
Attach Service Accounts to servers


This page describes how to attach a custom, managed Service Account to a server.

Attaching a Service Account to a server allows applications running on that instance to authenticate to STACKIT APIs and services without handling long-lived credentials. Instead of a static key baked into an image or a config file, the server retrieves short-lived tokens from the Metadata Service, which makes credential rotation and revocation a platform concern rather than an application one.

To attach a Service Account to a server, you must have specific permissions that allow you to “act as” the Service Account and to “create” or “modify” the server instance.

1. Permission to act as the Service Account

You must have the permission to assume the identity of, or “act as”, the specific Service Account you wish to attach. This ensures that users can only authorize code to run with the privileges of Service Accounts they explicitly control.

Required permission:

  • iam.service-account.act-as

This permission is included in the following predefined roles:

Scope                              Predefined roles
Organization / folder / project    owner, editor, iam.service-account-user
Service Account level              user

2. Permission to configure the virtual machine


You must also have permission to modify the specific server instance (or create a new one) where the Service Account will be attached.

Required permission (one of the two, depending on the operation):

  • iaas.server.create (when creating a new server with the Service Account attached)
  • iaas.server.service-account.add (when attaching or replacing the Service Account on an existing server)

These permissions are included in the following predefined roles:

Scope                 Predefined roles
Organization          owner, editor, iaas.admin
Folder / project      owner, editor, iaas.admin, compute.admin

When you attach a Service Account to a server, you are essentially bridging two resources. Therefore, the authorization check validates your access to both sides of the operation, and both checks must pass:

  • The identity: The system checks that you hold the iam.service-account.act-as permission on the Service Account resource itself (granted directly on the Service Account, or inherited from a role on the project, folder, or organization that contains it).
  • The resource: The system checks that you hold the iaas.server.service-account.add permission (or iaas.server.create for a new server) on the project, folder, or organization that contains the server.

When creating a new instance, you can specify a user-managed Service Account to be associated with the server. Ensure your User Account holds the roles listed above for the project where the server is being created and for the Service Account you are selecting.

You can update an existing instance to attach or replace a Service Account. This operation requires the same iaas.server.service-account.add permission on the existing instance and the iam.service-account.act-as permission on the target Service Account.