Manage Service Accounts

This page explains how to manage service accounts in kdb Insights Enterprise, including how to create service accounts, assign roles and groups, obtain an access token, and more.

Service accounts are used to enable programmatic access to Insights services. The following table displays the key variables used in the process of managing service accounts.

Variable

Description

$KC_CLIENT_ID

Client ID for the service account

$KC_CLIENT_SECRET

Client secret for the service account

Creating service accounts

Follow the instructions below to create a service account using either the Keycloak Admin Console UI or the Command Line Interface (CLI).

Keycloak Admin Console UI

CLI

To create a new service account in the Keycloak administration console:

  1. Log into the administration console.

  2. Choose the target realm ($REALM_NAME) from the top-left realm drop-down.

  3. Click Clients in the menu.

  4. Click Create client.

  5. Leave the client type as OpenID Connect.

  6. Enter a Client ID ($KC_CLIENT_ID).

  7. Click Next.

  8. Toggle Client authentication to ON.

  9. Select Service account roles.

  10. Click Save.

Use kxi user create-client to create a new service account.

bash

Copy 
KC_CLIENT_ID="test-publisher"
kxi user create-client $KC_CLIENT_ID

Assigning roles

Follow the instructions below to assign roles to a service account using either the Keycloak Admin Console UI or the Command Line Interface (CLI).

Keycloak Admin Console UI

CLI

Assign roles to a service account through the Service accounts roles tab for that client:

  1. Log into the administration console.

  2. Click Clients in the menu.

  3. Click the client that you want to add the roles to.

  4. Click the Service accounts roles tab.

  5. Click Assign role.

  6. Select the role you want to assign from the dialog.

  7. Click Assign

Use kxi user assign-roles to assign roles to a service account.

bash

Copy 
ROLES=insights.role.viewer,insights.client.create,insights.client.delete
kxi user assign-roles service-account-$KC_CLIENT_ID --roles $ROLES

Replace the following:

  • $KC_CLIENT_ID: Client that you want to add the roles to

  • $ROLES: Comma-separated list of roles to assign

Note

View available roles with kxi user get-available-roles

Note

Each client has an associated service account user named service-account-$KC_CLIENT_ID. This is the one that you need to assign the role to.

Assigning groups

Refer to Assigning groups to a service account for details on how to assign a group to a service account.

Retrieving a secret

Follow the instructions below to retrieve a secret for a service account using either the Keycloak Admin Console UI or the Command Line Interface (CLI).

Keycloak Admin Console UI

CLI

To retrieve the client secret for a service account in the administration console:

  1. Click Clients in the menu.

  2. Click the client that you want to retrieve the secret for.

  3. Click the Credentials tab.

  4. Click Copy to clipboard to copy the client secret ($KC_CLIENT_SECRET).

Use kxi user get-client-secret to retrieve the client secret.

bash

Copy 
KC_CLIENT_SECRET=$(kxi user get-client-secret $KC_CLIENT_ID)

Obtaining an access token

To obtain an access token using the CLI, you must first configure and then authenticate your CLI. For more information on authentication, refer to the Authenticating as a service account.

  1. Configure your CLI.

    bash

    Copy 
    kxi configure

  2. Authenticate using your service account.

    bash

    Copy 
    kxi auth login --serviceaccount

  3. Obtain your access token.

    bash

    Copy 
    kxi auth print-token

Initial service account

You can create a service account when installing kdb Insights Enterprise. Set service account details in the install configuration file.

YAML

Copy 
keycloak:
  initClient:
    enabled: true                  # Enable the service account
    clientId: "test-publisher"     # Name for the service account
    clientSecret: "sp3cials3cr3t"  # Secret for the service account

Read the configuration documentation for information.

Default clients

kdb Insights Enterprise comes with internal clients as part of the application. These are for system use and should not be updated by the user.

client

account

account-console

admin-cli

broker

gui

kxi-operator

realm-management

security-admin-console