Managing a Service Account

Best practices around a Gretel service account for configuring a deployment

A Gretel Hybrid deployment still needs to interact with the Gretel API. To make these API calls the deployment will need one user's Gretel API key to be bound to the running deployment. We recommend that you log into Gretel using a "service account" user and create an API key.

A service account user is a non-human privileged account that Gretel Hybrid will use to interact with the Gretel API. What's important is that the service account user is not regularly accessed by users to interact with the Gretel API outside of the Gretel Hybrid deployment. Any individual email or mailing group email will work to create a service account as long as the service account email inbox is accessible by the team responsible for deploying Gretel Hybrid.

Creating a Service Account User

  • Follow the Account Management instructions to create the user using a service account email address associated with your organization's domain.

  • Once the account is created, follow the Environment Setup instructions to create the API key associated with the service account user.

  • Finally, use the newly generated API key when deploying Gretel Hybrid's helm chart into your Kubernetes cluster. This individual step is covered by each separate cloud provider's deployment guide.

If you need to change which Gretel account is associated with an existing hybrid installation, you can simply generate the API key with the preferred Gretel user, and update the hybrid helm deployment with the new Gretel API key, i.e. reinstall the helm chart using the new API key.

This service account user, when tied to the deployment, is generally termed the "Deployment User."

How Job Polling Works

There is a set of conditions under which a hybrid job will be polled. If your jobs are stuck in the "created" status, this is a good place to start troubleshooting.

To reiterate, the user whose API key is associated with the hybrid deployment is known as the "Deployment User."

A hybrid job started by the Deployment User will always be picked up by that user.

For a Hybrid job to be polled by a deployment where the user is different than the Deployment User:

  • The user that started the Hybrid job must be in the same team as the Deployment User

    • This means the user that started the job is part of either an enterprise account or a custom team within Gretel that the Deployment User is on

  • Either:

    • The Deployment User has "Administrator" access or higher to the project OR

    • The Deployment User's cluster/environment is associated with the project where the job is scheduled OR

    • If an explicit list of projects is provided on install of the hybrid deployment, those projects will be polled for hybrid jobs

If the right conditions are met, then your job should be picked up by your hybrid deployment.
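The polling conditions above, written as a troubleshooting check that reports which condition is unmet for a stuck job. This is an added example, not Gretel code: the `Deployment` and `Job` classes, the field names and the sample values are hypothetical and constructed for illustration, and the three "Either" bullets are treated as alternatives, as listed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deployment:                       # hypothetical model, not a Gretel API object
    deployment_user: str
    teams: frozenset                    # teams the Deployment User is on
    admin_projects: frozenset           # projects where it has Administrator or higher
    cluster_projects: frozenset         # projects associated with its cluster/environment
    explicit_projects: frozenset = frozenset()  # project list given at install, if any

@dataclass(frozen=True)
class Job:
    started_by: str
    starter_teams: frozenset
    project: str

def polling_blockers(job: Job, dep: Deployment) -> list:
    """Return the unmet conditions; an empty list means the job should be polled."""
    if job.started_by == dep.deployment_user:
        return []                       # the Deployment User's own jobs are always picked up
    blockers = []
    if not (job.starter_teams & dep.teams):
        blockers.append("starter shares no team with the Deployment User")
    routes = {
        "Deployment User has Administrator access or higher": job.project in dep.admin_projects,
        "cluster/environment is associated with the project": job.project in dep.cluster_projects,
        "project is in the explicit install-time list": job.project in dep.explicit_projects,
    }
    if not any(routes.values()):
        blockers.append("no project condition holds: " + "; ".join(routes))
    return blockers

# Constructed sample data
DEPLOYMENT = Deployment(
    deployment_user="svc-gretel@example.com",
    teams=frozenset({"data-platform"}),
    admin_projects=frozenset({"proj-a"}),
    cluster_projects=frozenset({"proj-b"}),
)

if __name__ == "__main__":
    stuck = Job("alice@example.com", frozenset({"marketing"}), "proj-c")
    for reason in polling_blockers(stuck, DEPLOYMENT):
        print("not polled:", reason)
```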
