Service Accounts

Though users interact with strongDM by logging into their account and connecting to datasources, this workflow isn’t useful for automated functionality like BI tools or ETL workflows. That’s why you can create service account tokens to provide tokenized account access for fully automated strongDM use. This guide describes setting up and using service account tokens. To create service accounts, you’ll need admin access to the strongDM Admin UI.

Service account tokens are used for programmatically accessing service accounts, which can only run queries via datasources.

Note: If you’re looking for admin, relay, or gateway tokens, check out the Admin Token Guide, the Relay Guide, or the Gateway Guide respectively.

Setting up a service account token

Service account tokens come from creating service accounts on the main Users page. Click the add service button and name the account.

Create Service Account

Click create and the token will appear in a pop-up window. Copy this now, as this is the only time the token will be visible.

Service Account Token Secret

The service account can now be granted access to datasources and servers like any other user account, and is identified by a service badge to the right of the account name.

Using the service account token

Now that you have a service account token, you need to get it into your environment to use. The process is simple.

Connecting to datasources

If your organization uses port overrides you can enable the option to automatically connect to all granted datasources/servers on login. This is the easiest way to ensure your service account deployments are always able to connect to all available datasources. This option is available under Settings > Port Overrides.

Autoconnect

If you do not enable this option, service account deployments can connect to datasources the same way as regular users: running sdm connect <datasource name or substring>.

In Linux or Mac command line

  1. Set the environment variable SDM_ADMIN_TOKEN. You can do this for the current shell with export, or make it more permanent by placing it in .bashrc, .bash_profile, or the equivalent for your preferred shell. You could also add this variable to the top of any shell scripts you’re planning to use SDM with. Alternately, you can pass the token on the command line for a one-time login (after which the token doesn’t need to remain in the environment) like this:

     $ SDM_ADMIN_TOKEN=<token> sdm login

  2. Install the SDM client (the Mac GUI, or on Linux run sudo ./sdm install). On Linux, it will take the token from the environment and use it for authentication. On a Mac, log in with the token in the GUI (as in the section below), or run sdm login at the CLI with the token in your environment.

  3. Try sdm status to verify that the authentication token is properly visible to SDM.

     $ sdm status
         DATASOURCE NAME     STATUS            PORT      TYPE
         pgsql_1_31          not connected     5432      postgres
    
         SSH SERVER          STATUS            PORT      TYPE
         server-245a         not connected     61334     ssh
    

     If the output is "unavailable: Unable to contact strongDM API", then the token was not properly read by SDM.

In Mac or Windows GUI

  1. Start the SDM GUI client

  2. At the login window, press <esc> three times. This should change the login window to say "service account token". Paste in the token and click continue.

    GUI login with service account token

  3. Use SDM GUI as normal.

At this point you should be able to set up your scripts or automations to use sdm commands and run queries and SSH sessions with no further configuration needed.
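As an added example (not strongDM's own code), here is a wrapper for an automated job that follows the Linux/Mac steps above: it requires SDM_ADMIN_TOKEN in the environment, logs in, checks the sdm status output for the "Unable to contact strongDM API" failure, connects the datasource, and reads its local port from sdm status before running a query. It assumes a postgres datasource and that the client listens on 127.0.0.1; the parsing helpers read sdm status output from stdin so they can be tested offline against the sample output from this guide.

```shell
#!/bin/sh
# Wrapper for an automated job using a strongDM service account token.
# Assumption: `sdm` is installed and the datasource is postgres.
set -eu

# Constructed sample of `sdm status` output (copied from the guide above),
# used to test the parsers without a strongDM client present.
STATUS_SAMPLE='    DATASOURCE NAME     STATUS            PORT      TYPE
    pgsql_1_31          not connected     5432      postgres

    SSH SERVER          STATUS            PORT      TYPE
    server-245a         not connected     61334     ssh'

# Exit non-zero when the status output shows the token was not read
# (the "unavailable: Unable to contact strongDM API" case).
sdm_token_ok() {
  awk '/Unable to contact strongDM API/ { found = 1 } END { exit found }'
}

# Print the local port that `sdm status` reports for a datasource/server.
# Port is always the second-to-last column, whether the status is
# "connected" (4 columns) or "not connected" (5 columns).
sdm_port_for() {
  awk -v n="$1" '$1 == n { print $(NF - 1) }'
}

# Print the STATUS column ("connected" or "not connected") for a name.
sdm_status_of() {
  awk -v n="$1" '$1 == n { s = $2; for (i = 3; i <= NF - 2; i++) s = s " " $i; print s }'
}

# Full flow; fails fast if the token is missing or not visible to sdm.
run_job() {
  ds="$1"
  : "${SDM_ADMIN_TOKEN:?set SDM_ADMIN_TOKEN to the service account token}"
  sdm login                                   # reads SDM_ADMIN_TOKEN from the environment
  sdm status | sdm_token_ok || { echo "token not visible to sdm" >&2; exit 1; }
  sdm connect "$ds"
  port=$(sdm status | sdm_port_for "$ds")
  [ -n "$port" ] || { echo "no datasource named $ds" >&2; exit 1; }
  [ "$(sdm status | sdm_status_of "$ds")" = connected ] || { echo "$ds did not connect" >&2; exit 1; }
  psql "host=127.0.0.1 port=$port" -c 'SELECT 1'   # assumption: postgres datasource
}

# Only run the job when invoked as `./job.sh run <datasource name>`.
if [ "${1:-}" = run ]; then
  run_job "${2:?datasource name}"
fi
```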

As a Windows Service

For Windows server environments where it is desirable to have the strongDM client run as a service, strongDM provides a Windows Service Account installer.