I just started at a company using perfect, but it's a version from before service accounts. I want to bring it up to match the docs and guides, but I am failing to understand the need for more than one service account with agent runs. What is the benefit to having individual service accounts for each agent instead of one service account with one key per agent?

one benefit would be a more fine granular permission scope/separation of concerns kind of. Imagine you would want to shut down a machine and deactivate the API key. Similarly, if your VM instance would get compromised somehow, you could deactivate the respective API key

So you are saying if you have the keys separated by service accounts, then I could just deactivate the service account and not need to worry about accidental overuse. Technically the key of that service account could still be shared though and it's a matter of controls is how I see it. We also only have access to the three built in roles so the granularity sounds to be something we may want to gain by upgrading plans. What kind of granular controls might I see?

it's a matter of controls is how I see it

yup, 💯 if you are asking about RBAC, this is something available only on an Enterprise plan and you would need to talk to sales@prefect.io to set it all up - or were you asking about something else?

You mentioned granular controls between service accounts for systems. I have not seen anything outside of admin, user, viewer. I would assume you are talking rbac, but don't like assuming.

If we are talking about 1.0, you can make custom roles.

@Alex Shea if you need RBAC and more granular permission boundaries for various things, talking to sales@prefect.io will be more productive than discussing it here since those features are Enterprise only