Service Accounts in Coalesce
Service accounts are non-human accounts used to run automated processes, deployments, and scheduled jobs in Coalesce. Unlike individual user accounts, service accounts aren’t tied to a specific employee. This makes them more reliable for production workloads and easier to manage when team members change.
This guide explains how to configure service accounts, assign the correct roles, set up authentication, and follow security and licensing best practices.
Role and Permission Recommendations
Service accounts should follow the principle of least privilege. Only assign the roles needed for their intended purpose.
- Org Contributor
- Org Member
- Project Member
- Environment Reader
- Environment Admin (only if the service account must deploy or refresh)
If a service account is responsible for deployments or refreshes, it must have the Environment Admin role.
Authentication Method
For service accounts, key pair authentication is strongly recommended. Key pairs provide stable machine-to-machine connections, reduce overhead, and avoid issues with expiring tokens. OAuth or username/password authentication should be avoided when setting up service accounts.
Use Cases and Best Practices
Service accounts are best suited for tasks where human intervention isn’t required:
- Production deployments and refreshes: Keeps these processes separate from personal accounts.
- Scheduled jobs and automation: Ensures jobs continue running even if team members leave.
- CI/CD processes: Allows external tools to automate deployments securely.
Environment Strategy
Use personal accounts for development work. Reserve service accounts for higher environments such as QA, UAT, and Production.
For stronger security isolation, consider creating separate service accounts for each environment.
Licensing and Management
- Service accounts do not count toward your Coalesce license allocation.
- Most organizations use one or two service accounts.
Security Considerations
To keep service accounts secure, follow these best practices:
- Use distribution list emails instead of personal email addresses.
- Distribute private keys securely using encrypted methods.
- Assign only the minimum required privileges for the account’s role.
Steps to Create a Service Account in Coalesce
Follow these steps to create and configure a service account in Coalesce:
- Go to the top right of the Coalesce interface and click Organization Settings.
- Click Add New User.
  - Set the first name as Service and the last name as Account (or use a similar naming convention).
  - Use a distribution email address such as coalesce_svc@yourcompany.com instead of a personal email.
- Assign the service account to the appropriate role based on its intended use. You'll need to set it at the Org, Project, and Environment levels. If the service account is used for deployments, ensure it has the necessary environment permissions.
- Choose your authentication method. We recommend:
  - Key Pair for Snowflake
  - Machine-to-Machine for Databricks
- If your Coalesce project integrates with Snowflake, create a corresponding service account in Snowflake using SQL:

```sql
-- Run as USERADMIN; values in angle brackets are placeholders you supply.
USE ROLE USERADMIN;
CREATE USER <SERVICE-USER-USERNAME> PASSWORD='<SERVICE-USER-PASSWORD>'
  FIRST_NAME='DCR' LAST_NAME='Service User'
  EMAIL='<SERVICE-USER-EMAIL-ADDRESS>';
-- For the recommended key pair authentication, attach the public key to this
-- user with ALTER USER ... SET RSA_PUBLIC_KEY rather than relying on the password.
```
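The following shell script is an added example, not part of the Coalesce documentation: it generates the encrypted key pair that Snowflake key-pair authentication needs, produces the `ALTER USER ... SET RSA_PUBLIC_KEY` statement for the service user, and computes the fingerprint you can compare against `RSA_PUBLIC_KEY_FP` in `DESC USER`. The output directory, passphrase and user name `COALESCE_SVC` are assumptions.

```shell
#!/bin/sh
# Generate a Snowflake key pair: the private key is written as an encrypted
# PKCS#8 file (never in the clear at rest), the public key goes to Snowflake.
# Usage: gen_snowflake_keypair <output-dir> <passphrase>   (both assumed values)
gen_snowflake_keypair() {
  dir="$1"; pass="$2"
  mkdir -p "$dir"
  # 2048-bit RSA, wrapped in PKCS#8 and encrypted with AES-256.
  openssl genrsa 2048 2>/dev/null \
    | openssl pkcs8 -topk8 -v2 aes-256-cbc -inform PEM \
        -out "$dir/rsa_key.p8" -passout "pass:$pass"
  chmod 600 "$dir/rsa_key.p8"
  # Derive the public half; this is the only part that leaves the host.
  openssl rsa -in "$dir/rsa_key.p8" -passin "pass:$pass" \
    -pubout -out "$dir/rsa_key.pub" 2>/dev/null
}

# Snowflake expects only the base64 body: strip the PEM header/footer and newlines.
snowflake_public_key_value() {
  grep -v -- '-----' "$1" | tr -d '\n'
}

# Build the statement that attaches the public key to the service user.
# Usage: snowflake_alter_user_sql <SNOWFLAKE-USER> <path-to-rsa_key.pub>
snowflake_alter_user_sql() {
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" \
    "$1" "$(snowflake_public_key_value "$2")"
}

# SHA-256 fingerprint of the DER-encoded public key, in the form Snowflake
# reports as RSA_PUBLIC_KEY_FP, so the upload can be verified after ALTER USER.
snowflake_public_key_fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64 | tr -d '\n')"
}
```

Run `gen_snowflake_keypair ./keys 'your-passphrase'`, execute the printed `ALTER USER` statement as USERADMIN, then compare `snowflake_public_key_fingerprint ./keys/rsa_key.pub` with the `RSA_PUBLIC_KEY_FP` value from `DESC USER COALESCE_SVC`.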