Managing service accounts

Service accounts are used to enable programmatic access to Insights services. The following table displays the key variables used in the process of managing service accounts.

Variable	Description
$KC_CLIENT_ID	Client ID for the service account
$KC_CLIENT_SECRET	Client secret for the service account

Creating service accounts

Keycloak Admin Console UI CLI

To create a new service account in the Keycloak administration console:

1. Log into the administration console.
2. Choose the target realm ($REALM_NAME) from the top-left realm drop-down.
3. Click Clients in the menu.
4. Click Create client.
5. Leave the client type as OpenID Connect.
6. Enter a Client ID ($KC_CLIENT_ID).
7. Click Next.
8. Toggle Client authentication to ON.
9. Select Service account roles.
10. Click Save.

Use kxi user create-client to create a new service account.

KC_CLIENT_ID="test-publisher"
kxi user create-client $KC_CLIENT_ID

Assigning roles

Keycloak Admin Console UI CLI

Assign roles to a service account through the Service accounts roles tab for that client:

1. Log into the administration console.
2. Click Clients in the menu.
3. Click the client that you want to add the roles to.
4. Click the Service accounts roles tab.
5. Click Assign role.
6. Select the role you want to assign from the dialog.
7. Click Assign

Use kxi user assign-roles to assign roles to a service account.

ROLES=insights.role.viewer,insights.client.create,insights.client.delete
kxi user assign-roles service-account-$KC_CLIENT_ID --roles $ROLES

Replace the following:

• $KC_CLIENT_ID: Client that you want to add the roles to
• $ROLES: Comma-separated list of roles to assign

Note

View available roles with kxi user get-available-roles

Service account user names

Each client has an associated service account user named service-account-$KC_CLIENT_ID. This is the one that you need to assign the role to.

Retrieving a secret

Keycloak Admin Console UI CLI

To retrieve the client secret for a service account in the administration console:

1. Click Clients in the menu.
2. Click the client that you want to retrieve the secret for.
3. Click the Credentials tab.
4. Click Copy to clipboard to copy the client secret ($KC_CLIENT_SECRET).

Use kxi user get-client-secret to retrieve the client secret.

KC_CLIENT_SECRET=$(kxi user get-client-secret $KC_CLIENT_ID)

Obtaining an access token

To obtain an access token using the CLI, you must first configure and then authenticate your CLI. For more information on authentication, refer to the Authenticating as a service account.

1. Configure your CLI.

   kxi configure
   

2. Authenticate using your service account.

   kxi auth login --serviceaccount
   

3. Obtain your access token.

   kxi auth print-token
   

Initial service account

You can create a service account when installing kdb Insights Enterprise. Set service account details in the install configuration file.

keycloak:
  initClient:
    enabled: true                  # Enable the service account
    clientId: "test-publisher"     # Name for the service account
    clientSecret: "sp3cials3cr3t"  # Secret for the service account

Read the configuration documentation for information.

Default clients

kdb Insights Enterprise comes with internal clients as part of the application. These are for system use and should not be updated by the user.

client
account
account-console
admin-cli
broker
gui
kxi-operator
realm-management
security-admin-console