Global Service Accounts

Global service accounts are an extension of team-based service accounts that can perform actions requiring system-level permissions. To limit the risk involved in granting system permissions, global service accounts are packaged in specific roles. Each role has only the permissions needed to perform one task, such as managing access keys or ingesting Prometheus remote write metrics. Admins create a global service account through the API, which generates a bearer token for it.

Prerequisites

To create, manage, and delete global service accounts, you must:

Manage Global Service Accounts

Admins can create or delete a global service account by performing an API call. For instructions, access the Next Gen API documentation and go to the Service Accounts section.

Here, you can find API calls to:

  • Retrieve a list of all service accounts.
  • Create a new global service account.
  • Delete a global service account.

When you create a global service account, select one of Sysdig’s pre-configured roles from the list of Available Global Service Accounts Roles.

Available Global Service Accounts Roles

A number of preset global service accounts exist, each with its own set of unique permissions. They include the following:

Runtime Insights

ROLE_RUNTIME_INSIGHTS allows risk spotlight integration. The role contains these permissions:

  • secure.risk-spotlight-integrations.read

Cloud Ingestion - Okta

ROLE_CLOUDINGESTION_OKTA allows cloud ingestion from Okta. The role contains these permissions:

  • cloudingestion-okta-ingest.write

Cloud Ingestion - GitHub

ROLE_CLOUDINGESTION_GITHUB allows cloud ingestion from GitHub. The role contains these permissions:

  • cloudingestion-github-ingest.write

Cloud Ingestion - GCP

ROLE_CLOUDINGESTION_GCP allows cloud ingestion from GCP. The role contains these permissions:

  • cloudingestion-gcp-ingest.write

Prometheus Remote Write

ROLE_PROM_REMOTE_WRITE allows ingestion of Prometheus remote write metrics. The role contains these permissions:

  • ingest.prws

Access Keys

ROLE_MANAGE_ACCESS_KEYS allows you to manage access keys. The role contains these permissions:

  • access-keys.read
  • access-keys.edit

Custom Roles

ROLE_MANAGE_CUSTOM_ROLES allows you to manage custom team roles. The role contains these permissions:

  • permissions.read
  • custom-team-roles.read
  • custom-team-roles.create
  • custom-team-roles.update
  • custom-team-roles.delete

Group Mappings

ROLE_MANAGE_GROUP_MAPPINGS allows you to manage group mappings. The role contains these permissions:

  • permissions.read
  • custom-team-roles.read
  • custom-team-roles.create
  • custom-team-roles.update
  • custom-team-roles.delete

Single Sign On Settings

ROLE_MANAGE_SSO_SETTINGS allows you to manage single sign-on settings. The role contains these permissions:

  • sso-active.edit
  • sso.config

User Provisioning

ROLE_USER_PROVISONING allows you to manage users and teams. The role contains these permissions:

  • customer-teams.read
  • teams.create
  • teams.edit
  • teams.delete
  • memberships.read
  • memberships.edit
  • memberships-roles.edit
  • users.create
  • users.read
  • users.edit
  • group-mappings.read
  • group-mappings.edit

User and Zone Provisioning

ROLE_USER_ZONE_PROVISIONING allows you to manage users, teams, and zones. The role contains these permissions:

  • customer-teams.read
  • teams.create
  • teams.edit
  • teams.delete
  • memberships.read
  • memberships.edit
  • memberships-roles.edit
  • users.create
  • users.read
  • users.edit
  • group-mappings.read
  • group-mappings.edit
  • zones.read
  • zones.edit
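The roles above are fixed bundles, so the practical least-privilege question is "which role grants what I need with the fewest extra permissions, and do I need more than one account?" The following helper, an added example that is not Sysdig code, encodes the role table exactly as listed on this page and answers that question: it ranks the roles that cover a required permission set by how much surplus they grant, audits an existing account for unused permissions, and greedily splits a permission set across several roles when no single role covers it. The functions `covering_roles`, `excess_permissions`, `unknown_permissions` and `plan_accounts` are hypothetical names chosen for this example.

```python
"""Least-privilege role selection for Sysdig global service accounts.

Added example, not Sysdig's own code. The GLOBAL_ROLES table is transcribed
from the role list on this page; the helper functions are hypothetical.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

# Shared permission block of ROLE_USER_PROVISONING (12 permissions).
_USER_PROVISIONING: FrozenSet[str] = frozenset({
    "customer-teams.read", "teams.create", "teams.edit", "teams.delete",
    "memberships.read", "memberships.edit", "memberships-roles.edit",
    "users.create", "users.read", "users.edit",
    "group-mappings.read", "group-mappings.edit",
})

# Permission block listed for both ROLE_MANAGE_CUSTOM_ROLES and
# ROLE_MANAGE_GROUP_MAPPINGS on this page.
_CUSTOM_ROLES: FrozenSet[str] = frozenset({
    "permissions.read", "custom-team-roles.read", "custom-team-roles.create",
    "custom-team-roles.update", "custom-team-roles.delete",
})

# Role name -> permissions it grants, as listed on this page.
GLOBAL_ROLES: Dict[str, FrozenSet[str]] = {
    "ROLE_RUNTIME_INSIGHTS": frozenset({"secure.risk-spotlight-integrations.read"}),
    "ROLE_CLOUDINGESTION_OKTA": frozenset({"cloudingestion-okta-ingest.write"}),
    "ROLE_CLOUDINGESTION_GITHUB": frozenset({"cloudingestion-github-ingest.write"}),
    "ROLE_CLOUDINGESTION_GCP": frozenset({"cloudingestion-gcp-ingest.write"}),
    "ROLE_PROM_REMOTE_WRITE": frozenset({"ingest.prws"}),
    "ROLE_MANAGE_ACCESS_KEYS": frozenset({"access-keys.read", "access-keys.edit"}),
    "ROLE_MANAGE_CUSTOM_ROLES": _CUSTOM_ROLES,
    "ROLE_MANAGE_GROUP_MAPPINGS": _CUSTOM_ROLES,
    "ROLE_MANAGE_SSO_SETTINGS": frozenset({"sso-active.edit", "sso.config"}),
    "ROLE_USER_PROVISONING": _USER_PROVISIONING,
    "ROLE_USER_ZONE_PROVISIONING": _USER_PROVISIONING | {"zones.read", "zones.edit"},
}


def unknown_permissions(required: Iterable[str]) -> Set[str]:
    """Permissions that no global role grants (they need a team-based account instead)."""
    known = set().union(*GLOBAL_ROLES.values())
    return set(required) - known


def covering_roles(required: Iterable[str]) -> List[str]:
    """Roles that grant every permission in `required`, least surplus first.

    Ties are broken by role name so the result is deterministic.
    """
    need = set(required)
    candidates = [role for role, perms in GLOBAL_ROLES.items() if need <= perms]
    return sorted(candidates, key=lambda role: (len(GLOBAL_ROLES[role] - need), role))


def excess_permissions(role: str, used: Iterable[str]) -> Set[str]:
    """Permissions granted by `role` that the workload never exercises.

    A non-empty result is an over-provisioning finding worth revisiting.
    """
    return set(GLOBAL_ROLES[role]) - set(used)


def plan_accounts(required: Iterable[str]) -> List[str]:
    """Greedy set cover: the roles (one service account each) needed for `required`.

    Each step picks the role covering the most still-uncovered permissions,
    preferring the one with the least surplus. Unknown permissions are skipped.
    """
    need = set(required)
    remaining = need - unknown_permissions(need)
    plan: List[str] = []
    while remaining:
        best = min(
            GLOBAL_ROLES,
            key=lambda role: (
                -len(GLOBAL_ROLES[role] & remaining),  # most new coverage first
                len(GLOBAL_ROLES[role] - need),        # then least surplus
                role,                                  # then stable by name
            ),
        )
        if not GLOBAL_ROLES[best] & remaining:
            break  # defensive: nothing left that any role can cover
        plan.append(best)
        remaining -= GLOBAL_ROLES[best]
    return plan


if __name__ == "__main__":
    # Constructed scenario: a provisioning job that only creates and reads users.
    print(covering_roles({"users.create", "users.read"}))
    print(excess_permissions("ROLE_MANAGE_ACCESS_KEYS", {"access-keys.read"}))
    print(plan_accounts({"access-keys.read", "ingest.prws"}))
```

`covering_roles` puts ROLE_USER_PROVISONING ahead of ROLE_USER_ZONE_PROVISIONING for a pure user-provisioning job because it grants two fewer unneeded permissions; `plan_accounts` shows that a workload needing both access-key reads and Prometheus ingestion cannot be served by one global role and should get two separately scoped accounts rather than a broader team-based one.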