Create Cloud Foundry Service Accounts

In this Topic you will learn how to create Cloud Foundry Service Accounts and how you can use them. Service Accounts can be used to access the Cloud Foundry API and interact with your spaces without using your personalized access credentials. This is especially helpful if you want to automate the deployment of your app or other interactions with your application. With a Service Account you can restrict what the automation tool can do and access and keep your personal access credentials secret.

The Service Account in the Marketplace

Our service that is offering technical account creation is called space-scoped-service-account on the cf marketplace - you can easily retrieve more information about it via the Cloud Foundry CLI using the following command:

cf marketplace -s space-scoped-service-account

Currently we are offering the following service plans:

Name	CF Role	Description
space-deployer	SpaceDeveloper	A service account for continuous deployment, limited to a single space
space-auditor	SpaceAuditor	A service account for auditing configuration and monitoring events limited to a single space

Step by step to the Service Account

After you decided what the proper service plan is for your use-case, you need to do the following steps:

1. Create a new service instance with the plan and give it proper name:

   cf create-service space-scoped-service-account space-deployer <SERVICE_ACCOUNT_NAME>

2. Create a service key for the service you just created:

   cf create-service-key <SERVICE_ACCOUNT_NAME> <SERVICE_KEY_NAME>

   The username is autogenerated from the space name, so you need to specify an additional prefix, if you like to add additional accounts to the same space:

   cf create-service-key <SERVICE_ACCOUNT_NAME> <SERVICE_KEY_NAME2> -c '{\"user_prefix\": \"<SERVICE_KEY_PREFIX>\"}'

3. The actual credentials can be retrieved if you look at the service-key that you created in the last step:

   cf service-key <SERVICE_ACCOUNT_NAME> <SERVICE_KEY_NAME>

There is no password expiration for your service accounts, so you are not forced to change the password regularly. Refer to this guide, if you like to change the password for your service account: “Do a password rotation”.

Assign the SpaceDeveloper role to an existing account

The service account is automatically added to the space where you create the service in. The broker also grants the Cloud Foundry role that is corresponding to the chosen service plan to the service account. Depending on you requirements, you can either create a service per space or grant the SpaceDeveloper role to one service account for all of your spaces.

Assigning the SpaceDeveloper role to a user needs at least the SpaceManager role in the target space. Most of the time this is done by the OrgManager.

cf set-space-role <SERVICE_ACCOUNT_NAME> <ORG_NAME> <SPACE_NAME> SpaceDeveloper