Managing service accounts
Service accounts are used to enable programmatic access to Insights services. The following table displays the key variables used in the process of managing service accounts.
Variable | Description |
---|---|
$KC_CLIENT_ID | Client ID for the service account |
$KC_CLIENT_SECRET | Client secret for the service account |
Creating service accounts
To create a new service account in the Keycloak administration console:
- Log into the administration console.
- Choose the target realm ($REALM_NAME) from the top-left realm drop-down.
- Click Clients in the menu.
- Click Create client.
- Leave the client type as OpenID Connect.
- Enter a Client ID ($KC_CLIENT_ID).
- Click Next.
- Toggle Client authentication to ON.
- Select Service account roles.
- Click Save.
Use kxi user create-client to create a new service account.
KC_CLIENT_ID="test-publisher"
kxi user create-client $KC_CLIENT_ID
Assigning roles
Assign roles to a service account through the Service accounts roles tab for that client:
- Log into the administration console.
- Click Clients in the menu.
- Click the client that you want to add the roles to.
- Click the Service accounts roles tab.
- Click Assign role.
- Select the role you want to assign from the dialog.
- Click Assign.
Use kxi user assign-roles to assign roles to a service account.
ROLES=insights.role.viewer,insights.client.create,insights.client.delete
kxi user assign-roles service-account-$KC_CLIENT_ID --roles $ROLES
Replace the following:
- $KC_CLIENT_ID: Client that you want to add the roles to
- $ROLES: Comma-separated list of roles to assign
Note
View available roles with kxi user get-available-roles
Service account user names
Each client has an associated service account user named service-account-$KC_CLIENT_ID. This is the user that you need to assign the role to.
Retrieving a secret
To retrieve the client secret for a service account in the administration console:
- Click Clients in the menu.
- Click the client that you want to retrieve the secret for.
- Click the Credentials tab.
- Click Copy to clipboard to copy the client secret ($KC_CLIENT_SECRET).
Use kxi user get-client-secret to retrieve the client secret.
KC_CLIENT_SECRET=$(kxi user get-client-secret $KC_CLIENT_ID)
Obtaining an access token
To obtain an access token using the CLI, you must first configure and then authenticate your CLI. For more information on authentication, refer to Authenticating as a service account.
- Configure your CLI.
    kxi configure
- Authenticate using your service account.
    kxi auth login --serviceaccount
- Obtain your access token.
    kxi auth print-token
Initial service account
You can create a service account when installing kdb Insights Enterprise. Set service account details in the install configuration file.
keycloak:
  initClient:
    enabled: true # Enable the service account
    clientId: "test-publisher" # Name for the service account
    clientSecret: "sp3cials3cr3t" # Secret for the service account
Read the configuration documentation for more information.
Default clients
kdb Insights Enterprise comes with internal clients as part of the application. These are for system use and should not be updated by the user.
client |
---|
account |
account-console |
admin-cli |
broker |
gui |
kxi-operator |
realm-management |
security-admin-console |