OpenShift Service on AWS
- Authentication and authorization
- Understanding and creating service accounts history bug_report picture_as_pdf
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
- About
- What's new
- Introduction to ROSA
- Architecture
- Tutorials
- Tutorials overview
- ROSA with HCP activation and account linking
- ROSA with HCP private offer acceptance and sharing
- Verifying Permissions for a ROSA STS Deployment
- Deploying ROSA with a Custom DNS Resolver
- Using AWS WAF and Amazon CloudFront to protect ROSA workloads
- Using AWS WAF and AWS ALBs to protect ROSA workloads
- Deploying OpenShift API for Data Protection on a ROSA cluster
- AWS Load Balancer Operator on ROSA
- Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider
- Using AWS Secrets Manager CSI on ROSA with STS
- Using AWS Controllers for Kubernetes on ROSA
- Deploying the External DNS Operator on ROSA
- Dynamically issuing certificates using the cert-manager Operator on ROSA
- Assigning consistent egress IP for external traffic
- Updating component routes with custom domains and TLS certificates
- Getting started with ROSA
- Deploying an application
- Getting started
- Prepare your environment
- Install ROSA with HCP clusters
- Creating ROSA with HCP clusters using the default options
- Creating a ROSA cluster using Terraform
- Creating ROSA with HCP clusters using a custom AWS KMS encryption key
- Creating a private cluster on ROSA with HCP
- Creating ROSA with HCP clusters with external authentication
- Creating ROSA with HCP clusters without a CNI plugin
- Deleting a ROSA with HCP cluster
- Install ROSA Classic clusters
- Creating a ROSA cluster with STS using the default options
- Creating a ROSA cluster with STS using customizations
- Creating a ROSA (classic architecture) cluster using Terraform
- Interactive cluster creation mode reference
- Creating an AWS PrivateLink cluster on ROSA
- Configuring a shared virtual private cloud for ROSA clusters
- Accessing a ROSA cluster
- Configuring identity providers using Red Hat OpenShift Cluster Manager
- Revoking access to a ROSA cluster
- Deleting a ROSA cluster
- Deploying ROSA without AWS STS
- AWS prerequisites for ROSA
- Understanding the ROSA deployment workflow
- Required AWS service quotas
- Configuring your AWS account
- Installing the ROSA CLI
- Creating a ROSA cluster without AWS STS
- Configuring a private cluster
- Deleting access to a ROSA cluster
- Deleting a ROSA cluster
- Command quick reference for creating clusters and users
- Support
- Support overview
- Managing your cluster resources
- Approved Access
- Getting support
- Remote health monitoring with connected clusters
- Gathering data about your cluster
- Summarizing cluster specifications
- Troubleshooting
- Troubleshooting ROSA installations
- Troubleshooting networking
- Verifying node health
- Troubleshooting Operator issues
- Investigating pod issues
- Troubleshooting storage issues
- Investigating monitoring issues
- Diagnosing OpenShift CLI (oc) issues
- Troubleshooting expired offline access tokens
- Troubleshooting IAM roles
- Troubleshooting cluster deployments
- Red Hat OpenShift Service on AWS managed resources
- Web console
- CLI tools
- Red Hat OpenShift Cluster Manager
- Cluster administration
- Security and compliance
- Authentication and authorization
- Authentication and authorization overview
- Understanding authentication
- Managing user-owned OAuth access tokens
- Configuring identity providers
- Using RBAC to define and apply permissions
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Assuming an AWS IAM role for a service account
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Understanding and managing pod security admission
- Syncing LDAP groups
- Upgrading
- CI/CD
- Images
- Overview of images
- Overview of the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources (Classic)
- Image configuration resources (HCP)
- Using templates
- Using Ruby on Rails
- Using images
- Add-on services
- Storage
- Registry
- Operators
- Operators overview
- Understanding Operators
- User tasks
- Administrator tasks
- Developing Operators
- About the Operator SDK
- Installing the Operator SDK CLI
- Go-based Operators
- Ansible-based Operators
- Helm-based Operators
- Defining cluster service versions (CSVs)
- Working with bundle images
- Complying with pod security admission
- Validating Operators using the scorecard
- Validating Operator bundles
- High-availability or single-node cluster detection and support
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Object pruning utility
- Migrating package manifest projects to bundle format
- Operator SDK CLI reference
- Migrating to Operator SDK v0.1.0
- Networking
- About networking
- Networking Operators
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Network verification
- Configuring a cluster-wide proxy during installation
- CIDR range definitions
- Network security
- OVN-Kubernetes network plugin
- OpenShift SDN network plugin
- Configuring Routes
- Building applications
- Building applications overview
- Projects
- Creating applications
- Viewing application composition using the Topology view
- Working with Helm charts
- Deployments
- Quotas
- Using config maps with applications
- Monitoring project and application metrics using the Developer perspective
- Monitoring application health
- Editing applications
- Working with quotas
- Pruning objects to reclaim resources
- Idling applications
- Deleting applications
- Using the Red Hat Marketplace
- Backing up and restoring applications
- Nodes
- Overview of nodes
- Working with pods
- Automatically scaling pods with the Custom Metrics Autoscaler Operator
- Release notes
- Custom Metrics Autoscaler Operator overview
- Installing the custom metrics autoscaler
- Understanding the custom metrics autoscaler triggers
- Understanding the custom metrics autoscaler trigger authentications
- Pausing the custom metrics autoscaler
- Gathering audit logs
- Gathering debugging data
- Viewing Operator metrics
- Understanding how to add custom metrics autoscalers
- Removing the Custom Metrics Autoscaler Operator
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Using jobs and daemon sets
- Working with nodes
- Working with containers
- Understanding containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Working with clusters
- Observability
- Observability overview
- Monitoring
- Monitoring overview
- Accessing monitoring for user-defined projects
- Configuring the monitoring stack
- Disabling monitoring for user-defined projects
- Enabling alert routing for user-defined projects
- Managing metrics
- Managing alerts
- Reviewing monitoring dashboards
- Accessing third-party monitoring APIs
- Troubleshooting monitoring issues
- Config map reference for the Cluster Monitoring Operator
- Logging
- Release notes
- Support
- Troubleshooting logging
- About Logging
- Installing Logging
- Updating Logging
- Visualizing logs
- Configuring your Logging deployment
- Log collection and forwarding
- Log storage
- Logging alerts
- Performance and reliability tuning
- Scheduling resources
- Uninstalling Logging
- Exported fields
- API reference
- Glossary
- Service Mesh
- Service Mesh 2.x
- About OpenShift Service Mesh
- Service Mesh 2.x release notes
- Service Mesh architecture
- Service Mesh deployment models
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing the Operators
- Creating the ServiceMeshControlPlane
- Adding workloads to a service mesh
- Enabling sidecar injection
- Upgrading Service Mesh
- Managing users and profiles
- Security
- Traffic management
- Metrics, logs, and traces
- Performance and scalability
- Deploying to production
- Federation
- Extensions
- 3scale WebAssembly for 2.1
- 3scale Istio adapter for 2.0
- Troubleshooting Service Mesh
- Control plane configuration reference
- Kiali configuration reference
- Jaeger configuration reference
- Uninstalling Service Mesh
- Service Mesh 2.x
- Serverless
- Virtualization
- About
- Getting started
- Installing
- Post-installation configuration
- Updating
- Virtual machines
- Creating VMs from Red Hat images
- Creating VMs from custom images
- Connecting to VM consoles
- Configuring SSH access to VMs
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Exporting virtual machines
- Managing virtual machine instances
- Controlling virtual machine states
- Using virtual Trusted Platform Module devices
- Managing virtual machines with OpenShift Pipelines
- Advanced virtual machine management
- Working with resource quotas for virtual machines
- Specifying nodes for virtual machines
- Configuring certificate rotation
- Configuring the default CPU model
- UEFI mode for virtual machines
- Configuring PXE booting for virtual machines
- Scheduling virtual machines
- About high availability for virtual machines
- Control plane tuning
- VM disks
- Networking
- Networking configuration overview
- Connecting a VM to the default pod network
- Exposing a VM by using a service
- Connecting a VM to an OVN-Kubernetes secondary network
- Connecting a VM to a service mesh
- Configuring a dedicated network for live migration
- Configuring and viewing IP addresses
- Managing MAC address pools for network interfaces
- Storage
- Storage configuration overview
- Configuring storage profiles
- Managing automatic boot source updates
- Reserving PVC space for file system overhead
- Configuring local storage by using HPP
- Enabling user permissions to clone data volumes across namespaces
- Configuring CDI to override CPU and memory quotas
- Preparing CDI scratch space
- Using preallocation for data volumes
- Managing data volume annotations
- Live migration
- Nodes
- Monitoring
- Support
- Backup and restore
×
Understanding and creating service accounts
Service accounts overview
A service account is an Red Hat OpenShift Service on AWS account that allows a component to directly access the API. Service accounts are API objects that exist within each project. Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.
When you use the Red Hat OpenShift Service on AWS CLI or web console, your API token authenticates you to the API. You can associate a component with a service account so that they can access the API without using a regular user’s credentials.
Each service account’s user name is derived from its project and name:
Every service account is also a member of two groups:
| Group | Description |
|---|---|
system:serviceaccounts |
Includes all service accounts in the system. |
system:serviceaccounts:<project> |
Includes all service accounts in the specified project. |
Each service account automatically contains two secrets:
-
An API token
-
Credentials for the OpenShift Container Registry
The generated API token and registry credentials do not expire, but you can revoke them by deleting the secret. When you delete the secret, a new one is automatically generated to take its place.
Creating service accounts
You can create a service account in a project and grant it permissions by binding it to a role.
Procedure
-
Optional: To view the service accounts in the current project:
$ oc get saExample outputNAME SECRETS AGE builder 2 2d default 2 2d deployer 2 2d -
To create a new service account in the current project:
$ oc create sa <service_account_name> (1)1 To create a service account in a different project, specify -n <project_name>.Example outputserviceaccount "robot" createdYou can alternatively apply the following YAML to create the service account:
apiVersion: v1 kind: ServiceAccount metadata: name: <service_account_name> namespace: <current_project> -
Optional: View the secrets for the service account:
$ oc describe sa robotExample outputName: robot Namespace: project1 Labels: <none> Annotations: <none> Image pull secrets: robot-dockercfg-qzbhb Mountable secrets: robot-dockercfg-qzbhb Tokens: robot-token-f4khf Events: <none>
Examples of granting roles to service accounts
You can grant roles to service accounts in the same way that you grant roles to a regular user account.
-
You can modify the service accounts for the current project. For example, to add the
viewrole to therobotservice account in thetop-secretproject:$ oc policy add-role-to-user view system:serviceaccount:top-secret:robotYou can alternatively apply the following YAML to add the role:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: view namespace: top-secret roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - kind: ServiceAccount name: robot namespace: top-secret -
You can also grant access to a specific service account in a project. For example, from the project to which the service account belongs, use the
-zflag and specify the<service_account_name>$ oc policy add-role-to-user <role_name> -z <service_account_name>If you want to grant access to a specific service account in a project, use the
-zflag. Using this flag helps prevent typos and ensures that access is granted to only the specified service account.You can alternatively apply the following YAML to add the role:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: <rolebinding_name> namespace: <current_project_name> roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: <role_name> subjects: - kind: ServiceAccount name: <service_account_name> namespace: <current_project_name> -
To modify a different namespace, you can use the
-noption to indicate the project namespace it applies to, as shown in the following examples.-
For example, to allow all service accounts in all projects to view resources in the
my-projectproject:$ oc policy add-role-to-group view system:serviceaccounts -n my-projectYou can alternatively apply the following YAML to add the role:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: view namespace: my-project roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts -
To allow all service accounts in the
managersproject to edit resources in themy-projectproject:$ oc policy add-role-to-group edit system:serviceaccounts:managers -n my-projectYou can alternatively apply the following YAML to add the role:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: edit namespace: my-project roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: edit subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts:managers
-