Tetrate Service Bridge, Version: 1.7.x

Teams and Users

A User represents a user loaded from a configured Identity Provider (IdP) who can log into the platform. Currently, users are automatically synchronized by TSB from a configured LDAP server.

The following example creates a user named john under the organization myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: User
metadata:
  name: john
  organization: myorg
spec:
  loginName: john
  firstName: John
  lastName: Doe
  displayName: John Doe
  email: john.doe@acme.com

A ServiceAccount can be created to enable machine authentication via JWTs. Each service account has a key pair that can be used to create signed JWTs for authenticating to TSB.

The following example creates a service account named my-sa under the organization myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: ServiceAccount
metadata:
  name: my-sa
  organization: myorg
spec:
  displayName: My Service Account
  description: Service account used for service integrations

Team is a named collection of users, service accounts, and other teams. Teams can be assigned access permissions on various resources. All members of a team inherit the access permissions assigned to the team.

The following example creates a team named org under the organization myorg with all members of product1 and product2 teams, and users alice and bob.

apiVersion: api.tsb.tetrate.io/v2
kind: Team
metadata:
  name: org
  organization: myorg
spec:
  members:
    - organizations/myorg/users/alice
    - organizations/myorg/users/bob
    - organizations/myorg/teams/product1
    - organizations/myorg/teams/product2

ServiceAccount

ServiceAccount represents a service account that can be used to access the TSB platform. Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key-pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.

| Field | Type | Description | Validation Rule |
|---|---|---|---|
| description | string | A description of the resource. | |
| keys | List of tetrateio.api.tsb.v2.ServiceAccount.KeyPair (OUTPUT_ONLY) | Keys associated with the service account. A default key-pair is automatically created when the Service Account is created. Note that TSB does not store the private keys, so it is up to the client to store the returned private keys securely, as they are only returned once after creation. Additional keys can be added (and deleted) by using the corresponding key management APIs. | |

KeyPair

Represents key-pair associated to the service account.

| Field | Type | Description | Validation Rule |
|---|---|---|---|
| id | string (OUTPUT_ONLY) | Unique identifier for this key-pair. This should be used as the kid (key id) when generating JWT tokens that are signed with this key-pair. | |
| publicKey | string (OUTPUT_ONLY) | The encoded public key associated with the service account. The encoding format is determined by the encoding field. | |
| privateKey | string (OUTPUT_ONLY) | The encoded private key associated with the service account. TSB does not store the private key and it is up to the client to store it safely. The encoding format is determined by the encoding field. | |
| encoding | tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding | Format in which the public and private keys are encoded. By default keys are returned in PEM format. | |
| defaultToken | string (OUTPUT_ONLY) | A default access token that can be used to authenticate to TSB on behalf of the service account. TSB does not store this token and it is only returned when a service account key is created, similar to the private key. It is up to the client to store the token for future use or to use the TSB CLI to generate new tokens as explained in: https://docs.tetrate.io/service-bridge/latest/en-us/howto/service-accounts | |
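The KeyPair fields describe a client-side contract: keep the returned PEM private key, and put the key-pair id in the JWT header's kid so the verifier can select the matching public key. The Go program below is an added example and is not TSB's code or its token format. It generates a stand-in RSA key pair (TSB would return the real one once, at creation), mints an RS256 JWT with kid set to the key-pair id, and verifies it the way a receiving side should: pin the algorithm, look the public key up by kid, check the signature, and only then trust the claims. The key id "example-kid" and the sub claim are constructed assumptions; the claims TSB actually expects are described in the linked service-accounts how-to.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// keyPair mirrors the KeyPair fields TSB returns: id plus PEM-encoded keys (generated locally here as a stand-in).
type keyPair struct{ ID, PublicKey, PrivateKey string }

// generateKeyPair stands in for the default key-pair TSB creates; the id is a constructed placeholder.
func generateKeyPair(id string) (keyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return keyPair{}, err
	}
	return keyPair{
		ID:         id,
		PublicKey:  string(pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey)})),
		PrivateKey: string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})),
	}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWT mints an RS256 JWT whose header carries kid = key-pair id; the claim names are the caller's assumption.
func signJWT(kp keyPair, claims map[string]any) (string, error) {
	block, _ := pem.Decode([]byte(kp.PrivateKey))
	if block == nil {
		return "", errors.New("invalid private key PEM")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kp.ID})
	payload, _ := json.Marshal(claims)
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyJWT is the receiving side: pin the algorithm, select the public key by
// kid (unknown ids are rejected), check the signature, only then decode claims.
func verifyJWT(token string, publicKeys map[string]string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &header); err != nil {
		return nil, err
	}
	pubPEM, ok := publicKeys[header.Kid]
	if header.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("rejected token: alg=%q kid=%q", header.Alg, header.Kid)
	}
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil {
		return nil, errors.New("invalid public key PEM")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	err = json.Unmarshal(raw[1], &claims)
	return claims, err
}

func main() {
	kp, _ := generateKeyPair("example-kid") // constructed id, not a real TSB key id
	tok, _ := signJWT(kp, map[string]any{"sub": "my-sa"})
	fmt.Println(verifyJWT(tok, map[string]string{kp.ID: kp.PublicKey}))
}
```

The verifier only ever holds public keys keyed by id, which is exactly what TSB stores; a token whose kid is not in that map, or whose alg is not the expected one, is refused before any signature arithmetic, and a token whose payload was altered after signing fails the signature check.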

Team

Team is a named collection of users under a tenant.

| Field | Type | Description | Validation Rule |
|---|---|---|---|
| members | List of string | List of members under the team. The elements of this list are the FQNs of the team members. Team members can be users, service accounts or other teams. | |
| sourceType | tetrateio.api.tsb.v2.SourceType | Where the team comes from. It can be a local team that exists only in TSB (type LOCAL) or it can be a team that has been synchronized from the Identity Provider (for example: type LDAP). | enum = { defined_only: true } |
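Because members may be other teams and every member inherits the team's permissions, working out who is actually granted a permission means expanding the members list transitively. The Go program below is an added example, not TSB's code: it resolves a team FQN into the users and service accounts that inherit from it, following nested teams once each so that cycles and diamonds terminate, and reporting a reference to a team that does not exist. The org team is the one from the example above; the product1 and product2 contents, the user carol and dave FQNs, and the service account FQN are constructed, and the "serviceaccounts" path segment is an assumption about the FQN scheme.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Directory maps a team FQN to its spec.members, mirroring the Team resource.
type Directory map[string][]string

// isTeam reports whether an FQN names a team (organizations/<org>/teams/<name>).
func isTeam(fqn string) bool {
	parts := strings.Split(fqn, "/")
	return len(parts) == 4 && parts[0] == "organizations" && parts[2] == "teams"
}

// EffectiveMembers expands a team transitively into the sorted set of non-team
// members (users, service accounts) that inherit the team's permissions.
// Nested teams are expanded once each, so cycles and diamonds terminate;
// a reference to a team missing from the directory is reported as an error.
func EffectiveMembers(dir Directory, team string) ([]string, error) {
	if _, ok := dir[team]; !ok {
		return nil, fmt.Errorf("unknown team %q", team)
	}
	expanded := map[string]bool{}
	members := map[string]bool{}
	var walk func(string) error
	walk = func(t string) error {
		if expanded[t] {
			return nil
		}
		expanded[t] = true
		for _, m := range dir[t] {
			if !isTeam(m) {
				members[m] = true
				continue
			}
			if _, ok := dir[m]; !ok {
				return fmt.Errorf("team %q references unknown team %q", t, m)
			}
			if err := walk(m); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(team); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(members))
	for m := range members {
		out = append(out, m)
	}
	sort.Strings(out)
	return out, nil
}

// sampleDirectory is constructed for this example. The org team matches the
// page's example; the other entries are invented, and the "serviceaccounts"
// path segment is an assumption about how service account FQNs are formed.
func sampleDirectory() Directory {
	return Directory{
		"organizations/myorg/teams/org": {
			"organizations/myorg/users/alice",
			"organizations/myorg/users/bob",
			"organizations/myorg/teams/product1",
			"organizations/myorg/teams/product2",
		},
		"organizations/myorg/teams/product1": {
			"organizations/myorg/users/carol",
			"organizations/myorg/serviceaccounts/ci-bot",
		},
		"organizations/myorg/teams/product2": {
			"organizations/myorg/users/dave",
			"organizations/myorg/teams/product1", // diamond: product1 is reached twice
			"organizations/myorg/teams/org",      // cycle back to the parent team
		},
	}
}

func main() {
	members, err := EffectiveMembers(sampleDirectory(), "organizations/myorg/teams/org")
	fmt.Println(members, err)
}
```

The same expansion, run over every team a permission is bound to, gives the full set of principals that permission reaches, which is the view an access review needs when team nesting hides indirect membership.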

User

User represents a user from the Identity Provider that is allowed to log into the platform.

| Field | Type | Description | Validation Rule |
|---|---|---|---|
| loginName | string (REQUIRED) | The username used in the login credentials. | string = { min_len: 1 } |
| firstName | string | The first name of the user. | |
| lastName | string | The last name of the user, if any. | |
| email | string | Email for the user where alerts and other notifications will be sent. | |
| sourceType | tetrateio.api.tsb.v2.SourceType | Where the user comes from. It can be a local user that exists only in TSB (type LOCAL) or it can be a user that has been synchronized from the Identity Provider (for example: type LDAP). | enum = { defined_only: true } |

Encoding

Format in which the keys in this key-pair are encoded.

| Name | Number | Description |
|---|---|---|
| PEM | 0 | |
| JWK | 1 | |

SourceType

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

| Name | Number | Description |
|---|---|---|
| INVALID | 0 | |
| LDAP | 1 | LDAP is used for users and teams that are automatically synchronized from LDAP. |
| LOCAL | 2 | LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated: this value will be removed in future releases; use MANUAL instead. |
| AZURE | 3 | AZURE is used for users synchronized from an Azure Active Directory. |
| MANUAL | 4 | MANUAL is used for users and teams that exist in the Identity Provider and have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions. |