https://prefect.io logo
#prefect-community
Title
# prefect-community
a

Alex Shea

05/06/2022, 12:36 AM
I just started at a company using perfect, but it's a version from before service accounts. I want to bring it up to match the docs and guides, but I am failing to understand the need for more than one service account with agent runs. What is the benefit to having individual service accounts for each agent instead of one service account with one key per agent?
a

Anna Geller

05/06/2022, 12:40 AM
one benefit would be a more fine granular permission scope/separation of concerns kind of. Imagine you would want to shut down a machine and deactivate the API key. Similarly, if your VM instance would get compromised somehow, you could deactivate the respective API key
but you could use the same API key for multiple agents - technically it's totally possible
a

Alex Shea

05/06/2022, 12:53 AM
So you are saying if you have the keys separated by service accounts, then I could just deactivate the service account and not need to worry about accidental overuse. Technically the key of that service account could still be shared though and it's a matter of controls is how I see it. We also only have access to the three built in roles so the granularity sounds to be something we may want to gain by upgrading plans. What kind of granular controls might I see?
a

Anna Geller

05/06/2022, 12:56 AM
it's a matter of controls is how I see it
yup, 💯 if you are asking about RBAC, this is something available only on an Enterprise plan and you would need to talk to sales@prefect.io to set it all up - or were you asking about something else?
a

Alex Shea

05/06/2022, 12:59 AM
You mentioned granular controls between service accounts for systems. I have not seen anything outside of admin, user, viewer. I would assume you are talking rbac, but don't like assuming.
k

Kevin Kho

05/06/2022, 2:30 AM
If we are talking about 1.0, you can make custom roles.
upvote 1
a

Anna Geller

05/06/2022, 11:08 AM
@Alex Shea if you need RBAC and more granular permission boundaries for various things, talking to sales@prefect.io will be more productive than discussing it here since those features are Enterprise only
👍 1
5 Views