Service accounts

Posit Connect supports Kubernetes Service Account assignment for content jobs. Service accounts provide identity for Kubernetes workloads and facilitate fine-grained access control against the Kubernetes API or other external resources.

For example, a Kubernetes configuration can restrict access to a particular S3 bucket by service account. A content job launched by Connect can then reach that bucket only if it runs under a service account that has been granted permission to access it.

Labeling service accounts for Connect

Connect discovers available service accounts by the presence of the connect.posit.co/service-account label key. The label value is not checked. Apply this label to any service account that content should be allowed to use:

Terminal
kubectl label sa <service-account-name> connect.posit.co/service-account=true -n <namespace>

Only labeled service accounts appear in the Connect dashboard and are available for assignment to content.

Global default service account

Set a default service account for all content jobs through the Helm chart:

values.yaml
backends:
  kubernetes:
    defaultResourceJobBase:
      spec:
        template:
          spec:
            serviceAccountName: "connect-content-sa"

If no service account is explicitly set for a piece of content, Connect uses this value. If no global default is configured either, Connect sets no serviceAccountName on the job and Kubernetes falls back to the namespace's default service account (typically the one named default).

Content-level service accounts

Connect administrators can set a service account for individual content items, overriding the global default. This is done through the dashboard or the content API.

Publishers can view the configured service account for their content but cannot modify it.

Service account selection order

Connect selects the service account for a content job in this order:

  1. Content-level service account (set through the dashboard or API)
  2. Global default service account (set in the Helm chart)
  3. No service account specified (falls back to the namespace default on the cluster)
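The following script, added here as an illustration rather than Posit's own code, applies this selection order to constructed inputs and then performs the same two checks the Troubleshooting section describes (does the chosen account exist in the namespace, and does it carry the connect.posit.co/service-account label). The service-account listing imitates the shape of kubectl get sa -o json output, the Helm values mirror the values.yaml fragment above, and the namespace and account names are made up for the example.

```python
"""Resolve and sanity-check the service account a Connect content job will use.

Constructed example (not Posit's code). SAMPLE_SA_LIST mimics the shape of
`kubectl get sa -n <namespace> -o json`; SAMPLE_VALUES mirrors the Helm
values.yaml fragment. Everything runs offline.
"""
import json
from typing import Optional

CONNECT_LABEL = "connect.posit.co/service-account"

# Constructed listing. "s3-reader" shows that only the label key matters:
# Connect does not check the label's value.
SAMPLE_SA_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "default", "namespace": "connect-jobs"}},
        {"metadata": {"name": "connect-content-sa", "namespace": "connect-jobs",
                      "labels": {CONNECT_LABEL: "true"}}},
        {"metadata": {"name": "s3-reader", "namespace": "connect-jobs",
                      "labels": {CONNECT_LABEL: "enabled"}}},
        {"metadata": {"name": "unlabeled-sa", "namespace": "connect-jobs"}},
    ],
})

# Constructed Helm values, as a dict (what a YAML loader would produce).
SAMPLE_VALUES = {
    "backends": {"kubernetes": {"defaultResourceJobBase": {
        "spec": {"template": {"spec": {"serviceAccountName": "connect-content-sa"}}}}}},
}


def _items(sa_list_json: str) -> list:
    return json.loads(sa_list_json).get("items", [])


def all_service_accounts(sa_list_json: str) -> set:
    """Every service account name present in the namespace listing."""
    return {item["metadata"]["name"] for item in _items(sa_list_json)}


def labeled_service_accounts(sa_list_json: str) -> set:
    """Only the accounts Connect discovers: label key present, value ignored."""
    return {
        item["metadata"]["name"]
        for item in _items(sa_list_json)
        if CONNECT_LABEL in (item["metadata"].get("labels") or {})
    }


def global_default(values: dict) -> Optional[str]:
    """Read backends.kubernetes.defaultResourceJobBase.spec.template.spec.serviceAccountName."""
    node = values
    for key in ("backends", "kubernetes", "defaultResourceJobBase",
                "spec", "template", "spec"):
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    name = node.get("serviceAccountName") if isinstance(node, dict) else None
    return name or None


def resolve(content_sa: Optional[str], values: dict) -> tuple:
    """Apply Connect's selection order; returns (source, service account name).

    A None name means Connect sets no serviceAccountName and Kubernetes falls
    back to the namespace's default service account.
    """
    if content_sa:
        return "content", content_sa
    default = global_default(values)
    if default:
        return "global-default", default
    return "namespace-default", None


def diagnose(content_sa: Optional[str], values: dict, sa_list_json: str) -> tuple:
    """Mirror the troubleshooting checks: does the chosen account exist, and,
    for a content-level choice, is it labeled so the dashboard can offer it?"""
    source, name = resolve(content_sa, values)
    if name is None:
        return "ok", "no serviceAccountName set; Kubernetes uses the namespace default"
    if name not in all_service_accounts(sa_list_json):
        return "missing", f"{name} ({source}) does not exist in the job namespace"
    if source == "content" and name not in labeled_service_accounts(sa_list_json):
        return "unlabeled", f"{name} lacks the {CONNECT_LABEL} label; not selectable in the dashboard"
    return "ok", f"{name} selected via {source}"


if __name__ == "__main__":
    for content_sa in ("s3-reader", "unlabeled-sa", "ghost-sa", None):
        print(content_sa, diagnose(content_sa, SAMPLE_VALUES, SAMPLE_SA_LIST))
    print(None, diagnose(None, {}, SAMPLE_SA_LIST))
```

To run the same checks against a real cluster, replace SAMPLE_SA_LIST with the output of kubectl get sa -n <namespace> -o json and SAMPLE_VALUES with your loaded Helm values; the "missing" and "unlabeled" results correspond to the two failure cases described under Troubleshooting.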

Troubleshooting

A service account does not appear in the dashboard

Verify the service account has the connect.posit.co/service-account label:

Terminal
kubectl get sa -l connect.posit.co/service-account -n <namespace>

If the label is missing, add it:

Terminal
kubectl label sa <name> connect.posit.co/service-account=true -n <namespace>

A content job fails with a service account error

Verify the service account exists in the namespace where content jobs run. Check the Connect server logs for details about the failure.