Use service users for continuous deployment

An infrastructure that uses continuous deployment automation often requires SSH to deploy software or to perform tasks. Generally, this kind of automation runs SSH using a local user account on a continuous integration/continuous deployment (CI/CD) server that's dedicated to this purpose. For example, automated Jenkins jobs might be run as the 'jenkins' user on a Linux server. With Advanced Server Access, you can create service users to automate deployment to your target servers.

Before you begin

You must install the Advanced Server Access client on the host that has the unmanaged user account that the service user is tied to.

Note: The server can be any Linux host. The server can't be a Windows or FreeBSD host. See Install the Advanced Server Access client.

Grant a group access to the host that contains the service user account.

Create a service user for continuous deployment

  1. Navigate to the Users page for your team.

  2. Select the Service Users tab.

  3. Click Create Service User. The Create Service User page appears.

  4. Enter a username for the service user. The system automatically creates corresponding Linux and Windows usernames. Click Create Service User to finish creating the service user.

  5. Click Create API Key. The API Key Secret Rotated screen appears.

  6. Copy and store your API key ID and your API key secret from this screen.

    Caution: These values only appear on this screen. You can't recover your API key secret, so copy and store it safely.

Create a service for a project

  1. Click Projects on your team's Advanced Server Access dashboard. The Projects page appears.
  2. Click the project that contains the server that runs the service to assign to the service user.
  3. Select the Servers tab.
  4. Choose the server on which to use the service user.
  5. Select the Services tab. Click Add Service.
  6. Select the service user that you created from the Service User drop-down box. Enter the UID of an unmanaged user in the UID field.

    Note: To find the UID of a user, use the ls /home command to list the users on the server, then use the id <user> command to find the UID of a specific user.

Add the service user to a group

  1. Click Groups on the Advanced Server Access dashboard.
  2. Select a group that belongs to the project that contains the server that the service user will be deployed to.
  3. Select the Users tab.
  4. Enter the username of the service user that you created. Click Add User.

Enable service user authentication

Ensure that you've installed the Advanced Server Access client on the server that's tied to the service user that you created. Installing the client and enabling authentication for service users allows the service user's credentials to be used to perform tasks.

Note: The Advanced Server Access server agent must be installed and running on the server.

  1. Connect to the server for the service user:

    ssh <target-server>

  2. Switch to the unmanaged user that's tied to the Advanced Server Access service user:

    su - <unmanaged-user>

  3. Enable service user authentication:

    sft config service_auth.enable true

  4. Update your SSH configuration:

    sft ssh-config >> ~/.ssh/config

    Note: Don't forget to change the command if your SSH configuration file is in a different directory.
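
The sft ssh-config >> ~/.ssh/config command appends on every run, so a provisioning script that repeats it stacks duplicate blocks in the file. The following is an added example, not part of the Advanced Server Access documentation: it stores the block between marker comments and replaces it on later runs. The marker text, the function names, and the stand-in block in demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Advanced Server Access documentation.
# The marker text is an assumption chosen for this example.
BEGIN_MARK='# BEGIN sft ssh-config managed block'
END_MARK='# END sft ssh-config managed block'

# install_ssh_block CONFIG_FILE
# Reads an SSH config block on stdin and stores it in CONFIG_FILE between the
# markers, replacing an earlier copy instead of stacking a duplicate.
install_ssh_block() {
    cfg=$1
    cfg_dir=$(dirname "$cfg")
    block=$(cat)
    # Refuse to touch the file if the generator produced nothing.
    [ -n "$block" ] || { echo "empty block, $cfg left unchanged" >&2; return 1; }
    [ -d "$cfg_dir" ] || mkdir -m 700 -p "$cfg_dir" || return 1
    touch "$cfg" || return 1
    # mktemp creates the file with mode 0600 in the same directory, so the
    # final mv is a rename within one file system.
    tmp=$(mktemp "$cfg_dir/.config.XXXXXX") || return 1
    # Copy every line that is outside a previously installed block.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n%s\n%s\n' "$BEGIN_MARK" "$block" "$END_MARK" >> "$tmp" ||
        { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$cfg"
}

# Real use, as the unmanaged user:
#   sft ssh-config | install_ssh_block "$HOME/.ssh/config"

# Demo with a constructed stand-in for the client's output; prints 1.
demo() {
    d=$(mktemp -d) || return 1
    for run in 1 2; do
        printf 'Host constructed-example\n    User deploy\n' |
            install_ssh_block "$d/config" || return 1
    done
    grep -c '^Host constructed-example$' "$d/config"
    rm -rf "$d"
}
```

If the client prints nothing (for example, because it isn't installed for that user), the function returns a non-zero status and leaves the existing configuration file unchanged.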