cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
freshstarter
Quartz | Level 8 freshstarter
Quartz | Level 8

SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

Posted 4 weeks ago (504 views)

Hello All,

 

This is regarding our implementation of a Group Managed Service Account (gMSA) in our latest SAS Viya environment.

 

We have created a service account in Entra and provisioned it to SAS via SCIM for scheduling purposes. Based on this, we are planning to use a gMSA-style approach where a group of users from our OPS team can schedule jobs using this service account.

Current setup:

  1. Created a service account and added it to a custom group: “Service Account User for Schedule”
  2. Created an Entra ID group: OPS_Schedule_Team and added relevant members  and then provisioned to SAS
  3. Logged in via CLI using the service account and executed the following commands to create the authentication domain and store credentials:
sas-viya credentials domains create --domain-id Scheduling_OPS_TokenAuth --type oauth2.0

sas-viya credentials groups create --domain-id Scheduling_OPS_TokenAuth --identity-id OPS_Schedule_Team --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling

 

  • The domain was created successfully, and I can see an entry in the credentials store for this authentication domain with identity as OPS_Schedule_Team
  • In SAS Environment Manager, users in the OPS team are able to select the service account under the “Run as” option when scheduling jobs. Everything is working as expected so far.

Going forward, we will not be logging in interactively using the service account. Instead, OPS team members will schedule jobs using it via the gMSA approach.

 

My question is regarding the refresh token lifecycle:

 

  • Since we are not logging in interactively with the service account, will scheduled jobs continue to run only until the refresh token remains valid? Is this understanding correct?
  • If the refresh token expires, what is the recommended way to automate token renewal for the service account without manual intervention?
  • I came across this document:https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update... It mentions a scheduled job for automatic token rotation, but it appears to apply only up to the 2023.11 release. We are currently on the 2026.03 release—has this approach changed in newer versions?

Additional clarification:

If we do not use the gMSA approach and instead log in interactively with the service account to schedule jobs, would we face the same issue? For example, if a job is scheduled daily and no one logs in again for an extended period, will the job continue to run only until the refresh token expires?

 

Any clarification or best practices around this setup would be greatly appreciated. Thanks in advance.

 

0 Likes
Reply
5 REPLIES 5
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

Posted 3 weeks ago (368 views)  |   In reply to freshstarter
Both the scheduler service and credentials service maintain the validity of their stored refresh tokens by acquiring new ones periodically, so in either case you should not need to take any action and the functionality to schedule new jobs using a group-managed service account and the running of existing jobs should continue indefinitely.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
freshstarter
Quartz | Level 8 freshstarter
Quartz | Level 8

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

Posted 3 weeks ago (361 views)  |   In reply to gwootton

Thanks @gwootton for your response.

 

Is there any way to check whether new tokens are being acquired and refreshed internally?

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

Posted 3 weeks ago (354 views)  |   In reply to freshstarter
On the credentials service, you could set the logger com.sas.credentials.OAuthAccessTokenManager to debug to see messages related to this process.

On the scheduler service you'll see messages by default at the info level when it attempts to get a new refresh token. You could set com.sas.scheduling.persistence.RefreshTokenScheduler to debug to see messages related to it checking to see if it needs to refresh the tokens.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
freshstarter
Quartz | Level 8 freshstarter
Quartz | Level 8

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

Posted 3 weeks ago (320 views)  |   In reply to gwootton

Thanks you.

 

But I don't think auto token refresh is happening and stored internally on credentials service.

 

I have created a domain last week for gMSA purpose but when I tried to execute the job today using Run as feature via gMSA, I'm getting this failure.

 

 

Failed to obtain a valid credential. Contact your system administrator to check the status of the credential in the domain Scheduling_OPS_TokenAuth.

path: /scheduler/jobs

 
0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

Posted 3 weeks ago (312 views)  |   In reply to freshstarter
Refresh tokens by default are valid for 14 days (https://go.documentation.sas.com/doc/en/sasadmincdc/v_075/calconfigref/p1tat3guv9i2g5n1kktrzbprntog....), so even if the token wasn't refreshing it would still be valid. You may want to look in the logs for credentials and scheduler services for more details on the failure, or engage SAS Technical Support.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

Learn how to explore data assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • 4 weeks ago
  • 505 views
  • 0 likes
  • 2 in conversation