Hierarchical Support for Service Accounts
This feature is behind the PL_ENABLE_SERVICE_ACCOUNT_HIERARCHY feature flag. Contact Harness Support to enable it.
Service accounts can be created at a higher scope and inherited by lower scopes with the necessary permissions, eliminating the need to create separate accounts for each organization or project.
The following example shows how to use an account-level service account in a project. You can apply the same process to use account-level service accounts in organizations.
Step 1: Create account-level service account
Create a Service Account at the account level. This service account can then be inherited by organizations or projects.
Step 2: Create project-level role and resource group
In your target project:
- Create a Role with the required permissions
- Create a Resource Group defining what resources can be accessed
Roles and resource groups can only be modified at the scope where they were originally assigned. Inherited roles and resource groups are visible at lower scopes but cannot be edited there.
Step 3: Inherit and assign permissions
- Navigate to Project Settings → Access Control → Service Accounts
- Select Inherit Service Account & Assign Roles
- Choose your account-level service account
- Assign the project-level role and resource group
- Select Apply
The service account is now available for this project.
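A simplified model of steps 1 to 3, added here as an illustration (it is not Harness code and does not call the Harness API): it shows that an inherited account-level service account can act in a project only through the role and resource group bound there, and gives an audit view of where a shared account has bindings. The scope paths, the names ci-bot, local-bot, pipeline-runner and deploy-pipelines, and the permission string are constructed, and the model assumes access in a project comes only from bindings made in that project.

```python
from dataclasses import dataclass, field

# Scopes are paths: ("acct",) is the account, ("acct", "org1", "projA") a project.
def covers(higher, lower):
    """True when `higher` is the same scope as `lower` or one of its ancestors."""
    return lower[:len(higher)] == higher

@dataclass
class AccessModel:
    sa_scope: dict = field(default_factory=dict)   # service account -> scope it was created at
    roles: dict = field(default_factory=dict)      # (scope, role) -> set of permissions
    groups: dict = field(default_factory=dict)     # (scope, resource group) -> set of resources
    bindings: list = field(default_factory=list)   # (service account, scope, role, group)

    def inherit_and_assign(self, sa, scope, role, group):
        """Step 3: inherit a higher-scope service account and bind a local role and group."""
        if not covers(self.sa_scope[sa], scope):
            raise PermissionError(f"{sa} was not created at or above {scope}")
        if (scope, role) not in self.roles or (scope, group) not in self.groups:
            raise LookupError("role and resource group must exist in the target scope")
        self.bindings.append((sa, scope, role, group))

    def allowed(self, sa, scope, permission, resource):
        """Assumption: access in a scope comes only from bindings made in that scope."""
        return any(b_sa == sa and b_scope == scope
                   and permission in self.roles[(b_scope, role)]
                   and resource in self.groups[(b_scope, group)]
                   for b_sa, b_scope, role, group in self.bindings)

    def reach(self, sa):
        """Audit view: every scope in which this service account holds a binding."""
        return sorted({scope for b_sa, scope, _, _ in self.bindings if b_sa == sa})

def build_demo():
    """Constructed sample data: one account-level service account, two projects."""
    proj_a, proj_b = ("acct", "org1", "projA"), ("acct", "org1", "projB")
    m = AccessModel()
    m.sa_scope = {"ci-bot": ("acct",), "local-bot": proj_b}
    m.roles[(proj_a, "pipeline-runner")] = {"pipeline_execute"}
    m.groups[(proj_a, "deploy-pipelines")] = {"pipeline/deploy"}
    m.inherit_and_assign("ci-bot", proj_a, "pipeline-runner", "deploy-pipelines")
    return m, proj_a, proj_b

if __name__ == "__main__":
    m, proj_a, proj_b = build_demo()
    print(m.allowed("ci-bot", proj_a, "pipeline_execute", "pipeline/deploy"))  # bound in projA
    print(m.allowed("ci-bot", proj_b, "pipeline_execute", "pipeline/deploy"))  # no binding in projB
    print(m.reach("ci-bot"))
```

Running `reach` over every shared service account lists the projects a leaked token for that account could touch, which is the review to repeat whenever a new project inherits it.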
Benefits
- Centralized Service Account Management: Reduces the need to create and manage multiple service accounts for each project.
- Simplified Permissions: Easily manage permissions at the project level by assigning roles to service accounts created at the account or organization level.
- Seamless Pipeline Execution: One or more service accounts can be given the necessary permissions, if required, to execute pipelines from multiple projects.
Additional Resources
For more information on how to manage service accounts, create roles, and assign permissions in Harness, refer to the following documentation on Harness Developer Hub: