Channel service accounts

Note

Channel service accounts are only available in Package Security Manager (On-prem) version 6.6.5.

Channel service accounts are non-human user identities used by Package Security Manager to access and interact with channels programmatically. Once enabled, a service account named service-account-channel-<CHANNEL_NAME> is automatically created whenever a new channel is established.

Because this feature is not enabled by default, you must configure your system to allow the creation of these accounts and provide them with the permissions they need to take actions on channels on your behalf.

Enabling channel service accounts

  1. Open Anaconda Prompt (Terminal on macOS/Linux) and connect to your instance of Package Security Manager.

  2. Navigate to the ate-installer-*/keycloak directory.

  3. Using your preferred editor, open the kc.yaml file for editing. You might need to use sudo to get permission to edit the file. For example:

    # Replace <INSTALLER_DIRECTORY> with your installer directory
    cd ~/<INSTALLER_DIRECTORY>/keycloak/
    sudo vi kc.yaml
    
  4. Add the manage-clients role to the client_roles: realm-management: list of the repo-account-sync client, under clients:, as shown below:

    clients:
      - clientId: repo-account-sync
        description: KC internal management client
        redirectUris:
          - /api/auth/callback/kc
        serviceAccountsEnabled: true
        protocolMappers:
          - name: username
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            config:
              "user.attribute": username
              "claim.name": user_name
              "id.token.claim": true
              "access.token.claim": true
              "userinfo.token.claim": true
        client_roles:
          realm-management:
            - manage-users
            - manage-realm
            - manage-clients
    
  5. Save the changes and close the file.

  6. Navigate back to the ate-installer-* directory.

  7. Using your preferred editor, open the docker-compose.yml file for editing.

  8. Add the following environment variable to the repo_api: environment: section:

    REPO_CHANNEL_SERVICE_ACCOUNT=True
    
  9. Save your changes and close the file.

  10. Apply your environment changes by running the following command:

    docker compose up -d
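
A pre-flight check for the edits in steps 4 and 8, added here as an example (it is not part of the product or its documentation). It reports a missing manage-clients role, any realm-management role on repo-account-sync beyond the three shown above, and a missing REPO_CHANNEL_SERVICE_ACCOUNT=True entry. It assumes both files keep the layout shown on this page; the function names and sample inputs are constructed for illustration.

```python
import re
# Roles the page lists for repo-account-sync; any other role is reported for review.
EXPECTED_ROLES = {"manage-users", "manage-realm", "manage-clients"}

def nested(lines, header):
    """Return the lines indented deeper than the first line whose text equals header."""
    out, base = [], None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        depth = len(line) - len(line.lstrip(" "))
        if base is None:
            if line.strip() == header:
                base = depth
        elif depth > base:
            out.append(line)
        else:
            break  # indentation returned to the header's level: block ended
    return out

def sync_client_roles(kc_yaml):  # assumes clientId is the first key of the client entry
    block = nested(kc_yaml.splitlines(), "- clientId: repo-account-sync")
    roles = nested(nested(block, "client_roles:"), "realm-management:")
    return {r.strip()[2:].strip() for r in roles if r.strip().startswith("- ")}

def flag_enabled(compose_yaml):  # accepts list (KEY=True) and mapping (KEY: True) forms
    env = nested(nested(compose_yaml.splitlines(), "repo_api:"), "environment:")
    pat = r"\s*-?\s*[\"']?REPO_CHANNEL_SERVICE_ACCOUNT\s*[=:]\s*[\"']?True\b"
    return any(re.match(pat, line) for line in env)

def audit(kc_yaml, compose_yaml):
    roles, findings = sync_client_roles(kc_yaml), []
    if "manage-clients" not in roles:
        findings.append("kc.yaml: repo-account-sync lacks manage-clients")
    for extra in sorted(roles - EXPECTED_ROLES):
        findings.append(f"kc.yaml: unexpected realm-management role {extra}")
    if not flag_enabled(compose_yaml):
        findings.append("docker-compose.yml: REPO_CHANNEL_SERVICE_ACCOUNT=True not set for repo_api")
    return findings

# Constructed sample inputs (not from a real installation): manage-clients is missing.
SAMPLE_KC = """clients:
  - clientId: repo-account-sync
    client_roles:
      realm-management:
        - manage-users
        - manage-realm
"""
SAMPLE_COMPOSE = "services:\n  repo_api:\n    environment:\n      - REPO_CHANNEL_SERVICE_ACCOUNT=True\n"
print(audit(SAMPLE_KC, SAMPLE_COMPOSE))
```

To check a real installation, pass the contents of kc.yaml and docker-compose.yml to `audit()`; an empty list means both edits are in place and no extra roles were found.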
    

Managing channel service accounts

Channel service accounts can be managed using the Command Line Interface (CLI) or the Application Programming Interface (API).