Managing service accounts
Service accounts are used to enable programmatic access to Insights services.
Creating service accounts
To create a new service account in the administration console:
- Log into the administration console.
- Choose the target realm (
$REALM_NAME
) from the top-left realm drop-down. - Click Clients in the menu.
- Click Create client.
- Leave the client type as OpenID Connect.
- Enter a Client ID.
- Click Next.
- Toggle Client authentication to ON.
- Select Service account roles.
- Click Save.
Assigning roles
Assign roles to a service account through the Service accounts roles tab for that client.
- Log into the administration console.
- Click Clients in the menu.
- Click the client that you want to add the roles to.
- Click the Service accounts roles tab.
- Click Assign role.
- Select the role you want to assign from the dialog.
- Click Assign
Use kxi user
to assign roles to a service account.
ROLES=insights.role.viewer
kxi user assign-roles service-account-$CLIENT_ID --roles $ROLES
Replace the following:
$CLIENT_ID
: Client that you want to add the roles to$ROLES
: Comma-separated list of roles to assign
Note
View available roles with kxi user get-available-roles
Service account user names
Each client has an associated service account user named service-account-$CLIENT_ID
. This is the one that you need to assign the role to.
Retrieving a secret
To retrieve the client secret for a service account in the administration console:
- Click Clients in the menu.
- Click the client that you want to retrieve the secret for.
- Click the Credentials tab.
- Click the Copy to clipboard button to copy the client secret.
Obtaining an access token
You can use the CLI to obtain an access token.
variable | description |
---|---|
$KC_CLIENT_ID | Client ID for the service account |
$KC_CLIENT_SECRET | Client secret for the service account |
export INSIGHTS_TOKEN=$(kxi auth get-access-token --client-id=$KC_CLIENT_ID --client-secret=$KC_CLIENT_SECRET)
Initial service account
You can create a service account when installing kdb Insights Enterprise. Set service account details in the install configuration file.
keycloak:
initClient:
enabled: true # Enable the service account
clientId: "test-publisher" # Name for the service account
clientSecret: "sp3cials3cr3t" # Secret for the service account
Read the configuration documentation for information.
Default clients
kdb Insights Enterprise comes with internal clients as part of the application. These are for system use and should not be updated by the user.
client |
---|
account |
account-console |
admin-cli |
broker |
gui |
kxi-operator |
realm-management |
security-admin-console |