Service Accounts

Service accounts are machine identities that enable automated machine-to-machine access to resources (Sockets) through Border0, allowing scripts and applications to securely interact with our platform without human intervention. Essentially, they are machine accounts that can be used for automation, providing a secure and audited way to access resources. By using service accounts, you can streamline your workflows, improve efficiency, and reduce the risk of human error.

The service identities can have a role just like your human users. Based on the role, the service account will have access to sockets, and/or the Border0 admin API, which will allow it to manage your Border0 resources. Just like your human account, a service account can be added to a Border0 Policy, which will allow you to control to what Sockets the account will have access.

Creating a Service Account

Service Accounts can be created via API, CLI tool or in the Portal (click here)

To create a Service Account using the portal, navigate to "Team > Service Accounts" on the left menu panel. Note that every service account will need a Token too. So after creating a service account, select "Access Tokens" and then click the "New" button on the top of the Access Tokens page.

Create Service Account

All tokens must be given a role at creation-time. You can learn more about available roles in the Role Based Access Control (RBAC) page. The TL;DR; is:

  • If you want your service account to be able to manage Border0 itself, choose between the Admin, Member, or Read Only roles
  • If you only want to use your service account as a socket client, choose the Client Access Only role

Once we have our Service Account created we can proceed to creating Tokens and including it in access policies

Tokens and Service Accounts

Service Account Tokens can be created via API, CLI tool or by organization admins in the Portal

To create a token using the portal, navigate to "Team > Service Accounts" on the left menu panel.
After that, select the Service Account you wish to create a token for.

Once in the Details panel for your selected Service Account click the "Actions" button on the top of the page and select "Create token"

🚧

Remember to copy the token to your clipboard

You will not be able to retrieve it again

📘

Your token will look something like this

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiJteS1hd2Vzb21lLW9yZy1pZCIsInR5cGUiOiJ0b2tlbiIsInVzZXJfaWQiOiJ0aGlzLWlzLW15LXVzZXItaWQifQ.m6sk5616to2_y_Y4hA2BbjCD_a_h64A7Rs6hWbUWS4k

🚧

Tokens are secrets!

Make sure you handle and store tokens with appropriate security tools and protocols. Token privilege level is inherited from the Service Account Role.

Policy Access

If you use your newly created service account to access Sockets (your servers) in an automated way, then the next step is to make sure your service account is added to the appropriate policy.

Add Service-Account to a policy

We can create a new policy for our service account or update an existing policy to grant access to our new Service Account.

Policy changes can be made via API, cli tool or by organisation admins in the Portal

To update any policy using the portal, navigate to "Policies" on the left menu panel, then select the policy you want to modify or use "New Policy" button to create a new policy.

In the example below, we'll be adding our new Service Account to existing "org-default-policy"

Once the Service Account is added to an access policy, any Token for that Service account can be used to access socket content, provided the policy allows it.

Using Your Service Account

To use your newly created service account token with the border0 cli you need to make the token available as an environment variable.

There are 2 variations depending on the use case, admin or client (Socket) access

Admin Access

You can use your new service account to perform administrative actions to your Border0 account. For example, listing and creating Sockets, users, policies and more.

BORDER0_ADMIN_TOKEN is used to interact with the administrative functions, creating resources or updating them etc.

For examples:

export BORDER0_ADMIN_TOKEN=<TOKEN>
border0 socket ls

or

export BORDER0_ADMIN_TOKEN=<TOKEN>

curl -X "GET" \
 https://api.border0.com/api/v1/sockets \
 -H "accept: application/json" \
 -H "Authorization: $BORDER0_ADMIN_TOKEN" 

Client Access

Service accounts can be used to access Sockets (your servers) through the Border0 platform. A typical example is machine-to-machine access.

BORDER0_CLIENT_TOKEN will only apply to client features while accessing sockets

For examples:

export BORDER0_CLIENT_TOKEN=<TOKEN>
border0 client ssh my-ssh-socket-demo.border0.io

or

export BORDER0_CLIENT_TOKEN=<TOKEN>

curl -X "GET" \
 https://api.border0.com/api/v1/client/resources \
 -H "accept: application/json" \
 -H "Authorization: $BORDER0_CLIENT_TOKEN" 

👍

Machine to Machine Access

Using client service accounts and their tokens enables programmatic use of Border0 and other M2M applications

Client Service Account Tokens can be used across all socket types. This means that HTTP sockets can be accessed like so:

export BORDER0_CLIENT_TOKEN=<TOKEN>

curl -X 'GET'  https://nginx1-demo.border0.io \
 -H "Border0-Token: $BORDER0_CLIENT_TOKEN"

Note: make sure your service account is added to the correct Policy to ensure your service account can access the socket.

👍

Automation with Ansible and AWX

Border0 released Ansible Tower/AWX integration, for details you can go to our knowledge base article: Ansible AWX

Working with Docker

We publish docker image alongside our binary toolkit release, you can pull it from GitHub registry. Below an example demonstrating how to access an ssh socket using a service account.

docker pull ghcr.io/borderzero/border0

docker run --rm -ti --env BORDER0_CLIENT_TOKEN=$BORDER0_CLIENT_TOKEN \
 ghcr.io/borderzero/border0 client ssh my-ssh-socket-demo.border0.io