Creating a service account for each application and service that you connect to Materialize is considered a security best practice. But until now, you’ve had to provision a real email address for each service account (e.g., infra+production-dashboard@foo.corp) and manually click the link in each activation email. This friction has been one of our most reported issues.
Today, we rolled out native support for service accounts—no email addresses required! 🎉
If you have the Organization Admin role, you can use the App Passwords page in the Materialize Console to create service-type app passwords. You choose the name of the service user at the time you create the app password.
To manage service accounts with code, you can use our Terraform provider to create service accounts. Here’s an example of how you might provision a service account and appropriate privileges for a dashboard application using Terraform:
```hcl
# Create the service user for the dashboard in the aws/us-east-1 region.
resource "materialize_role" "production_dashboard" {
  name   = "svc_production_dashboard"
  region = "aws/us-east-1"
}

# Allow the dashboard user to use the "production_analytics" database.
resource "materialize_database_grant" "database_usage" {
  role_name     = materialize_role.production_dashboard.name
  privilege     = "USAGE"
  database_name = "production_analytics"
  region        = "aws/us-east-1"
}

# Create an app password for the dashboard user.
resource "materialize_app_password" "production_dashboard" {
  name = "production_dashboard_app_password"
  # The following fields are new in v0.8.1.
  type  = "service"
  user  = materialize_role.production_dashboard.name
  roles = ["Member"]
}

# Export the user and password for use in the dashboarding tool.
output "production_dashboard_user" {
  value = materialize_role.production_dashboard.name
}

output "production_dashboard_password" {
  value = materialize_app_password.production_dashboard.password
  # The password attribute is sensitive; Terraform refuses to plan an output
  # derived from a sensitive value unless the output is marked sensitive too,
  # and marking it keeps the secret out of `terraform apply` and plan output.
  sensitive = true
}
```
You’ll need to be running v0.8.1 or later of the Materialize Terraform provider to run the above example.
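Once service accounts live in Terraform, the plan itself becomes the place to enforce least privilege before anything is applied. The script below is an added example, not code from this post or from the Materialize provider: it reads the JSON that `terraform show -json <planfile>` produces and reports any service-type app password that is not bound to a `svc_`-prefixed role, any grant that gives such a role more than read-style privileges, and any output that exposes an app password without being marked sensitive. The `svc_` prefix, the allowed-privilege set and the sample plan embedded for offline runs are assumptions drawn from the example above, and the grant resource types listed are the ones the check looks at; extend them to match your own policy.

```python
"""Policy check for Materialize service-account Terraform plans.

Added example (not from the post or the Materialize provider). Reads the JSON
emitted by `terraform show -json <planfile>` and flags drift from the pattern
in the post: service app passwords bound to svc_* roles, read-only grants for
those roles, and password outputs marked sensitive.
"""
import json
import sys

# Assumptions: service roles use the svc_ prefix from the post, and a
# dashboard-style role needs only these read-style privileges.
SERVICE_ROLE_PREFIX = "svc_"
ALLOWED_SERVICE_PRIVILEGES = {"USAGE", "SELECT"}
GRANT_RESOURCE_TYPES = {
    "materialize_database_grant",
    "materialize_schema_grant",
    "materialize_table_grant",
    "materialize_cluster_grant",
}


def _walk_resources(module):
    """Yield every planned resource in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def check_plan(plan):
    """Return policy findings (strings) for one `terraform show -json` document."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_resources(root):
        vals = res.get("values") or {}
        rtype = res.get("type")
        if rtype == "materialize_app_password" and vals.get("type") == "service":
            user = vals.get("user", "")
            if not user.startswith(SERVICE_ROLE_PREFIX):
                findings.append(f"{res['address']}: service app password bound to "
                                f"non-service user {user!r}")
        elif rtype in GRANT_RESOURCE_TYPES:
            role = vals.get("role_name", "")
            priv = str(vals.get("privilege", "")).upper()
            if role.startswith(SERVICE_ROLE_PREFIX) and priv not in ALLOWED_SERVICE_PRIVILEGES:
                findings.append(f"{res['address']}: grants {priv} to service role "
                                f"{role!r}; allowed: {sorted(ALLOWED_SERVICE_PRIVILEGES)}")
    # Outputs live in the configuration section, where each output lists the
    # attribute paths its expression references and whether it is sensitive.
    outputs = plan.get("configuration", {}).get("root_module", {}).get("outputs", {})
    for name, out in outputs.items():
        refs = out.get("expression", {}).get("references", [])
        exposes_password = any(r.startswith("materialize_app_password.")
                               and r.endswith(".password") for r in refs)
        if exposes_password and not out.get("sensitive", False):
            findings.append(f"output {name}: exposes an app password but is not marked sensitive")
    return findings


# Constructed sample plan: the post's resources plus two deliberate violations,
# a CREATE grant to the service role and an unmarked password output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "materialize_role.production_dashboard", "type": "materialize_role",
         "values": {"name": "svc_production_dashboard", "region": "aws/us-east-1"}},
        {"address": "materialize_database_grant.database_usage", "type": "materialize_database_grant",
         "values": {"role_name": "svc_production_dashboard", "privilege": "USAGE",
                    "database_name": "production_analytics"}},
        {"address": "materialize_database_grant.database_create", "type": "materialize_database_grant",
         "values": {"role_name": "svc_production_dashboard", "privilege": "CREATE",
                    "database_name": "production_analytics"}},
        {"address": "materialize_app_password.production_dashboard", "type": "materialize_app_password",
         "values": {"name": "production_dashboard_app_password", "type": "service",
                    "user": "svc_production_dashboard", "roles": ["Member"]}},
    ]}},
    "configuration": {"root_module": {"outputs": {
        "production_dashboard_user": {"expression": {"references": [
            "materialize_role.production_dashboard.name", "materialize_role.production_dashboard"]}},
        "production_dashboard_password": {"expression": {"references": [
            "materialize_app_password.production_dashboard.password",
            "materialize_app_password.production_dashboard"]}},
    }}},
}


def main(argv):
    """Check the plan file given on the command line, or the sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform plan -out=tfplan && terraform show -json tfplan | python check_plan.py /dev/stdin` in CI; a non-zero exit blocks the apply. Checking the configuration section rather than output values is deliberate: Terraform redacts sensitive values in the JSON, so the reference path is the only reliable signal that an output is derived from an app password.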