Service Accounts
Service Accounts provide a secure and controlled method for programmatic access to the Phase platform. Service accounts are non-human users that can use various authentication mechanisms to access resources, such as secrets, within the applications and environments they have been granted access to.
Service accounts share many of the properties and behavior of human user accounts. Service Accounts follow an Access Policy that can be defined by Managed Roles or Custom Roles based on the permissions required. Service accounts are secured with the same security and cryptographic architecture as user accounts, and must be manually provisioned access to Apps and Environments in order to access secrets.
Create a new Service Account
To create a new Service Account:
- Navigate to the Access Control page from the sidebar and click on the Service Accounts tab.


- Click the Create Service Account button in the center of the screen. If you have previously created service accounts, you will see it in the top right corner of the screen.

- Give your new service account an Account name, choose a Role, and click "Create Service Account".
By default, a new Service Account uses the Service role, which is managed by Phase and only has access to secrets at the Application level.
Service role secret access policy:
| Resource | Access | Read | Create | Update | Delete |
|---|---|---|---|---|---|
| Secrets | Full access | ✅ | ✅ | ✅ | ✅ |
You may choose a different Managed role or a Custom role by selecting it from the dropdown.

Click "Create service account". This will create a new account with the chosen name and role.
Creating a Service Account can take a few seconds, as a unique encryption keyring is generated for each account. Do not close the tab or navigate away from this page during this process. You can find out more about this process in the security architecture page.
Once the account is created, you will see it listed in the table.
Manage a Service Account
You can manage a Service Account from the account detail page, accessible by clicking the "Manage" account button. Here you will find information about this account including the account name, role, App / Environment access and tokens.

Update account name
To update the name of an account, simply click the account name at the top of the page and edit it in place. Click "Save" to save your changes.

Update account role
To update an account's role, click the role label to open the dropdown and select a role from the list. The selected role will be applied on selection.

Delete account
To delete a Service Account, click on the "Delete" button at the bottom of the page. This will permanently delete this account and all associated tokens. Confirm that you want to delete this account by clicking "Delete" on the confirm dialog.


Account KMS
Each Service Account has its own unique keyring, just like User accounts. KMS modes determine who has access to the service account's keyring and can create and manage tokens for this service account.
Client-side KMS
By default, Service Accounts use Client-side KMS. This means only designated users with the required ServiceAccountTokens permissions can create and manage tokens for this service account. These users are called Service Account Handlers and have access to the service account's keyring, encrypted with their own keys.
Server-side KMS
You can optionally enable Server-side KMS for a Service Account. This grants the Phase backend access to the service account's keyring, effectively making the backend a Service Account Handler. Enabling Server-side KMS allows the backend to create and manage tokens on behalf of the Service Account. This is required to use features such as External Identities.
Manage KMS mode
You can manage the KMS mode for a Service Account by clicking the Manage button beside the account KMS indicator at the top of the account page:

Select the KMS mode you want to use and click Save:

Create a new Service Account Token
You can find instructions on how to create a Service Account Token here.
Add a Service Account to an App
You can find instructions on adding Service Accounts to Apps here.
Manage account Network Access Policies
You can find instructions on managing Network Access Policies for Service Accounts here.