Service Account Installation

Service accounts are accounts that aren't tied to a human identity. They are designed for machines or servers, for example a monitoring node or CI/CD server. For these cases, you can use a machine token (service account) to connect as a client to your Border0 VPN. Service accounts are similar to human accounts but are specifically for machines that cannot connect with an SSO account.

Creating a Service Account

The first step is to create a service account. New service accounts can be created on the Team page, under "Service Accounts."

When asked for the Role, make sure to select "Client Access Only." Give the service account a name and create a token for it. The token should be kept secret as it represents the service account's credentials.

Downloading the Client

Next, download the Border0 client for your operating system:

Linux (amd64):

sudo curl https://download.border0.com/linux_amd64/border0 \
    -o /usr/local/bin/border0 \
    && sudo chmod +x /usr/local/bin/border0

Linux (arm):

sudo curl https://download.border0.com/linux_arm/border0 \
    -o /usr/local/bin/border0 \
    && sudo chmod +x /usr/local/bin/border0

Linux (arm64):

sudo curl https://download.border0.com/linux_arm64/border0 \
    -o /usr/local/bin/border0 \
    && sudo chmod +x /usr/local/bin/border0

macOS (amd64):

sudo curl https://download.border0.com/darwin_amd64/border0 \
    -o /usr/local/bin/border0 \
    && sudo chmod +x /usr/local/bin/border0

Windows (amd64):

curl https://download.border0.com/windows_amd64/border0.exe -o border0.exe

Installing the Service Using the Service Account

First, export the service account token as an environment variable:

export BORDER0_TOKEN=YTNkZWQ4OGI2O.....

Next, install the border0 VPN client as a service. The --start-vpn flag will ensure it automatically starts the VPN tunnel:

sudo -E border0 node install --start-vpn

Alternatively, instead of using the BORDER0_TOKEN environment variable, you can point to a file containing the token using the --token flag.

sudo border0 node install --start-vpn --token from:file:/path/to/your/token/file
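One way to prepare the token file for the --token from:file: option so that the token stays out of shell history and is readable only by its owner. This is an added example, not part of the Border0 documentation; the function names are hypothetical and the path in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not Border0 code. Function names are hypothetical.

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Read the token from stdin into an owner-only file, so it never appears
# in argv, the environment, or shell history.
write_token_file() {
    (
        umask 077
        # Truncate and tighten permissions before any secret is written.
        : > "$1" && chmod 600 "$1" && cat >> "$1"
    )
}

# Return 0 only if the file is a non-empty regular file (not a symlink)
# with no group/other permission bits set.
token_file_ok() {
    local f="$1" mode
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "token file is empty: $f" >&2; return 1; }
    mode="$(file_mode "$f")" || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "mode $mode exposes the token beyond its owner: $f" >&2; return 1 ;;
    esac
}

# Run the install command from this page only after the file passes the check.
install_with_token_file() {
    token_file_ok "$1" || return 1
    sudo border0 node install --start-vpn --token "from:file:$1"
}

# Usage (path is a placeholder):
#   write_token_file /path/to/your/token/file   # paste token, then Ctrl-D
#   install_with_token_file /path/to/your/token/file
```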

Example headless installation:

root@cicd-server:~# export BORDER0_TOKEN=YTNkZWQ4OGI2O.....
root@cicd-server:~# border0 node install --start-vpn
🚀 Border0 device service installed successfully!
🚀 Border0 device service started successfully!

Check the status of the service:

service border0 status

If all went well, the device should now appear as online on the Devices page.


Managing Service Account Access

From now on, you can add this service account to Policies, just like any other identity, and provide it with the granular access it needs for its role. You can also monitor all of its sessions on the Session Log page, giving you full visibility into its activity. This allows you to manage access for your automated systems just as effectively as you manage access for your human users.

📘 Don't forget to add your Service Account to a Policy.

Make sure to give the service account sufficient permissions by adding it to the appropriate policy. Without being included in a policy, the service account will not be able to connect to anything.


Service account Session log