| title | slug | description | keywords | page_purpose | audience | author | content_owner | sort_order |
|---|---|---|---|---|---|---|---|---|
Set up an Artifactory service account |
setup-artifactory-service-account |
Describes how a user can set up their Artifactory service accounts. |
Archeobot, Artifactory, images, artifact, Artifactory management, service account |
Details how to set up Artifactory service accounts. |
technical lead, developer |
Jonathan Bond |
Cailey Jones |
8 |
Last updated: January 30, 2024
Artifactory access is controlled through Artifactory service accounts. Service accounts are meant to be shared by teams and used by automation tools like pipelines.
When referring to service accounts, keep in mind the following differences:
ArtifactoryServiceAccountrefers to an OpenShift object with typeArtifactoryServiceAccount. This is a custom resource that the Platform Services team created in OpenShift.- Artifactory "service account" refers to the actual account that exists inside the Artifactory software, which you can then use to interact with Artifactory's features. While closely related to each other, they're not the same.
An Artifactory service account is not required to make use of the remote (caching) Docker repositories or the Platform Team's images in bcgov-docker-local. There are cluster-wide pull secrets that allow you to make use of these Docker repos without any additional effort. You can learn how to do this in our Pull artifacts from Artifactory documentation. A separate Artifactory service account is only required for pulling Docker images from private repositories, or artifacts other than Docker images.
You are able to create your Artifactory Service Account in any namespace, so feel free to organize them into namespaces in whatever way best suits your team's needs. The Platform Team recommends using the -tools namespace as a default option.
If you are working in the Gold and Gold-DR clusters, please note that Archeobot, the operator overseeing the creation and maintenance of ArtifactoryServiceAccount objects, operates solely in Gold and not in Gold DR. You must initiate the creation of the ArtifactoryServiceAccount object in the Gold cluster, and Archeobot will generate the associated objects (such as your pull secrets) in your Gold namespace. The responsibility lies with your team to synchronize these secrets with Gold DR.
Run the following command to create a new service account:
oc process -f https://raw.githubusercontent.com/bcgov/platform-services-archeobot/master/archeobot/config/samples/tmpl-artifactoryserviceaccount.yaml -p NAME="[ASAname]" -p DESCRIPTOR="[Description of Service Account]" | oc create -f -The ASAname refers to the name of the ArtifactoryServiceAccount object, not the actual account. The Platform Team recommends choosing a name that reflects how you plan to use the account. For instance, if you're creating an account specifically for your Tekton pipeline, a suitable name could be tekton for the Artifactory Service Account object. This results in a secret named artifacts-tekton-[random] and an account named tekton-[namespace]-[random]. There's no need to worry about name collisions with other teams; your account name incorporates your namespace plate (the six alphanumeric characters preceding -tools, -dev, -test, or -prod in the namespace name). Even if another team named their ArtifactoryServiceAccount tekton, they have a distinct name.
Once Archeobot reconciles your changes, you can utilize this account to access Artifactory.
To gather the random license plate assigned to the end of each ArtifactoryServiceAccount name and obtain additional details, execute oc describe artsvcacct default. This command provides information about the reconciliation status and other account details. If you require assistance with the Artifactory service account object, make sure to include both the spec and status information in your support ticket.
Note: ArtifactoryServiceAccount objects have two available short-names to make them easier to use in the CLI: ArtSvcAcct and ArtSA.
You can get the username and password out of the secret using the following command:
oc get secret/artifacts-default-[random] -o json | jq '.data.username' | tr -d "\"" | base64 -d
oc get secret/artifacts-default-[random] -o json | jq '.data.password' | tr -d "\"" | base64 -dYou can delete a service account by deleting the ArtifactoryServiceAccount object through the OpenShift CLI.
You can use the following command to accomplish it:
oc delete ArtifactoryServiceAccount [ASAname] or oc delete artsvcacct [ASAname].
After completing this process, Archeobot takes care of relevant cleanup tasks, including secrets generated for you. If you attempt to delete the default service account, a new one will be recreated. It's important to note that Archeobot only manages the cleanup of secrets it has generated specifically for you. If you have created any secrets independently using this account's information, such as a secret in Gold DR, you will need to delete that secret manually.
If you have unintentionally deleted the secret for your Artifactory service account, follow the commands above to delete the ArtifactoryServiceAccount object. Archeobot will detect the deletion of the object and subsequently remove the service account from Artifactory.
If you delete the default service account this way, a new one will automatically be created for you. Otherwise, you're free to create a new service account using the steps outlined in Create a service account. This will create for you a new service account with new secrets that you can use.
Keep in mind that this is a new account, and that you will need to re-add this account to your Artifactory Project(s), if necessary. Instructions for this can be found in our Setup an Artifactory project and repository documentation.