Channel service accounts#

Note

Channel service accounts are only available in Package Security Manager version 6.6.5 or later.

Channel service accounts are non-human user identities used by Package Security Manager to access and interact with channels programmatically. Once enabled, a service account named service-account-channel-<CHANNEL_NAME> is automatically created whenever a new channel is established.

Because this feature is not enabled by default, you must configure your system to allow the creation of these accounts and provide them with the permissions they need to take actions on channels on your behalf.

Enabling channel service accounts#

  1. Open Anaconda Prompt (Terminal on macOS/Linux) and connect to your instance of Package Security Manager.

  2. Navigate to the ate-installer-*/keycloak directory.

  3. Using your preferred editor, open the kc.yaml file for editing. You might need to use the sudo directive to get permissions to edit the file. For example:

    # Replace <INSTALLER_DIRECTORY> with your installer directory
cd ~/<INSTALLER_DIRECTORY>/keycloak/
sudo vi kc.yaml

  4. Add the manage-clients role to the clients: - client_roles: realm-management: section of the repo-account-sync client as shown below:

    clients:
  - clientId: repo-account-sync
    description: KC internal management client
    redirectUris:
      - /api/auth/callback/kc
    serviceAccountsEnabled: true
    protocolMappers:
      - name: username
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        config:
          "user.attribute": username
          "claim.name": user_name
          "id.token.claim": true
          "access.token.claim": true
          "userinfo.token.claim": true
    client_roles:
      realm-management:
        - manage-users
        - manage-realm
        - manage-clients

  5. Save the changes and close the file.

  6. Navigate back to the ate-installer-* directory.

  7. Using your preferred editor, open the docker-compose.yml file for editing.

  8. Add the following environment variable to the repo_api: environment: section:

    REPO_CHANNEL_SERVICE_ACCOUNT=True

  9. Save your changes and close the file.

  10. Apply your environmental changes by running the following commands:

    docker compose up -d

Managing channel service accounts#

Channel service accounts can be managed using the Command Line Interface (CLI) or the Application Programming Interface (API).

On this page