Service Accounts
Overview
Service accounts in Thalassa Cloud are non-human identities for automated systems and applications. They give programmatic access to cloud resources without reusing a human user's account, and are the right choice for CI/CD pipelines, monitoring systems, and other automated tools.
Service accounts use long-lived access credentials that do not expire unless you revoke them. That makes them suitable for systems that need persistent access without human intervention, but it also means a leaked credential stays valid until someone notices and revokes it, so treat these credentials as high-value secrets and rotate them regularly. Where the calling system can present an OIDC token (for example a CI provider), use Workload Identity Federation instead and avoid storing long-lived credentials at all.
When to Use Service Accounts
Use service accounts for:
- CI/CD pipelines that deploy applications
- Monitoring systems that collect metrics
- Backup systems that need access to storage
- Automation scripts that manage infrastructure
- Any system that needs automated access without human interaction
Don’t use service accounts for human users. Human users should use their personal accounts with appropriate roles and permissions.
How Service Accounts Work
Service accounts are identities that can have roles and permissions assigned to them. They work just like user accounts, but they’re designed for machines and applications. When you create a service account, you can assign it roles that define what it can do.
Service accounts use access credentials to authenticate with Thalassa Cloud APIs. These credentials are long-lived and don’t expire automatically. You can also use service accounts with workload identity federation, which allows external systems to authenticate using OIDC tokens instead of storing credentials.
Creating Service Accounts
Step 1: Navigate to Service Accounts
- Go to IAM in your organisation dashboard
- Click on the “Service Accounts” tab
- Click “Create Service Account” button
Step 2: Enter Account Details
Enter a name for your service account. Use descriptive names that explain what the account is for. For example:
- ci-cd-pipeline for CI/CD systems
- monitoring-service for monitoring tools
- backup-system for backup services
Add a description that explains the account’s purpose. This helps others understand when and why this service account was created. Clear descriptions make it easier to manage service accounts over time.
Step 3: Create the Service Account
Review your configuration and click “Create Service Account”. The service account is now created and ready to use.
Assign Roles and Permissions
After creating the service account, assign it roles. A service account with no roles can authenticate but cannot take any action on the Thalassa Cloud API.
Select from predefined roles or create custom roles that match your needs. Choose roles that give the service account only the permissions it needs to do its job.
For example, a CI/CD pipeline might need:
- Read access to Kubernetes clusters
- Write access to container registries
- Read access to VPCs and networking resources
A monitoring service might only need:
- Read access to Kubernetes clusters
- Read access to compute resources
Follow the principle of least privilege. Only grant the minimum permissions needed.
Managing Access Credentials
After creating a service account and assigning the permissions, you need to create access credentials to authenticate with Thalassa Cloud APIs.
Creating Access Credentials
Step 1: Navigate to the Service Account
- Go to IAM → Service Accounts
- Select the service account you want to create credentials for
Step 2: Create Credentials
- Click “Create Access Credentials” or “Add Credentials”
- Enter a name for the credentials (e.g., production-credentials, staging-credentials)
- Optionally add a description explaining where these credentials will be used
Step 3: Save Credentials
- Click “Create Credentials”
- Copy the credentials immediately. You won't be able to see them again after closing the dialog; if you lose them, create a new set and delete the old one
- Store the credentials securely in a secrets manager or password vault. Never commit them to source control, paste them into tickets or chat, or print them in CI logs
Using Access Credentials
Once you have credentials, you can use them to authenticate with Thalassa Cloud APIs. You can use credentials with:
- The tcloud CLI
- Terraform provider
- Direct API calls
- Other tools that support Thalassa Cloud authentication
Example with tcloud CLI, where <access-key> and <access-secret> are the values shown when the credentials were created:
tcloud --oidc-client="<access-key>" --oidc-secret="<access-secret>" kubernetes list
Inject the secret from your secrets manager at run time rather than typing it interactively: a secret passed on the command line ends up in shell history and is visible to other local users in process listings.
Rotating Credentials
Rotate credentials regularly for security. When you rotate credentials:
- Create new credentials for the service account
- Update your systems to use the new credentials
- Verify everything works with the new credentials
- Delete the old credentials
Keeping the old credentials until the new ones are verified means rotation never causes an outage, and rotating on a schedule limits how long a credential that leaked unnoticed remains usable.
Revoking Credentials
If credentials are compromised or no longer needed, revoke them immediately:
- Go to the service account’s page
- Find the credentials you want to revoke
- Click “Delete” or “Revoke”
- Confirm the deletion
Revoked credentials stop working immediately. Make sure you have new credentials ready before revoking old ones.
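The rotation and revocation procedures above share one safety rule: the old credentials are deleted only after the new ones have been deployed and verified. The following is an added example, not Thalassa Cloud's own code or CLI, that encodes that ordering in a reusable function. The IAM API it talks to is a constructed in-memory fake with hypothetical method names (create_credentials, delete_credentials, authenticate) that models the two properties this page states: the secret is returned only at creation time, and a deleted credential stops working immediately. The deploy and verify callbacks stand in for "update your systems" and "verify everything works".

```python
from dataclasses import dataclass
import secrets


@dataclass
class Credential:
    """One access credential (key id plus secret) of a service account."""
    key_id: str
    secret: str
    name: str
    revoked: bool = False


class FakeIamApi:
    """Constructed in-memory stand-in for the credentials API.

    Hypothetical: the method names are this example's, not Thalassa Cloud's.
    A deleted credential stops authenticating immediately, as the page states.
    """

    def __init__(self) -> None:
        self._creds: dict = {}

    def create_credentials(self, name: str) -> Credential:
        # The secret is only ever returned here, mirroring the one-time dialog.
        cred = Credential(key_id="ak-" + secrets.token_hex(4),
                          secret=secrets.token_urlsafe(32), name=name)
        self._creds[cred.key_id] = cred
        return cred

    def delete_credentials(self, key_id: str) -> None:
        self._creds[key_id].revoked = True

    def authenticate(self, key_id: str, secret: str) -> bool:
        cred = self._creds.get(key_id)
        if cred is None or cred.revoked:
            return False
        return secrets.compare_digest(cred.secret, secret)

    def active_key_ids(self) -> list:
        return [c.key_id for c in self._creds.values() if not c.revoked]


class RotationError(RuntimeError):
    """Raised when the consumer cannot authenticate with the new credential."""


def rotate_credentials(api, old_key_id, new_name, deploy, verify):
    """Create -> deploy -> verify -> delete old; never delete old on failure.

    deploy(cred) pushes the new credential into the consuming system (secrets
    manager, CI variable store). verify(cred) returns True if that consumer can
    authenticate with it, e.g. by running a read-only API call. The old
    credential is deleted only after verify() succeeds, so a failed rollout
    leaves the old credential working and the caller can retry.
    """
    new = api.create_credentials(new_name)
    try:
        deploy(new)
        if not verify(new):
            raise RotationError(f"consumer cannot authenticate with {new.key_id}")
    except Exception:
        api.delete_credentials(new.key_id)  # discard the unverified credential
        raise
    api.delete_credentials(old_key_id)  # old credential stops working immediately
    return new


if __name__ == "__main__":
    api = FakeIamApi()
    old = api.create_credentials("production-credentials")
    vault = {"key_id": old.key_id, "secret": old.secret}  # the consumer's secret store

    def deploy(cred: Credential) -> None:
        vault["key_id"], vault["secret"] = cred.key_id, cred.secret

    def verify(cred: Credential) -> bool:
        return api.authenticate(vault["key_id"], vault["secret"])

    new = rotate_credentials(api, old.key_id, "production-credentials-2", deploy, verify)
    print("active:", api.active_key_ids(), "old still works:", api.authenticate(old.key_id, old.secret))
```

If deploy() itself fails part-way (for example the secrets manager write succeeds for one consumer but not another), the function discards the new credential and re-raises; restoring the consumer's previous configuration is the caller's job, which is why the consumer's old value should not be overwritten in place without a backup.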
Using Service Accounts with OIDC Identity Federation (Recommended)
Service accounts can be used with workload identity federation for more secure authentication. Instead of storing long-lived credentials, external systems can use OIDC tokens to impersonate service accounts.
This is more secure because:
- No long-lived credentials to store, rotate, or leak
- Tokens are short-lived and automatically expire
- Tokens are tied to specific conditions (repositories, branches, environments)
For example, GitHub Actions can use OIDC tokens to authenticate as a service account without storing credentials in secrets.
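What "tied to specific conditions" means in practice is that a federation binding names the claims an incoming token must carry, and a token that is expired or fails any condition is refused. The following is an added example, not Thalassa Cloud's implementation of Workload Identity Federation, showing that check for a GitHub Actions token. The Binding type, the evaluate_binding function and the audience value thalassa-cloud are assumptions of this example; the issuer URL and the repository, ref and environment claim names are the ones GitHub Actions OIDC tokens actually carry. The token used below is constructed and unsigned for an offline demo; in a real relying party the signature must be verified against the issuer's JWKS before any claim is trusted, and that step is not shown here.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """Hypothetical federation binding: which external identity may impersonate
    which service account. conditions maps a claim name to the value it must
    carry; a trailing '*' on the value allows a prefix match."""
    service_account: str
    issuer: str
    audience: str
    conditions: dict


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload. Signature verification against the issuer's
    JWKS must already have succeeded; this function does not check it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_binding(claims: dict, binding: Binding,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether this token may impersonate binding.service_account."""
    now = time.time() if now is None else now
    if claims.get("iss") != binding.issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if binding.audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "token not yet valid"
    # Every condition in the binding must hold; an absent claim is a failure.
    for claim, allowed in binding.conditions.items():
        actual = claims.get(claim)
        if not isinstance(actual, str):
            return False, f"missing claim {claim}"
        if allowed.endswith("*"):
            if not actual.startswith(allowed[:-1]):
                return False, f"{claim}={actual} not allowed"
        elif actual != allowed:
            return False, f"{claim}={actual} not allowed"
    return True, f"impersonate {binding.service_account}"


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg none, empty signature). Demo input only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Only workflows on the main branch of one repository may act as ci-cd-pipeline.
CI_DEPLOY_BINDING = Binding(
    service_account="ci-cd-pipeline",
    issuer=GITHUB_ISSUER,
    audience="thalassa-cloud",  # assumed audience value for this example
    conditions={"repository": "example-org/shop", "ref": "refs/heads/main"},
)


if __name__ == "__main__":
    now = 1_700_000_000
    for ref in ("refs/heads/main", "refs/heads/feature-x"):
        token = make_unsigned_token({"iss": GITHUB_ISSUER, "aud": "thalassa-cloud",
                                     "exp": now + 300, "repository": "example-org/shop",
                                     "ref": ref})
        print(ref, evaluate_binding(decode_claims(token), CI_DEPLOY_BINDING, now=now))
```

The binding is deliberately narrower than "any token from GitHub": without the repository and ref conditions, a workflow in any repository could obtain the same audience and impersonate the service account, which is exactly the kind of over-broad trust that a long-lived credential in a CI secret would have given.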
To set up workload identity federation, see the Workload Identity Federation documentation.
Related Documentation
- RBAC Roles: Learn how to configure permissions for service accounts
- Workload Identity Federation: Use OIDC for service account impersonation
- Managing Teams: Organise users and manage access
- Inviting Members: Learn about user accounts