SCDF service account usage #6113
Description
Problem description:
Currently, when launching a task in Spring Cloud Data Flow (SCDF), the service account must be provided at each task execution or configured at the platform level in SCDF. Therefore, all tasks launched in a platform and all subtasks in a composed task are executed with the same service account. This approach requires significant manual effort, especially when managing multiple tasks. A more efficient way to associate a service account with an application is needed to streamline deployment and execution, and to be able to separate the service accounts of applications from a security perspective.
Solution description:
A potential solution is to allow specifying the service account during the application registration process in SCDF. This could be achieved by extending the SCDF DSL to support a --serviceaccount parameter, as illustrated below:
app register APP_NAME --type task --uri docker://... --serviceaccount MYSERVICEACCOUNT
This approach would ensure that the service account is automatically associated with the application upon execution, reducing manual configuration effort and allowing a different service account to be set per application rather than per task.
Description of alternatives:
- Continue with the current approach of manually specifying the service account at each task execution, which is inefficient, error-prone and inflexible.
- Configure the service account per task at the SCDF platform level, which requires significant manual effort and is not scalable.
- Introduce a mechanism where service accounts can be dynamically assigned using deployer properties, providing a more flexible alternative without compromising platform neutrality.
Additional context:
- This feature would improve usability and reduce the operational burden of managing service accounts in SCDF.
- With separate service accounts per application, it would be possible to assign different permissions and roles to different applications.
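As an added illustration (not part of the issue or of the SCDF project), the following Kubernetes manifests show what per-application service accounts with different permissions look like on the platform side, assuming a Kubernetes deployment target; the namespace and account names (scdf-tasks, report-task-sa, cleanup-task-sa) are hypothetical:

```yaml
# Constructed example: two task applications, each with its own service
# account, so that a compromised or misbehaving task holds only the
# permissions its own workload needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-task-sa          # hypothetical account for a reporting task
  namespace: scdf-tasks
automountServiceAccountToken: false   # this task never talks to the API server
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cleanup-task-sa         # hypothetical account for a pod-cleanup task
  namespace: scdf-tasks
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cleanup-task-role
  namespace: scdf-tasks
rules:
# Only the verbs the cleanup task needs, restricted to its own namespace.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cleanup-task-binding
  namespace: scdf-tasks
subjects:
- kind: ServiceAccount
  name: cleanup-task-sa
  namespace: scdf-tasks
roleRef:
  kind: Role
  name: cleanup-task-role
  apiGroup: rbac.authorization.k8s.io
```

The separation can be checked before any task runs with `kubectl auth can-i delete pods -n scdf-tasks --as=system:serviceaccount:scdf-tasks:report-task-sa`, which should answer `no`, while the same query for `cleanup-task-sa` answers `yes`.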