Service accounts are user accounts that an application or service uses to authenticate to GitHub. Unlike a normal user account, a service account is not associated with an individual person, but it otherwise functions just like one. Service accounts are very useful for automated systems where actions are performed by computers rather than humans.
Setting up a Service Account
The NC State GitHub instance uses the campus Active Directory (AD) service as its authentication provider; therefore, an account must exist in AD before it can log in to GitHub. AD OU Admins can create service accounts within their OU, so work with your unit’s OU Admin to create the account in AD. According to the NC State Active Directory Service Team, all service accounts should use the following naming convention: <DEPT>.<SERVICENAME>.svc
Once the account has been created in AD, please send an email to firstname.lastname@example.org requesting the account be granted access to the NC State GitHub instance. The account must be added to an access group in AD by the GitHub Service Team before it will be able to successfully log in to GitHub.
After the account has been added to the access group, you can log in to GitHub using the service account’s username and password to create the account in GitHub. The account will not exist until the service account has logged in for the first time.
Service Account Best Practices
- Give your service account a meaningful name that represents its purpose
- Enable two-factor authentication for the account in GitHub to further secure it
- Utilize the SSH protocol when interacting with GitHub, and use SSH keys instead of passwords
- Rotate the account password and SSH keys periodically
- Be mindful of rate limiting when configuring automation to talk to GitHub
- Give the account the least amount of access required to do the job
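
For the rate-limiting point above, one way automation running as a service account can decide how long to pause between API calls. This is an added example, not part of the original page or NC State's tooling. It assumes the instance returns GitHub's standard `X-RateLimit-Remaining`, `X-RateLimit-Reset` and `Retry-After` response headers; the function name and the 60-second fallback are illustrative choices.

```python
import time

# Assumption: fallback pause when a request is rejected without hint headers.
DEFAULT_BACKOFF = 60


def seconds_to_wait(status, headers, now=None):
    """Return how many seconds to sleep before the next request (0 = go ahead).

    headers: response headers as a mapping (any letter case).
    now: current Unix time, injectable so the logic can be tested offline.
    """
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}

    # An explicit Retry-After always wins (assumed to be a number of seconds).
    if "retry-after" in h:
        return max(0, int(h["retry-after"]))

    remaining = h.get("x-ratelimit-remaining")
    reset = h.get("x-ratelimit-reset")  # Unix time when the quota refills

    # Quota exhausted: hold off until the window resets.
    if remaining is not None and int(remaining) == 0 and reset is not None:
        return max(0, int(reset) - int(now))

    # Rejected with no usable headers: back off for a fixed interval.
    # A 403 can also be a permission error, so the caller should log the body.
    if status in (403, 429):
        return DEFAULT_BACKOFF

    return 0


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = [
        (200, {"X-RateLimit-Remaining": "4987", "X-RateLimit-Reset": "1700003600"}),
        (403, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700003600"}),
        (429, {"Retry-After": "30"}),
        (403, {}),
    ]
    for status, hdrs in samples:
        print(status, seconds_to_wait(status, hdrs, now=1700000000))
```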