Channel service accounts
Note
Channel service accounts are only available in Package Security Manager (On-prem) version 6.6.5.
Channel service accounts are non-human user identities used by Package Security Manager to access and interact with channels programmatically. Once enabled, a service account named service-account-channel-<CHANNEL_NAME> is automatically created whenever a new channel is established.
Because this feature is not enabled by default, you must configure your system to allow the creation of these accounts and provide them with the permissions they need to take actions on channels on your behalf.
Enabling channel service accounts
Open Anaconda Prompt (Terminal on macOS/Linux) and connect to your instance of Package Security Manager.
Navigate to the ate-installer-*/keycloak directory.
Using your preferred editor, open the kc.yaml file for editing. You might need to use the sudo directive to get permissions to edit the file. For example:

    # Replace <INSTALLER_DIRECTORY> with your installer directory
    cd ~/<INSTALLER_DIRECTORY>/keycloak/
    sudo vi kc.yaml

Add the manage-clients role to the clients: - client_roles: realm-management: section of the repo-account-sync client as shown below:

    clients:
      - clientId: repo-account-sync
        description: KC internal management client
        redirectUris:
          - /api/auth/callback/kc
        serviceAccountsEnabled: true
        protocolMappers:
          - name: username
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            config:
              "user.attribute": username
              "claim.name": user_name
              "id.token.claim": true
              "access.token.claim": true
              "userinfo.token.claim": true
        client_roles:
          realm-management:
            - manage-users
            - manage-realm
            - manage-clients

Save the changes and close the file.
Navigate back to the ate-installer-* directory.
Using your preferred editor, open the docker-compose.yml file for editing.
Add the following environment variable to the repo_api: environment: section:

    REPO_CHANNEL_SERVICE_ACCOUNT=True

Save your changes and close the file.
Apply your environment changes by running the following command:

    docker compose up -d

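A pre-flight check for the two edits above, useful before running docker compose up -d: it confirms that repo-account-sync holds exactly the three realm-management roles shown on this page (flagging anything broader) and that the flag sits under repo_api. This is an added example, not part of the product or its documentation; the function names, the other_service entry and the sample files are constructed for illustration, and the parsing assumes the file layout shown above.

```sh
# Added example: check the kc.yaml and docker-compose.yml edits before applying them.
# Print the realm-management roles granted to client $2 in kc.yaml $1.
kc_realm_roles() {
  awk -v want="$2" '
    /^[ \t]*-[ \t]*clientId:/ { inclient = ($NF == want); inrm = 0; next }
    inclient && /^[ \t]*realm-management:/ { inrm = 1; next }
    inrm && /^[ \t]*-[ \t]/ { print $2; next }
    inrm && NF { inrm = 0 }
  ' "$1"
}

# Report roles missing from, or granted beyond, the three this page lists.
audit_kc_roles() {
  expected="manage-users manage-realm manage-clients"
  granted=$(kc_realm_roles "$1" repo-account-sync)
  rc=0
  for r in $expected; do
    echo "$granted" | grep -qx -- "$r" || { echo "MISSING $r"; rc=1; }
  done
  for r in $granted; do
    case " $expected " in *" $r "*) ;; *) echo "UNEXPECTED $r"; rc=1 ;; esac
  done
  return $rc
}

# Succeed only if the repo_api service itself sets REPO_CHANNEL_SERVICE_ACCOUNT=True.
compose_flag_enabled() {
  awk '
    { match($0, /^ */); ind = RLENGTH }
    /^ *repo_api:/ { insvc = 1; base = ind; next }
    insvc && NF && ind <= base { insvc = 0 }   # left the repo_api block
    insvc && /^ *(- *)?"?REPO_CHANNEL_SERVICE_ACCOUNT[=:] *"?True"? *$/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Constructed sample files (not a real deployment) so the script runs stand-alone.
write_samples() {
  printf '%s\n' 'clients:' '  - clientId: repo-account-sync' '    client_roles:' \
    '      realm-management:' '        - manage-users' '        - manage-realm' \
    '        - manage-clients' > "$1/kc.yaml"
  printf '%s\n' 'services:' '  repo_api:' '    environment:' \
    '      - REPO_CHANNEL_SERVICE_ACCOUNT=True' '  other_service:' \
    '    image: example' > "$1/docker-compose.yml"
}

demo=$(mktemp -d) && write_samples "$demo"
audit_kc_roles "$demo/kc.yaml" && echo "kc.yaml roles OK"
compose_flag_enabled "$demo/docker-compose.yml" && echo "compose flag OK"
```

To check a real installation, pass the paths of the edited kc.yaml and docker-compose.yml to audit_kc_roles and compose_flag_enabled instead of the sample files.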
Managing channel service accounts
Channel service accounts can be managed using the Command Line Interface (CLI) or the Application Programming Interface (API).