Native support for service accounts

Creating a service account for each application and service that you connect to Materialize is considered a security best practice. But until now, you've had to provision a real email address for each service account (e.g., infra+production-dashboard@foo.corp) and manually click the link in each activation email. This friction has been one of our most reported issues.

Today, we rolled out native support for service accounts—no email addresses required! 🎉

If you have the Organization Admin role, you can use the App Passwords page in the Materialize Console to create service-type app passwords. You choose the name of the service user at the time you create the app password:

To manage service accounts with code, you can use our Terraform provider to create service accounts. Here's an example of how you might provision a service account and appropriate privileges for a dashboard application using Terraform:

# Create the service user for the dashboard in the aws/us-east-1 region. 
resource "materialize_role" "production_dashboard" { 
 name   = "svc_production_dashboard" 
 region = "aws/us-east-1" 
} 

 
# Allow the dashboard user to use the "production_analytics" database. 
resource "materialize_database_grant" "database_usage" { 
 role_name     = materialize_role.production_dashboard.name 
 privilege     = "USAGE" 
 database_name = "production_analytics" 
 region        = "aws/us-east-1" 
} 

 
# Create an app password for the dashboard user. 
resource "materialize_app_password" "production_dashboard" { 
 name = "production_dashboard_app_password" 
 # The following fields are new in v0.8.1. 
 type = "service" 
 user = materialize_role.production_dashboard.name 
 roles = ["Member"] 
} 

 
# Export the user and password for use in the dashboarding tool. 
output "production_dashboard_user" { 
 value = materialize_role.production_dashboard.name 
} 
output "production_dashboard_password" { 
 value = materialize_app_password.production_dashboard.password 
} 
 hcl

You'll need to be running v0.8.1 or later of the provider to be able to run the above example.

`1`	`# Create the service user for the dashboard in the aws/us-east-1 region.`
`2`	`resource "materialize_role" "production_dashboard" {`
`3`	`name = "svc_production_dashboard"`
`4`	`region = "aws/us-east-1"`
`5`	`}`
`6`
`7`	`# Allow the dashboard user to use the "production_analytics" database.`
`8`	`resource "materialize_database_grant" "database_usage" {`
`9`	`role_name = materialize_role.production_dashboard.name`
`10`	`privilege = "USAGE"`
`11`	`database_name = "production_analytics"`
`12`	`region = "aws/us-east-1"`
`13`	`}`
`14`
`15`	`# Create an app password for the dashboard user.`
`16`	`resource "materialize_app_password" "production_dashboard" {`
`17`	`name = "production_dashboard_app_password"`
`18`	`# The following fields are new in v0.8.1.`
`19`	`type = "service"`
`20`	`user = materialize_role.production_dashboard.name`
`21`	`roles = ["Member"]`
`22`	`}`
`23`
`24`	`# Export the user and password for use in the dashboarding tool.`
`25`	`output "production_dashboard_user" {`
`26`	`value = materialize_role.production_dashboard.name`
`27`	`}`
`28`	`output "production_dashboard_password" {`
`29`	`value = materialize_app_password.production_dashboard.password`
`30`	`}`