Service Accounts

With Garden Cloud you can create service accounts that act as users. These can be used, for example, when running Garden Core from CI and when running Cloud Workflows or Automatic Environment Cleanups.

Creating a service account

Start by going to the team page.

From here, click the "Add user" button and check the "Service account" checkbox.

In the screenshot above we've added the service account to the "Developers" group, but you can of course choose whichever group has the permissions that meet your needs.

In general you should always ensure that users and service accounts don't have more permissions than they need. You can learn more in our guide on roles and permissions.

Once created, you can create secrets for your service account just like for any other user.

Creating an access token

To authenticate as the service account when running Garden you need to create an access token.

Click the edit pencil next to the service account to open the "Update user" modal and create the access token.

Make sure to note it down because it's only displayed once.

Now you can use this access token to authenticate against Garden Cloud when running Garden, e.g. in CI, with the GARDEN_AUTH_TOKEN environment variable.

Note that you should not add the token in plain text to your CI configuration. Instead, store it as a secret with your CI provider.

For example, in your CI pipeline, you might run the following command (where my-auth-token-reference refers to a variable, not the plain text value):

GARDEN_AUTH_TOKEN=<my-auth-token-reference> garden deploy
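
The following pre-flight wrapper is an added example, not part of Garden or its documentation. It refuses to deploy when GARDEN_AUTH_TOKEN is empty, is still an unexpanded placeholder, or appears in plain text in a CI config file. The function names and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not Garden's code). Function names and scanned paths are assumptions.

# 0 if the token is non-empty and is not an unexpanded placeholder or reference.
token_is_usable() {
  tok=$1
  [ -n "$tok" ] || return 1
  case $tok in
    '<'*'>' | '$'* | *'{{'*) return 1 ;;  # "<my-auth-token-reference>", "$VAR", "${{ ... }}"
  esac
  return 0
}

# 0 if the token value appears verbatim in any of the listed files.
# The value is piped to grep (printf is a builtin in bash and dash), so it never shows up in argv.
token_in_files() {
  tok=$1
  shift
  [ -n "$tok" ] || return 1
  for f in "$@"; do
    [ -f "$f" ] || continue
    if printf '%s\n' "$tok" | grep -qF -f - -- "$f"; then
      return 0
    fi
  done
  return 1
}

# Pre-flight, then deploy. Arguments: CI config files to scan for the plain-text token.
garden_ci_deploy() {
  set +x  # keep the token out of traced command output in the job log
  if ! token_is_usable "${GARDEN_AUTH_TOKEN:-}"; then
    echo "GARDEN_AUTH_TOKEN is empty or was not expanded from the CI secret" >&2
    return 2
  fi
  if token_in_files "$GARDEN_AUTH_TOKEN" "$@"; then
    echo "GARDEN_AUTH_TOKEN is stored in plain text in a CI config file" >&2
    return 3
  fi
  export GARDEN_AUTH_TOKEN
  garden deploy
}

# Usage in a CI step (paths are examples):
#   garden_ci_deploy .gitlab-ci.yml .github/workflows/deploy.yml
```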

Cloud Workflows and Automatic Environment Cleanup

You can use service accounts to run Cloud Workflows and AEC jobs.

Simply go to the settings page for the given project, click the gear icon for the relevant environment and select the service account.
