Skip to content

Managing service accounts

Service accounts are used to enable programmatic access to Insights services.

Creating service accounts

To create a new service account in the administration console:

  1. Log into the administration console.
  2. Choose the target realm ($REALM_NAME) from the top-left realm drop-down.
  3. Click Clients in the menu.
  4. Click Create client.
  5. Leave the client type as OpenID Connect.
  6. Enter a Client ID.
  7. Click Next.
  8. Toggle Client authentication to ON.
  9. Select Service account roles.
  10. Click Save.

Assigning roles

Assign roles to a service account through the Service accounts roles tab for that client.

  1. Log into the administration console.
  2. Click Clients in the menu.
  3. Click the client that you want to add the roles to.
  4. Click the Service accounts roles tab.
  5. Click Assign role.
  6. Select the role you want to assign from the dialog.
  7. Click Assign

Use kxi user to assign roles to a service account.

ROLES=insights.role.viewer
kxi user assign-roles service-account-$CLIENT_ID --roles $ROLES

Replace the following:

  • $CLIENT_ID: Client that you want to add the roles to
  • $ROLES: Comma-separated list of roles to assign

Note

View available roles with kxi user get-available-roles

Service account user names

Each client has an associated service account user named service-account-$CLIENT_ID. This is the one that you need to assign the role to.

Retrieving a secret

To retrieve the client secret for a service account in the administration console:

  1. Click Clients in the menu.
  2. Click the client that you want to retrieve the secret for.
  3. Click the Credentials tab.
  4. Click the Copy to clipboard button to copy the client secret.

Obtaining an access token

You can use the CLI to obtain an access token.

variable description
$KC_CLIENT_ID Client ID for the service account
$KC_CLIENT_SECRET Client secret for the service account 
export INSIGHTS_TOKEN=$(kxi auth get-access-token --client-id=$KC_CLIENT_ID --client-secret=$KC_CLIENT_SECRET)

Initial service account

You can create a service account when installing kdb Insights Enterprise. Set service account details in the install configuration file.

keycloak:
  initClient:
    enabled: true                  # Enable the service account
    clientId: "test-publisher"     # Name for the service account
    clientSecret: "sp3cials3cr3t"  # Secret for the service account

Read the configuration documentation for information.

Default clients

kdb Insights Enterprise comes with internal clients as part of the application. These are for system use and should not be updated by the user.

client
account
account-console
admin-cli
broker
gui
kxi-operator
realm-management
security-admin-console