
Working with Service Accounts


The cluster operations that are performed manually in the dashboard or via kubectl can be automated using the Gardener API. You need a service account to be authorized to perform them.

The service account of a project has access to all Kubernetes resources in the project.

Create a Service Account

  1. Select your project and choose MEMBERS from the menu on the left.

  2. Locate the section Service Accounts and choose +.

    [Screenshot: Add service account]

  3. Enter the service account details.

    [Screenshot: Enter service account details]

    The following Roles are available:

    Role                    | Granted Permissions
    Admin                   | Fully manage resources inside the project, except for member management. The delete/modify permissions for ServiceAccounts are now deprecated for this role and will be removed in a future version of Gardener; use the Service Account Manager role instead.
    Viewer                  | Read all resources inside the project except secrets.
    UAM                     | Manage human users or groups in the project member list. Service accounts can only be managed by admins.
    Service Account Manager | Fully manage service accounts inside the project namespace and request tokens for them. Please refer to this document. For security reasons this role should not be assigned to service accounts; in particular, a service account must not be able to refresh tokens for itself.
  4. Choose CREATE.

Use the Service Account

To use the service account, download or copy its kubeconfig.

[Screenshot: Download service account kubeconfig]
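Once the kubeconfig is downloaded, it is worth checking that the service account's effective permissions match the role table above, and especially that it cannot request tokens for service accounts in the project namespace. The script below is an added example, not Gardener's own tooling; it assumes kubectl is on PATH, that CONFIG is the downloaded kubeconfig, that NAMESPACE is the project namespace, and it checks against the Gardener Shoot resource (shoots.core.gardener.cloud) as a stand-in for "resources inside the project".

```shell
#!/bin/sh
# Added example, not from the Gardener docs or tooling: audit what a downloaded
# service-account kubeconfig can actually do, against the role table above, and
# flag the case the table warns about: a service account able to request tokens
# for service accounts (serviceaccounts/token) in its own project namespace.
# Assumptions (hypothetical): kubectl is on PATH, CONFIG is the kubeconfig
# downloaded from the dashboard, NAMESPACE is the project namespace, and the
# resource checked is the Gardener Shoot (shoots.core.gardener.cloud).

# can_i CONFIG NAMESPACE VERB RESOURCE [SUBRESOURCE] -> prints "yes" or "no"
can_i() {
  # kubectl exits non-zero on "no", so swallow the status and keep the answer
  answer=$(kubectl --kubeconfig "$1" -n "$2" auth can-i "$3" "$4" \
             ${5:+--subresource=$5} 2>/dev/null) || true
  case "$answer" in
    yes*) echo yes ;;
    *)    echo no ;;
  esac
}

# expect CONFIG NAMESPACE WANT VERB RESOURCE [SUBRESOURCE] -> 0 if answer matches WANT
expect() {
  cfg=$1; ns=$2; want=$3; shift 3
  got=$(can_i "$cfg" "$ns" "$@")
  if [ "$got" = "$want" ]; then
    echo "ok        $* -> $got"; return 0
  fi
  echo "MISMATCH  $* -> $got (expected $want)"; return 1
}

# audit CONFIG NAMESPACE ROLE -> one line per check; exit status = number of
# mismatches (1 for an unknown role). Expectations follow the role table:
# Viewer reads everything except secrets, Admin manages resources, and no
# service account should be able to mint tokens for service accounts.
audit() {
  n=0
  case "$3" in
    viewer)
      expect "$1" "$2" yes get shoots.core.gardener.cloud    || n=$((n + 1))
      expect "$1" "$2" no  get secrets                       || n=$((n + 1))
      expect "$1" "$2" no  delete shoots.core.gardener.cloud || n=$((n + 1)) ;;
    admin)
      expect "$1" "$2" yes get shoots.core.gardener.cloud    || n=$((n + 1))
      expect "$1" "$2" yes delete shoots.core.gardener.cloud || n=$((n + 1)) ;;
    *) echo "unknown role: $3"; return 1 ;;
  esac
  # The caveat from the role table: token minting must be denied to the account
  expect "$1" "$2" no create serviceaccounts token || n=$((n + 1))
  return "$n"
}
```

Run it as `audit ./sa.kubeconfig <project-namespace> viewer` and treat any MISMATCH line, above all one on serviceaccounts/token, as a role assignment to revisit.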

Delete the Service Account

Choose Delete Service Account to delete it.

[Screenshot: Delete service account]