# Service Account

{% hint style="info" %}
This is an older version of the document. To view the most recent version of the document, click [here](https://docs.opsmx.com/products/orchestration-module-opsmx-enterprise-for-spinnaker-oes/additional-feature-configuration/secure-spinnaker/authorization/service-account).
{% endhint %}

## Steps to Create Service Accounts for Spinnaker <a href="#steps-to-create-service-accounts-for-spinnaker" id="steps-to-create-service-accounts-for-spinnaker"></a>

### Overview <a href="#overview" id="overview"></a>

* Fiat service accounts are used to trigger pipelines automatically and to modify resources in accounts or applications without a human user being logged in. For example, a Git commit can trigger a Jenkins build that kicks off a pipeline to deploy the newly built image into your access-controlled QA environment.

### Steps to Create Service Accounts <a href="#steps-to-create-service-accounts" id="steps-to-create-service-accounts"></a>

* Service accounts are persistent, and configuring one consists of nothing more than giving it a name and a set of roles. Front50 is therefore the logical place to store them. There is currently no UI for creating service accounts.
* The roles you give a service account determine who may use it. To prevent privilege escalation, only users who hold every role the service account has may use it.
* Halyard does not yet support creating service accounts; update this procedure when it does. Until then, create the account with a direct POST to Front50:

  ```
  FRONT50=http://front50.url:8080

  # Create a service account named sekret-service-account@spinnaker-test.net
  # that holds the roles myApp-prod and myApp-qa
  curl -X POST \
    -H "Content-type: application/json" \
    -d '{ "name": "sekret-service-account@spinnaker-test.net", "memberOf": ["myApp-prod", "myApp-qa"] }' \
    $FRONT50/serviceAccounts
  ```
* The newly created service account can be listed with:

  ```
  curl $FRONT50/serviceAccounts
  ```
* Fiat must be synced before it picks up the change:

  ```
  FIAT=http://fiat.url:7003

  curl -X POST $FIAT/roles/sync
  ```
* Verify that the new service account has all the permissions it needs by querying Fiat for it (the name is the one used when the account was created above):

  ```
  curl $FIAT/authorize/sekret-service-account@spinnaker-test.net
  ```

### How to use Service Accounts <a href="#how-to-use-service-accounts" id="how-to-use-service-accounts"></a>

* Now that Fiat is enabled, the user should see a “Run As User” option in the Trigger configuration. This list contains all the service accounts the current user is allowed to use.
* Upon saving the pipeline, two authorization checks will occur:
  1. Does the user have access to this service account?
  2. Does the service account have access to this application?
* At pipeline runtime, standard authorization checks against the account and application occur just as if it were a human user.
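The two rules above (a user may use a service account only if they hold every one of its roles, and the service account itself must have access to the application) can be modelled in a few lines. The following is an added illustration, not OpsMX or Spinnaker code: the users, accounts and application permissions are constructed sample data, and application access is simplified to "the service account shares at least one role with the application".

```python
"""Model of the Fiat checks that gate use of a service account (added example)."""

# Constructed sample data: roles held by each user.
USER_ROLES = {
    "alice": {"myApp-prod", "myApp-qa", "ops"},
    "bob": {"myApp-qa"},
}

# Constructed sample data: roles each service account is a member of
# (the first one matches the account created with the curl command above).
SERVICE_ACCOUNTS = {
    "sekret-service-account@spinnaker-test.net": {"myApp-prod", "myApp-qa"},
    "qa-only-sa": {"myApp-qa"},
}

# Constructed sample data: roles that grant access to each application
# (simplified stand-in for Fiat's per-application permissions).
APP_ROLES = {
    "myApp": {"myApp-prod", "myApp-qa"},
    "otherApp": {"otherApp-team"},
}


def can_use_service_account(user, sa):
    """Check 1: the user must hold every role the service account has.
    A user with only a subset of the roles would otherwise gain the rest."""
    return SERVICE_ACCOUNTS.get(sa, set()) <= USER_ROLES.get(user, set())


def service_account_can_access_app(sa, app):
    """Check 2: the service account must have access to the application."""
    return bool(SERVICE_ACCOUNTS.get(sa, set()) & APP_ROLES.get(app, set()))


def run_as_user_options(user):
    """What the 'Run As User' dropdown would offer this user."""
    return sorted(sa for sa in SERVICE_ACCOUNTS if can_use_service_account(user, sa))


def authorize_trigger(user, sa, app):
    """Both checks that fire when the pipeline is saved; returns (ok, reason)."""
    if not can_use_service_account(user, sa):
        missing = SERVICE_ACCOUNTS.get(sa, set()) - USER_ROLES.get(user, set())
        return False, f"{user} lacks roles {sorted(missing)} held by {sa}"
    if not service_account_can_access_app(sa, app):
        return False, f"{sa} has no role granting access to {app}"
    return True, "authorized"
```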
