Service Account
A Service Account is a special identity within an org designed for automation tasks such as CI/CD pipelines, scripts, and other non-human integrations. It is created with a special email domain of the form name@org.sandbox and has an org membership with a role of either Admin or Member.
Login
A service account can be used only after logging in as that account. Login requires a LoginToken, which can be created after the service account is set up. An optional expiry time can be set on the token.
Once a LoginToken is created, it can be used in the following ways:
- CLI: cs login -t LOGIN-TOKEN
- Web URL: https://SYS-DOMAIN/auth/token/LOGIN-TOKEN
This is the standard approach for granting an existing automation pipeline (e.g. a CI/CD system) access to the Crafting system using the cs CLI.
SSH Keypair
Similar to a regular user, a service account also has its own managed SSH keypair. The public key can be revealed using:
cs secret show --owner=SERVICE_ACCOUNT_EMAIL default-ssh-0
This SSH public key can typically be added as a deploy key in the version control system, granting the service account read-only access to source repositories for automated checkout operations.
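A CI step that combines the Login and SSH Keypair commands above, as an added example that is not part of the Crafting documentation. The variable name CRAFTING_LOGIN_TOKEN and the helper names sa_login and sa_public_key are assumptions; only the cs invocations come from this page.

```shell
#!/bin/sh
# Added example. CRAFTING_LOGIN_TOKEN is a hypothetical CI secret variable name;
# sa_login and sa_public_key are hypothetical helper names.

# Log in as the service account without writing the LoginToken to the job log.
sa_login() {
    # Fail closed when the CI secret is missing, before cs is invoked.
    if [ -z "${CRAFTING_LOGIN_TOKEN:-}" ]; then
        echo "sa_login: CRAFTING_LOGIN_TOKEN is not set" >&2
        return 2
    fi
    # Pause command tracing (set -x) so the token is not echoed into the log.
    case $- in
        *x*) _sa_xtrace=1; set +x ;;
        *)   _sa_xtrace=0 ;;
    esac
    # The token is still a command-line argument, so other processes on the
    # same host may be able to read it while cs runs; avoid shared runners.
    cs login -t "$CRAFTING_LOGIN_TOKEN" >/dev/null && _sa_rc=0 || _sa_rc=$?
    # Remove the token from the environment so later steps cannot read it.
    unset CRAFTING_LOGIN_TOKEN
    if [ "$_sa_xtrace" -eq 1 ]; then set -x; fi
    return "$_sa_rc"
}

# Print the managed SSH public key, for registration as a deploy key.
sa_public_key() {
    # $1: service account email. Assumption: the check follows the
    # name@org.sandbox form given on this page.
    case "$1" in
        ?*@?*.sandbox) ;;
        *) echo "sa_public_key: '$1' is not a service account email" >&2
           return 2 ;;
    esac
    cs secret show --owner="$1" default-ssh-0
}

# Typical use in a pipeline step:
#   sa_login && sa_public_key "ci-bot@org.sandbox"
```

Setting an expiry time on the LoginToken limits how long a token recovered from a CI secret store or an old job log stays usable.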
Linked Email
A Service Account is assigned a special email address suffixed by @org.sandbox, which cannot be used as an identity to access external services (for example, pushing git commits).
To allow a service account to access external services from inside a sandbox, a Linked Email can be assigned to it.
A common use case is enabling the service account to push git commits:
- Add the SSH public key of the service account to a GitHub user account.
- Set the Linked Email of the service account to the email address of that GitHub user account.
- From inside a workspace, a default gitconfig is already configured with the Linked Email, so the service account can push git commits directly.
See Also
- Managed SSH Keypair — details on the managed SSH keypair feature
- Org and User — org membership and roles
- Secret — secrets and access control