Service Accounts
Service accounts offer a protected and standardized method of authenticating machine-to-machine communication between services protected by Pomerium.
Before you begin, confirm you are in the correct Namespace. A service account can only be used in the Namespace it was created in and in that Namespace's child Namespaces.
From the main menu, select Service Accounts under CONFIGURE. Click the + ADD SERVICE ACCOUNT button:
Service accounts can be unique and exist only for Pomerium, or impersonate directory users from your IdP.
Give the service account a unique user ID, or select an existing directory user to impersonate. Consider including the Namespace name in the ID so the account is easy to identify later. Optionally set an expiration date; an expiring token limits the damage if it leaks, at the cost of having to rotate it:
The user ID set here corresponds to the User criterion when editing a policy. After you click Submit, the modal presents the JSON web token (JWT) for the service account. Save it somewhere secure (a secrets manager, not a ticket or chat message), as the console will not display it again:
Your application presents this JWT to Pomerium on every request to a protected route, so add it to the application's configuration as a secret (not committed to source control) to enable direct machine-to-machine communication.
Edit or create policies that match the service account's user ID to give it access to the internal service:
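The client side of the procedure above, as an added example that is not Pomerium project code or page content. Pomerium accepts a service-account token in an `Authorization: Pomerium <jwt>` request header. Everything else here is an assumption for illustration: the token arrives in a `POMERIUM_SERVICE_ACCOUNT_JWT` environment variable, the protected route `https://internal.example.com/` is hypothetical, and the `constructed_token` helper builds an unsigned, clearly fake token (with illustrative claim names) so the expiry check can be exercised offline; a real token is signed by Pomerium and its claim set is Pomerium's, not this example's.

```python
"""Call a Pomerium-protected route with a service-account JWT.

Added example (not Pomerium's code). Assumptions: the token is read from
POMERIUM_SERVICE_ACCOUNT_JWT, the route URL is hypothetical, and the token
carries a standard `exp` claim (seconds since epoch) when an expiration date
was set in the console. Pomerium verifies the token; the client only inspects
`exp` so it fails early and rotates before the account expires.
"""
import base64
import json
import os
import time
import urllib.request
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (JWT compact serialization drops padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Use only for local inspection (expiry, identity hints). Authorization
    decisions belong to Pomerium, which does verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialization JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds until the token's `exp`; +inf when no expiration date was set."""
    exp = decode_claims(token).get("exp")
    if exp is None:
        return float("inf")
    return float(exp) - (time.time() if now is None else now)


def auth_headers(token: str) -> dict:
    """Header Pomerium reads the service-account token from."""
    return {"Authorization": f"Pomerium {token}"}


def call_route(url: str, token: str, min_remaining: float = 300.0) -> bytes:
    """GET a protected route, refusing to use a token that is about to expire."""
    remaining = seconds_until_expiry(token)
    if remaining < min_remaining:
        raise RuntimeError(f"service-account JWT expires in {remaining:.0f}s; rotate it")
    req = urllib.request.Request(url, headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def constructed_token(claims: dict) -> str:
    """Build an UNSIGNED token for offline testing only (constructed sample).

    A real Pomerium token is signed; Pomerium would reject this one.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    token = os.environ.get("POMERIUM_SERVICE_ACCOUNT_JWT")
    if token is None:  # no real token available: fall back to the constructed sample
        token = constructed_token({"sub": "svc-billing-reports", "exp": int(time.time()) + 3600})
    print(f"expires in {seconds_until_expiry(token):.0f}s; headers={auth_headers(token)}")
    # With a real token and route, the actual call would be:
    # print(call_route("https://internal.example.com/", token))
```

Keep `min_remaining` comfortably larger than your rotation lead time so a job that starts near the expiration date you set in the console fails fast with a clear message instead of a 401 from Pomerium partway through.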