Service Account Management
Managing service accounts
Add a service account
Using the IAM API
Prerequisite:
- OpenSSL
- DC/OS Authentication token exported into the environment as TOKEN.
A service account consists of a user ID and an RSA private key.
To add a service account using the DC/OS Identity and Access Management (IAM) API, first generate an RSA private key using OpenSSL.
openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:2048
Extract the corresponding public key from the private key.
openssl rsa -pubout -in private-key.pem -out public-key.pem
Convert the public key file contents to a string with escaped newline characters.
export PUBLIC_KEY=$(sed ':a;N;$!ba;s/\n/\\n/g' public-key.pem)
Replace <uid> with the desired value in the following command and execute it:
curl -i -X PUT http://<host-ip>/acs/api/v1/users/<uid> -d '{"public_key": "'"$PUBLIC_KEY"'"}' -H 'Content-Type: application/json' -H "Authorization: token=$TOKEN"
List service accounts
Using the IAM API
Prerequisite:
- DC/OS Authentication token exported into the environment as TOKEN.
To list all configured service accounts using the DC/OS Identity and Access Management (IAM) API, execute the following command:
curl -i -X GET "http://<host-ip>/acs/api/v1/users?type=service" -H 'Content-Type: application/json' -H "Authorization: token=$TOKEN"
Change a service account public key
Using the IAM API
Prerequisite:
- DC/OS Authentication token exported into the environment as TOKEN.
To change a service account's public key using the DC/OS Identity and Access Management (IAM) API, provide a new public key in the public-key.pem file. Then replace <uid> in the following command and execute it:
curl -i -X PATCH http://<host-ip>/acs/api/v1/users/<uid> -d '{"public_key": "'"$(sed ':a;N;$!ba;s/\n/\\n/g' public-key.pem)"'"}' -H 'Content-Type: application/json' -H "Authorization: token=$TOKEN"
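The key-generation and key-change steps above both end by sending the contents of public-key.pem as a JSON string. The following is an added example, not part of the original documentation: the function names are hypothetical, and it assumes a POSIX shell with awk and OpenSSL. It creates the private key with owner-only permissions, checks that a public key file really belongs to the private key you hold before you upload it, and builds the request body without relying on GNU sed, refusing any file that is not a PEM public key.

```shell
#!/bin/sh
# Added example; gen_keypair, key_matches and build_payload are hypothetical names.

# Generate the key pair; umask 077 keeps the private key readable by its owner only.
gen_keypair() {  # usage: gen_keypair <dir>
    ( umask 077
      openssl genpkey -algorithm RSA -out "$1/private-key.pem" \
          -pkeyopt rsa_keygen_bits:2048 2>/dev/null ) || return 1
    openssl rsa -pubout -in "$1/private-key.pem" -out "$1/public-key.pem" 2>/dev/null
}

# Succeed only if <pub> is the public half of <priv>. Both sides are re-encoded
# by OpenSSL first, so whitespace or line-ending differences do not matter.
key_matches() {  # usage: key_matches <priv> <pub>
    a=$(openssl rsa -pubout -in "$1" 2>/dev/null) || return 1
    b=$(openssl rsa -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Print the JSON request body for a public key file, with line breaks written
# as the two characters \n. Fails on anything that is not a PEM public key,
# so a private key file passed by mistake is never sent.
build_payload() {  # usage: build_payload <pub>
    [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN PUBLIC KEY-----" ] || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    key=$(awk '{ sub(/\r$/, "") }
               NR > 1 { printf "%s", "\\n" }
               { printf "%s", $0 }' "$1")
    printf '{"public_key": "%s"}' "$key"
}

# Usage with the PATCH command from this page (placeholders as on the page):
#   key_matches private-key.pem public-key.pem &&
#   curl -i -X PATCH http://<host-ip>/acs/api/v1/users/<uid> \
#        -d "$(build_payload public-key.pem)" \
#        -H 'Content-Type: application/json' -H "Authorization: token=$TOKEN"
```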
Remove a service account
Using the IAM API
Prerequisite:
- DC/OS Authentication token exported into the environment as TOKEN.
To remove a local user account using the DC/OS Identity and Access Management (IAM) API, replace <uid> with the corresponding value and execute the following command:
curl -i -X DELETE http://<host-ip>/acs/api/v1/users/<uid> -H 'Content-Type: application/json' -H "Authorization: token=$TOKEN"