Working with Service Account
Last updated
English
Last updated
Service Account is an identity that you can create in your account that has specific permissions. Service Account has some similarities to IAM users. Service Account and IAM User Account are both identities with Policies that define what the identity can and cannot do with VNG Cloud resources. However, Service Account is an identity used by an application or a machine, not a person, to make authorized API calls and access specified resources.
To create a Service Account, follow the steps below:
Log in to with Root User Account.
Select Service Account .
Select Create a Service Account.
In the Add information section , enter the Name you want. The Service Account name must be from 1 (minimum) to 50 (maximum) characters long and can only include uppercase letters, lowercase letters (az, AZ), numbers (0-9), periods (.), underscores (_), hyphens (-) and spaces ( ). The Service Account name should not contain sensitive information (e.g. IP address, login password, etc.) and the Service Account name must be unique on a VNG Cloud account until the Service Account is deleted. For example, the following Service Account name is valid: SA_Client_tool_01.
In the Trusted relationship field, enter Account Root IS if you want to add association information between the Service Account and the Root User Account.
Select Next step .
In the Add permission section , you can:
Select 1 or more policies that you have to associate with the Service Account. The vIAM system supports you to assign multiple policies to a Service Account. If these policies contain independent permissions, they will complement each other (ie the permission list is merged). On the contrary, if these policies contain conflicting permissions, you will not be able to access the corresponding resources according to this permission list (ie the permission list is merged and when conflicting, they will cancel each other out).
If the policy list does not have the policy you want, you can continue with the steps below and we accept policy creation after creating the Service Account.
Select Copy to copy the Secret key. You must collect this information to access vStorage using the Service Account.
Select Download to download this secret key and store it on your local device.
Select Back to list to return to the screen containing the Service Account list.
After you complete the 10 steps above, a Service Account has been created.
To initialize a policy used to access vStorage resources, follow the steps below:
Select the Policy folder .
Select Create a Policy .
Enter Name and Description if given for Policy.
Select Next step .
Select Product as vstorage-hcm04 .
Select Actions :
Select Allow permissions : by default, the vIAM system will always be on, which means allowing permissions to be applied to the policy. If you turn this mode off, the system will deny (reverse) the corresponding permissions.
Allow permissions : allow access according to the selected action.
Deny permissions : deny access according to the selected action.
Select All vstorage-hcm04 actions if you want to create a policy that has the right to perform all actions on vStorage. Or you can select some specific actions that you want to authorize for the Service Account.
Select Resources : select All resources.
Select Request conditions: enter special conditions for the policy if any.
Once you have created the desired Service Account and Policy, you will need to link the Service Account to the policy as per the instructions below:
Select the Service Account folder .
Select the Service Account you want to assign permissions to.
Select Attach policies .
Select the policies you want. The vIAM system supports you to assign multiple policies to a Service Account. If these policies contain independent permissions, they will complement each other (ie the permission list is merged). On the contrary, if these policies contain conflicting permissions, you will not be able to access the corresponding resources according to this permission list (ie the permission list is merged and when conflicting, they will cancel each other out).
Select Attach .
To grant access to bucket/object for Service Account, you need to grant permission via Bucket Policy, specifically the steps are as follows:
In the Identity and Access Management section , copy the vStorage User ID information in the List of Service Account section .
Continue to select the Bucket you want to assign permissions to the Service Account.
Select the Action icon and select Configure policy.
Here, you can choose the configuration for each Statement on the left or directly edit the JSON file in the right column. Specifically, the structure of a Bucket Policy includes:
Version : Specifies the version of the Bucket Policy (recommended "2012-10-17").
Statement : Each policy will have one or more Statements (specific purposes of the policy).
Effect : Allowor Denyaccess.
Principal : The object granted access, which is the IAM vStorage User ID information you copied above
Action : Actions allowed on the bucket, for example: s3:GetObject(view object), s3:PutObject(upload object), s3:DeleteObject(delete object),…
Resource : Specific buckets and objects affected by the policy (using ARN to identify resources).
Condition : (Optional) Specific condition that restricts access.
5. Select Save to save the Bucket Policy configuration.
Follow the steps below to work with vStorage via Service Account
Select the Integration folder .
Select the vStorage API icon .
In the Authentication section , you need to fill in the necessary information to configure your vStorage API including:
Enter the Client ID . A Client ID is a string of characters used by the Service API to identify your application, and is also used to construct the "authorization URL" displayed to the user. You can create and manage Client IDs through the vIAM system. The Client ID is automatically generated when you create a new Service Account .
Once you've finished selecting your authentication configuration , select Authentication to go to the Configuration screen . Here you can use the vStorage APIs directly, or you can use the API via Postman . You can always come back here to change your Authorization information , then select Authentication again to update the S3 Rest API list with your new parameters.
To cancel (delete) a previously created Service Account, follow the instructions below:
Select Service Account .
On the list of existing Service Accounts, select one or more Service Accounts that you want to cancel (delete).
Select Delete .
Once the Service Account is successfully cancelled, you will no longer be able to use this Service Account to access vStorage. Be careful when cancelling (deleting) a Service Account as you will not be able to recover this deleted account.
Log in to with Root User Account.
Log in to with Root User Account.
Log in to .
Select iconin the project containing the bucket you want to grant permissions to.
Log in to .
Enter the Client Secret corresponding to the Client ID you just entered. The Client ID and Client Secret pair are created and managed by you through the vIAM system. You can select so we can navigate you to the vIAM system and in detail the Service Account management screens.
For details, please refer to .
Log in to with Root User Account.
