Service Accounts in Coalesce

Service accounts are non-human accounts used to run automated processes, deployments, and scheduled jobs in Coalesce. Unlike individual user accounts, service accounts aren’t tied to a specific employee. This makes them more reliable for production workloads and easier to manage when team members change.

This guide explains how to configure service accounts, assign the correct roles, set up authentication, and follow security and licensing best practices.

Role and Permission Recommendations

Service accounts should follow the principle of least privilege. Only assign the roles needed for their intended purpose.

Recommended roles:

  • Org Contributor
  • Org Member
  • Project Member
  • Environment Reader
  • Environment Admin (only if the service account must deploy or refresh)

If a service account is responsible for deployments or refreshes, it must have the Environment Admin role.

Authentication Method

For service accounts, key pair authentication is strongly recommended. Key pairs provide stable machine-to-machine connections, reduce overhead, and avoid issues with expiring tokens. OAuth or username/password authentication should be avoided when setting up service accounts.

Use Cases and Best Practices

Service accounts are best suited for tasks where human intervention isn’t required:

  • Production deployments and refreshes: Keeps these processes separate from personal accounts.
  • Scheduled jobs and automation: Ensures jobs continue running even if team members leave.
  • CI/CD processes: Allows external tools to automate deployments securely.

Environment Strategy

Use personal accounts for development work. Reserve service accounts for higher environments such as QA, UAT, and Production.

For stronger security isolation, consider creating separate service accounts for each environment.

Licensing and Management

Security Considerations

To keep service accounts secure, follow these best practices:

  • Use distribution list emails instead of personal email addresses.
  • Distribute private keys securely using encrypted methods.
  • Assign only the minimum required privileges for the account’s role.

Steps to Create a Service Account in Coalesce

Follow these steps to create and configure a service account in Coalesce:

  1. Go to the top right of the Coalesce interface and click Organization Settings.

  2. Click Add New User.

    1. Set the first name as Service and last name as Account (or use a similar naming convention).
    2. Use a distribution email address such as coalesce_svc@yourcompany.com instead of a personal email.
  3. Assign the service account the appropriate role based on its intended use. You'll need to set the role at the Org, Project, and Environment levels. If the service account is used for deployments, ensure it has the necessary environment permissions.

    [Screenshot: Org Settings page showing a modal dialog to add a new user, with fields for first name, last name, email, password option, and role selection. ‘Service Account’ is entered as the name, and the role is set to Org Member.]
  4. Choose your authentication method. We recommend:

  5. If your Coalesce project integrates with Snowflake, create a corresponding service account in Snowflake using SQL:

    USE ROLE USERADMIN;
    CREATE USER <SERVICE-USER-USERNAME> PASSWORD='<SERVICE-USER-PASSWORD>'
      FIRST_NAME='DCR' LAST_NAME='Service User'
      EMAIL='<SERVICE-USER-EMAIL-ADDRESS>';
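
The guide recommends key pair authentication and encrypted handling of private keys. The script below is an added example, not code from Coalesce or Snowflake: it generates a passphrase-encrypted RSA key pair with OpenSSL and prints the statement that registers the public key on the Snowflake user. The file names, the KEY_PASSPHRASE variable, and the user name passed as the second argument are assumptions.

```shell
#!/bin/sh
# Added example: RSA key pair for a Snowflake service user.
# Assumptions: file names rsa_key.p8 / rsa_key.pub, the KEY_PASSPHRASE
# variable, and the user name given as the second argument.
set -eu

# Write an encrypted PKCS#8 private key and its public key into directory $1.
# The passphrase comes from the environment, not from the command line.
gen_keypair() (
  : "${KEY_PASSPHRASE:?set KEY_PASSPHRASE first}"
  umask 077   # both files are created readable by the owner only
  openssl genrsa 2048 2>/dev/null |
    openssl pkcs8 -topk8 -v2 aes-256-cbc -inform PEM \
      -passout env:KEY_PASSPHRASE -out "$1/rsa_key.p8" &&
  openssl rsa -in "$1/rsa_key.p8" -passin env:KEY_PASSPHRASE \
    -pubout -out "$1/rsa_key.pub" 2>/dev/null
)

# Print the statement that registers public key file $1 on Snowflake user $2.
# Snowflake takes the base64 body only, without the PEM delimiter lines.
pubkey_sql() {
  body=$(grep -v '^-----' "$1" | tr -d '\n')
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$2" "$body"
}

# Print the fingerprint to compare with RSA_PUBLIC_KEY_FP from DESC USER.
pubkey_fp() {
  fp=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64)
  printf 'SHA256:%s\n' "$fp"
}

# Usage (KEY_PASSPHRASE exported beforehand):
#   sh make_keypair.sh <output-dir> <snowflake-user>
if [ "$#" -eq 2 ]; then
  gen_keypair "$1"
  pubkey_sql "$1/rsa_key.pub" "$2"
  pubkey_fp "$1/rsa_key.pub"
fi
```

Run the printed statement in Snowflake with a role that is allowed to alter the user, then compare the printed fingerprint with the RSA_PUBLIC_KEY_FP property shown by DESC USER.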