Working with Service Accounts
- You are logged on to the Gardener Dashboard
- You have created a project.
The cluster operations that you perform manually in the dashboard or via
kubectl can be automated against the Gardener API. To do so you need a service account that is authorized to perform them.
What a service account may do inside the project is determined by the role you assign to it when you create it (see the roles below); treat its credentials like any other secret and grant the least role that covers the automation.
Create a Service Account
Select your project and choose MEMBERS from the menu on the left.
Locate the section Service Accounts and choose +.
Enter the service account details.
The following roles are available:

| Role | Granted Permissions |
|---|---|
| Admin | Fully manage resources inside the project, except for member management. The delete/modify permissions for ServiceAccounts are deprecated for this role and will be removed in a future version of Gardener; use the Service Account Manager role instead. |
| Viewer | Read all resources inside the project except secrets. |
| UAM | Manage human users or groups in the project member list. Service accounts can only be managed by admins. |
| Service Account Manager | Fully manage service accounts inside the project namespace and request tokens for them. Please refer to this document. For security reasons this role should not be assigned to service accounts; in particular, a service account must not be able to refresh tokens for itself. |
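Before handing out a service account's credentials it is worth checking what its role actually grants, in particular the two properties the table above calls out: whether it can request tokens (in Kubernetes RBAC that is `create` on the `serviceaccounts/token` subresource, which is what lets an account refresh its own token) and whether it can read secrets. The following is an added example, not code from the Gardener project or dashboard. It evaluates the `.rules` of a Role as printed by `kubectl get role <name> -n garden-<project> -o json`; the two sample roles, their rule contents and the project namespace `garden-demo` are constructed for the example and are not the exact rules Gardener installs for its roles.

```python
"""Audit what a Gardener project service account may do, from its RBAC rules.

Added example (not Gardener code).  Evaluates the .rules of a Kubernetes Role
for token-request and secret-read permissions.  Sample roles below are
constructed; the namespace garden-demo and role names are assumptions.
"""
import json

# Constructed sample: a read-only role that excludes secrets, Viewer-style.
VIEWER_ROLE_JSON = json.dumps({
    "kind": "Role",
    "metadata": {"name": "project-viewer", "namespace": "garden-demo"},
    "rules": [
        {"apiGroups": ["core.gardener.cloud"], "resources": ["shoots", "secretbindings"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps", "events"],
         "verbs": ["get", "list", "watch"]},
    ],
})

# Constructed sample: a role that manages service accounts and can mint their tokens.
SA_MANAGER_ROLE_JSON = json.dumps({
    "kind": "Role",
    "metadata": {"name": "project-serviceaccountmanager", "namespace": "garden-demo"},
    "rules": [
        {"apiGroups": [""], "resources": ["serviceaccounts"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
    ],
})


def _matches(pattern, value):
    return pattern == "*" or pattern == value


def allows(rules, verb, api_group, resource, subresource=None):
    """True if any rule grants `verb` on `api_group`/`resource[/subresource]`.

    Follows Kubernetes RBAC matching: each list in a rule may contain "*",
    a subresource is spelled "resource/sub", and "*/sub" matches that
    subresource on any resource.
    """
    wanted = f"{resource}/{subresource}" if subresource else resource
    for rule in rules:
        if not any(_matches(g, api_group) for g in rule.get("apiGroups", [])):
            continue
        if not any(_matches(v, verb) for v in rule.get("verbs", [])):
            continue
        for res in rule.get("resources", []):
            if res == "*" or res == wanted:
                return True
            if subresource and res == f"*/{subresource}":
                return True
    return False


def audit(role_json):
    """Return {finding code: explanation} for the rules of one Role (JSON text)."""
    role = json.loads(role_json)
    rules = role.get("rules", [])
    name = role["metadata"]["name"]
    findings = {}
    if allows(rules, "create", "", "serviceaccounts", "token"):
        findings["token-request"] = (
            f"{name} can create serviceaccounts/token: a service account bound to it "
            "can mint tokens for every service account in the namespace, itself included")
    if allows(rules, "get", "", "secrets") or allows(rules, "list", "", "secrets"):
        findings["secrets-read"] = f"{name} can read secrets in the namespace"
    if allows(rules, "*", "*", "*"):
        findings["wildcard"] = f"{name} grants all verbs on all resources in all groups"
    return findings


if __name__ == "__main__":
    for role_json in (VIEWER_ROLE_JSON, SA_MANAGER_ROLE_JSON):
        name = json.loads(role_json)["metadata"]["name"]
        found = audit(role_json)
        print(name, "OK" if not found else "")
        for code, text in found.items():
            print(f"  [{code}] {text}")
```

With a real cluster, pipe the output of `kubectl get role <name> -n garden-<project> -o json` into `audit`, or ask the API server directly with `kubectl auth can-i --list --as=system:serviceaccount:garden-<project>:<sa-name> -n garden-<project>`, which also accounts for ClusterRoles bound into the namespace that this script does not see. Either way, a service account whose role shows `token-request` can keep itself alive indefinitely, which is exactly why the Service Account Manager role should stay with human members.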
Use the Service Account
To use the service account, download or copy its
Delete the Service Account
Choose Delete Service Account to delete it.