Service accounts let Data Service Admins create accounts with access keys that have an extended lifetime and can be used to integrate with 3rd party tools.
A common use case is allowing users to integrate their notebooks (e.g., Jupyter, Zeppelin), BI tools (e.g., Tableau) or other 3rd party services to access Ascend on the user's behalf without using the user's credentials to do so. In this way, users can grant access to multiple 3rd parties and manage them separately. A classic example of this is how cloud providers allow administrators to create service accounts and assign them keys.
When creating an access key there are two credential types that can be used:
- Access Key ID + Secret - Used for applications that require both an access key and secret (e.g., API records access via notebooks, Tableau, etc.)
- API Token - Used for web-based access where authorization via an HTTP header is required (e.g., PowerBI)
Information - Service Accounts
- Data Service's User Admins can create or delete a Service Account for a Data Service.
- A Service Account is similar to an Ascend User in the permission model and is namespaced to a Data Service.
- Service Accounts are not visible on the Manage Member tabs, and vice versa.
- Data Service Team members who are not User Admin can see the list of Service Accounts, but cannot create, edit, or delete them.
Information - Service Account Keys
- User Admins can create access keys for a Service Account.
- A User Admin can delete (revoke) access keys for a Service Account.
- A User Admin can change the role for a Service Account on the Manage Permissions tab.
- Keys can be created after the Service Account is created, by editing the Service Account.
- Access keys with "Access Key ID + Secret" credential type consist of an Access Key ID and a Secret Access Key. The Secret Access Key can only be viewed/copied when first generated.
- Access keys with "API Token" credential type consist of an API Token only. The API Token can only be viewed/copied when first generated.
- Multiple access keys can be created.
- Service Account access keys do not expire.
- Access keys cannot be modified or regenerated.
- Data Service Team members who are not User Admins cannot view, create, or delete access keys.
- Service accounts are managed via a separate tab similar to the existing Manage Members tab and can also be accessed from the Data Service dropdown under Data Service Settings.
- In the System Dashboard click on the Data Service Settings button for the Data Service that you want to create the service account for.
- Select the Service Accounts tab.
- Click the Add New Service Account button and enter a name.
- Select a Permission for this service account:
  - NO ACCESS: Disables the account.
  - DATA FEED READ ONLY: Allows access to Data Feed(s) only. No access to other components (i.e. read/write connectors and transforms) or the Data Service. This permission is generally selected for services such as Tableau.
  - READ ONLY: Allows read access to all connectors, transforms, and data feeds. Also allows read access to data service information and data flow information. This permission is generally selected for services such as notebooks (Jupyter, Zeppelin).
- Click the ADD button to create the account.
Generate the access keys with Access Key ID + Secret that will be needed when connecting your 3rd party service to Ascend.
- In the Service Accounts tab, click the + ACCESS KEY button in the drop-down.
- A pop-up window displaying both the Access Key ID and Secret Access Key will be presented. THIS WILL BE THE ONLY TIME THAT YOU CAN VIEW YOUR SECRET ACCESS KEY SO MAKE SURE TO COPY THESE TO A SECURE AREA. You'll be using these again when you connect a 3rd party service to Ascend. This is the only opportunity to copy the secret access key. You may, however, create new access keys at any time.
Generate the access keys with an API Token that will be needed when connecting your 3rd party service to Ascend.
- In the Service Accounts tab, click the + API TOKEN button in the drop-down.
- A pop-up window displaying the API Token will be presented. THIS WILL BE THE ONLY TIME THAT YOU CAN VIEW YOUR API TOKEN SO MAKE SURE TO COPY IT TO A SECURE AREA. You'll be using it again when you connect a 3rd party service to Ascend. This is the only opportunity to copy the API Token. You may, however, create new access keys at any time.
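The following is an added example, not part of the Ascend documentation or product: a small audit over a hand-maintained inventory that applies the permission guidance and the key facts above (keys do not expire and cannot be regenerated). The inventory format, the `kind` field, the account and key names, and the 90-day threshold are assumptions.

```python
from datetime import date

# Permission levels named on this page, ordered from least to most access.
RANK = {"NO ACCESS": 0, "DATA FEED READ ONLY": 1, "READ ONLY": 2}
# Page guidance: Tableau-style BI tools get DATA FEED READ ONLY, notebooks READ ONLY.
RECOMMENDED = {"bi": "DATA FEED READ ONLY", "notebook": "READ ONLY"}
MAX_KEY_AGE_DAYS = 90  # assumption: local rotation policy, not an Ascend setting


def audit(accounts, today):
    """Return (account, finding) tuples for a hand-kept service account inventory."""
    findings = []
    for acct in accounts:
        name, perm = acct["name"], acct["permission"]
        wanted = RECOMMENDED.get(acct["kind"])
        if wanted and RANK[perm] > RANK[wanted]:
            findings.append((name, f"permission {perm} exceeds {wanted}"))
        if perm == "NO ACCESS":
            if acct["keys"]:
                findings.append((name, "disabled account still has keys; delete them"))
            continue
        for key in acct["keys"]:
            age = (today - key["created"]).days
            if age > MAX_KEY_AGE_DAYS:
                # Keys never expire and cannot be regenerated: add a new key,
                # switch the integration over, then delete (revoke) the old one.
                findings.append((name, f"key {key['label']} is {age} days old; rotate"))
    return findings


# Constructed sample inventory (all names, labels and dates are made up).
SAMPLE = [
    {"name": "tableau-prod", "kind": "bi", "permission": "READ ONLY",
     "keys": [{"label": "key-a", "created": date(2024, 1, 10)}]},
    {"name": "jupyter-analytics", "kind": "notebook", "permission": "READ ONLY",
     "keys": [{"label": "key-b", "created": date(2024, 5, 20)},
              {"label": "key-c", "created": date(2023, 11, 1)}]},
    {"name": "old-zeppelin", "kind": "notebook", "permission": "NO ACCESS",
     "keys": [{"label": "key-d", "created": date(2023, 6, 1)}]},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, date(2024, 6, 1)):
        print(f"{account}: {finding}")
```

Only key labels and creation dates belong in such an inventory; the Secret Access Key or API Token itself should stay in the secure location where it was copied at creation time.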