We're increasingly automating access to our Posit/RStudio Connect
- continuous integration/build/deployment which deploys apps, reports and apis to Connect
- services which call plumber APIs to read data and charts
We have so far been connecting these automated clients using ApiKeys which are setup in normal user accounts (which are all connected to our domain using SAML to Azure Active Directory)
This works... but it means that for example published apps are connected to my user, and published APIs are accessed but my user... this leads to some inaccurate permission provisioning, and it will definitely become a problem if ever my account gets locked (e.g. if/when I leave).
To work around this, I've been looking at adding some kind of "service accounts" (e.g. called "Ms Build Pipeline" or "Mister Report Generator") to Connect - so that I can then create API Keys within their accounts - and can use those API Keys for accessing Connect.
My questions about this approach:
- Is this the recommended sort of approach?
- Is there any way to avoid these service accounts using up genuine slots on our license?
- Is there any way to add these service accounts (and get API keys for them) just within Connect (e.g. using the
usermanagerCLI tool) without adding them to our domain and to our Azure AD based SAML auth system? (I'm not sure if this is possible - can Connect operate "local RStudio" accounts in addition to those that are specified from SAML?)
Sorry if this is a bit confused/confusing... still trying to work out myself exactly what we want...