Service Account
A Service Account is a special identity within an org designed for automation tasks such as CI/CD pipelines, scripts, and other non-human integrations. It is created with a special email domain of the form name@org.sandbox and has an org membership with a role of either Admin or Member.
Login
A service account can only be used after logging in as it. Login requires a LoginToken, which can be created after the service account is set up. An optional expiry time can be set on the token.
Once a LoginToken is created, it can be used in the following ways:
- CLI:
cs login -t LOGIN-TOKEN - Web URL:
https://SYS-DOMAIN/auth/token/LOGIN-TOKEN
This is the standard approach for granting an existing automation pipeline (e.g. a CI/CD system) access to the Crafting system using the cs CLI.
SSH Keypair
Similar to a regular user, a service account also has its own managed SSH keypair. The public key can be revealed using:
cs secret show --owner=SERVICE_ACCOUNT_EMAIL default-ssh-0
This SSH public key can typically be added as a deploy key in the version control system, granting the service account read-only access to source repositories for automated checkout operations.
See Also
- Managed SSH Keypair — details on the managed SSH keypair feature
- Org and User — org membership and roles
- Secret — secrets and access control