Users normally interact with strongDM by logging into their account and connecting to datasources, but that interactive workflow does not suit automated functionality such as BI tools or ETL workflows. For those cases you can create service account tokens, which provide tokenized account access for fully automated strongDM use. This guide describes setting up and using service account tokens. To create service accounts, you need admin access to the strongDM Admin UI.
Service account tokens provide programmatic access to service accounts, which can only run queries through datasources.
Service account tokens are obtained by creating a service account on the main Users page: click the add service button and name the account.
Click create and the token appears in a pop-up window. Copy it now, as this is the only time the token will be visible. The token is a bearer credential that grants whatever access the service account has, so store it in a secrets manager rather than in a ticket or chat message, and treat any exposure of the token as a compromise of the account.
The service account can now be granted access to datasources and servers like any other user account, and is identified by a service badge to the right of the account name.
Now that you have a service account token, you need to make it available in the environment where it will be used.
If your organization uses port overrides, you can enable the option to automatically connect to all granted datasources/servers on login (Settings > Port Overrides). This is the easiest way to ensure your service account deployments can always connect to every datasource they have been granted.
If you do not enable this option, service account deployments connect to datasources the same way regular users do, by running
sdm connect <datasource name or substring>
Set the environment variable SDM_ADMIN_TOKEN. You can do this for the current shell with export, or make it permanent by placing it in .bash_profile (or the equivalent for your preferred shell). You could also set the variable at the top of any shell scripts you plan to use SDM with, but note that a token written into a profile or script sits in plaintext on disk: restrict the file's permissions to the service user and keep it out of version control. Alternatively, supply the token on the command line for a one-time login, after which it does not need to remain in the environment:
$ SDM_ADMIN_TOKEN=<token> sdm login
A token typed this way is recorded in your shell history unless the shell is configured to skip the command.
Install the SDM client (the Mac GUI, or on Linux run
sudo ./sdm install
). On Linux, the client takes the token from the environment and uses it for authentication. On Mac, log in with the token in the GUI (as in the section below), or run
sdm login
at the CLI with the token in your environment.
Run sdm status to verify that the authentication token is visible to SDM:
$ sdm status
DATASOURCE NAME   STATUS          PORT   TYPE
pgsql_1_31        not connected   5432   postgres

SSH SERVER        STATUS          PORT   TYPE
server-245a       not connected   61334  ssh
If the output is instead
unavailable: Unable to contact strongDM API
then the token was not read by SDM. Check that the variable is exported in the same shell (or service environment) that SDM runs from.
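The following POSIX shell script is an added example, not part of this guide or of strongDM's own tooling. It ties the steps above together: it reads the token from a permission-restricted file instead of .bash_profile or a script, passes it to sdm only through the environment of the login process, verifies the login by parsing sdm status, and then runs sdm connect for every granted resource that is still reported as not connected (the manual alternative to the port-override auto-connect setting described earlier). The token file path, the function names and the sample status text are assumptions; only the "Unable to contact strongDM API" string comes from the guide.

```shell
#!/bin/sh
# Added example (not strongDM's own code): service account login from a
# token file, verified via `sdm status`, followed by connecting anything
# still "not connected". Paths, names and sample output are assumptions.
set -eu

# Constructed sample of `sdm status` output, in the layout the guide shows.
# Used only to exercise the parsers below offline; not captured from a client.
sample_status_output() {
  printf '%s\n' \
    'DATASOURCE NAME   STATUS          PORT   TYPE' \
    'pgsql_1_31        not connected   5432   postgres' \
    'SSH SERVER        STATUS          PORT   TYPE' \
    'server-245a       not connected   61334  ssh'
}

# Return 0 when the client reached the API and listed resources, 1 when the
# token was not read (the "unavailable" message the guide documents), and 2
# for anything else so callers can tell "bad token" from "unexpected output".
classify_sdm_status() {
  if printf '%s\n' "$1" | grep -q 'Unable to contact strongDM API'; then
    return 1
  fi
  if printf '%s\n' "$1" | grep -Eq '^(DATASOURCE NAME|SSH SERVER) '; then
    return 0
  fi
  return 2
}

# Print the name (first column) of every resource whose STATUS is "not connected".
unconnected_resources() {
  printf '%s\n' "$1" | awk '/not connected/ { print $1 }'
}

# Read the token from a file only the service user can read, hand it to sdm
# through the environment of that single process (so it never lands in a
# profile, a script or shell history), and fail loudly if the API is unreachable.
sdm_service_login() {
  token_file="${1:-/etc/sdm/service-account.token}"   # assumed location
  # Refuse group/world-readable token files (GNU stat first, BSD/macOS stat as fallback).
  perms="$(stat -c '%a' "$token_file" 2>/dev/null || stat -f '%Lp' "$token_file")"
  case "$perms" in
    *00) ;;
    *) echo "refusing $token_file: mode $perms is readable by others" >&2; return 1 ;;
  esac
  token="$(tr -d '\r\n' < "$token_file")"
  SDM_ADMIN_TOKEN="$token" sdm login
  unset token
  status_out="$(sdm status 2>&1 || true)"
  if ! classify_sdm_status "$status_out"; then
    echo "service account login failed; sdm status reported:" >&2
    printf '%s\n' "$status_out" >&2
    return 1
  fi
  # Without the port-override auto-connect option, connect each granted resource by name.
  unconnected_resources "$status_out" | while read -r name; do
    sdm connect "$name"
  done
}

# Only attempt the real login when the sdm client is installed.
if command -v sdm >/dev/null 2>&1; then
  sdm_service_login "${1:-}"
fi
```

Run it as sh sdm-service-login.sh /path/to/token-file from the automation's own user. The script still exposes the token to the sdm process environment, which is unavoidable with SDM_ADMIN_TOKEN, but it keeps the secret out of dotfiles, scripts and history, and it turns the "Unable to contact strongDM API" condition into a non-zero exit that a scheduler or CI job will notice instead of running queries against nothing.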
Start the SDM GUI client. At the login window, hit <esc> three times; the login window should change to say "service account token". Paste in the token and click continue, then use the SDM GUI as normal.
At this point you should be able to set up your scripts or automations to use sdm commands and run queries and SSH sessions with no further configuration needed.
For Windows server environments where it is desirable to run the strongDM client as a Windows service, strongDM provides a Windows Service Account installer.