# Service Account

{% hint style="info" %}
This is an older version of the document. To view the most recent version of the document, click [here](https://docs.opsmx.com/products/orchestration-module-opsmx-enterprise-for-spinnaker-oes/additional-feature-configuration/secure-spinnaker/authorization/service-account).
{% endhint %}

## Steps to Create Service Accounts for Spinnaker <a href="#steps-to-create-service-accounts-for-spinnaker" id="steps-to-create-service-accounts-for-spinnaker"></a>

### Overview <a href="#overview" id="overview"></a>

* Fiat service accounts are used to trigger pipelines automatically and to modify resources in accounts or applications. For example, a Git commit could trigger a Jenkins build that kicks off a pipeline to deploy the newly built image in your access-controlled QA environment.

### Steps to Create Service Accounts <a href="#steps-to-create-service-accounts" id="steps-to-create-service-accounts"></a>

* Service accounts are persistent, and configuring one consists merely of giving it a name and a set of roles. Therefore, Front50 is the most logical place to configure a service account. There is no UI for creating service accounts at the moment.
* The roles you give this service account determine who has access to use it. In order to prevent a privilege escalation vulnerability, only users with every role the service account has may use it.
* This step is to be updated when Halyard supports service accounts. Until then, create the service account by posting to Front50 directly:

  ```
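  # Base URL of the Front50 service (adjust host and port for your deployment)
  FRONT50=http://front50.url:8080

  # "name" is the service account; "memberOf" lists the roles it holds
  curl -X POST \
  -H "Content-type: application/json" \
  -d '{ "name": "sekret-service-account@spinnaker-test.net", "memberOf": ["myApp-prod","myApp-qa"] }' \
  $FRONT50/serviceAccounts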
  ```
* The newly created service account can be seen by listing the service accounts in Front50:

  ```
  curl $FRONT50/serviceAccounts
  ```
* To pick up the changes, it is mandatory to sync Fiat:

  ```
  FIAT=http://fiat.url:7003

  curl -X POST $FIAT/roles/sync
  ```
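* Ensure that the newly created service account has all the necessary permissions. The request below returns the permissions Fiat holds for an account; replace `myApp-svc-account` with the name of the service account you created: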

  ```
  curl $FIAT/authorize/myApp-svc-account
  ```

### How to use Service Accounts <a href="#how-to-use-service-accounts" id="how-to-use-service-accounts"></a>

* Now that Fiat is enabled, the user should be able to see the “Run As User” option in the Trigger configuration. This list contains all the service accounts that the user can currently access.
* Upon saving the pipeline, two authorization checks will occur:
  1. Does the user have access to this service account?
  2. Does the service account have access to this application?
* At pipeline runtime, standard authorization checks against the account and application occur just as if it were a human user.
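
The "every role" rule from the creation steps and the two save-time checks listed above can be modelled as follows. This is an added example, not Fiat's or OpsMx's code: the users, the `APP_ROLES` mapping and all function names are assumptions made for illustration, and `escalations_under_any_role_rule` shows which users a looser "any shared role" rule would wrongly admit.

```python
# Added example: users, roles and APP_ROLES are constructed sample data.
SA = "sekret-service-account@spinnaker-test.net"
# Same shape as the Front50 payload: account name -> memberOf roles
SERVICE_ACCOUNTS = {SA: {"myApp-prod", "myApp-qa"}}
USERS = {
    "alice": {"myApp-prod", "myApp-qa", "dev"},  # holds every role of SA
    "bob": {"myApp-qa"},                         # holds only one of them
}
# Assumption: application access is granted per role (simplified model).
APP_ROLES = {"myApp": {"myApp-prod"}, "otherApp": {"ops"}}


def can_use(user_roles, sa_roles):
    """Check 1: the user must hold every role of the service account."""
    return sa_roles <= user_roles


def has_app_access(roles, app):
    """Check 2: at least one of the principal's roles is granted on the app."""
    return bool(roles & APP_ROLES.get(app, set()))


def authorize_save(user, service_account, app):
    """Run both save-time checks; returns (allowed, reason)."""
    sa_roles = SERVICE_ACCOUNTS[service_account]
    if not can_use(USERS[user], sa_roles):
        missing = sorted(sa_roles - USERS[user])
        return False, f"user lacks roles: {', '.join(missing)}"
    if not has_app_access(sa_roles, app):
        return False, "service account has no access to application"
    return True, "ok"


def escalations_under_any_role_rule(app):
    """(user, account) pairs that would reach `app` only via a partly shared account."""
    return sorted(
        (user, sa)
        for user, roles in USERS.items()
        for sa, sa_roles in SERVICE_ACCOUNTS.items()
        if roles & sa_roles and not can_use(roles, sa_roles)
        and has_app_access(sa_roles, app) and not has_app_access(roles, app)
    )


if __name__ == "__main__":
    for user in USERS:
        print(user, authorize_save(user, SA, "myApp"))
    print(escalations_under_any_role_rule("myApp"))
```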


