
SAS Viya 2022.1.4 SCIM and Compute Service Accounts

Started 09-15-2022
Modified 09-15-2022

Service Accounts for SAS Compute Server contexts in SAS Viya enable all sessions launched for a specific context to run as the same service account. With SAS Viya 2022.1.4 this feature is now supported in environments configured with a SCIM Identity Provider. Previously, the service account had to be specified with a username and password, which had to be valid with SAS Logon Manager. This meant the feature would not work when LDAP was disabled. With SAS Viya 2022.1.4 the service account can now be specified with a token: the stored Refresh Token is then used to launch the SAS Compute Server sessions for the given SAS Compute Server context. In this blog we will examine the configuration of Token credentials for the SAS Compute Server service account.

 

Why Use a Service Account?

 

By default, the SAS Compute Server runs under the credentials of the user that requests the session. However, in some cases, you might not want the server to run under the end-user’s credentials:

  • The user does not have an account on the server.
  • The administrator wants all users who access the context to run under a shared account.
  • The administrator wants to enable reusable servers.

 

As such, you can configure the Compute Context to allow launched servers to run under a service account. Remember the service account has no impact on the user running the SAS Cloud Analytic Services session. If you want to use the same shared account for both the SAS Compute Server and SAS Cloud Analytic Services sessions, then you should look at shared accounts rather than a SAS Compute Server service account.

Store Token for Service Account


To store the Refresh Token you must be able to authenticate to your SAS Viya environment as the service account; since your environment is configured for a SCIM Identity Provider, this will be via OpenID Connect or SAML. In addition, the service account must be added to a specific custom group. The custom group ComputeServiceAccountUsers is created for you automatically, and it has authorization rules defined that allow members to manage client credentials for sas.compute in the domains they created. Specifically, these authorization rules are:

Object URI                                  Setting              Permission
/credentials/domains/*                      Grant                Update
/credentials/domains/*                      Grant for creator    Delete
/credentials/domains/*/clients/sas.compute  Grant for creator    Delete, Read, Update


 

You can either use SAS Environment Manager or the SAS Viya CLI to add the service account to the ComputeServiceAccountUsers custom group. If you are using SAS Environment Manager, then the display name for the custom group is "Service Account Users for Compute". For example, to add a service account svcaccnt1@customer.com to the custom group using the SAS Viya CLI you can use the following commands:

 

sas-viya auth loginCode
sas-viya identities add-member --group-id ComputeServiceAccountUsers --user-member-id svcaccnt1@customer.com
sas-viya auth logout

 

For these commands you will need to authenticate as a member of SAS Administrators.

 

Once you have added the service account to the custom group, you can use the SAS Viya CLI to store the Refresh Token in a new Token Authentication domain. The SAS Viya CLI automatically creates the Token Authentication domain and secures it so that only the client sas.compute (i.e. the SAS Launcher and SAS Compute Server) is able to access the credential. First, authenticate to the SAS Viya CLI as the service account using the loginCode option:

 

sas-viya auth loginCode

 

This will prompt you to open a URL in a browser and complete the login process. Once you have logged in as the service account, e.g. svcaccnt1@customer.com, the browser displays an Authorization Code that the SAS Viya CLI uses to obtain the Access Token and Refresh Token for the service account. Still authenticated as the service account, store the Refresh Token with:

 

sas-viya compute credentials create --domain-type oauth2.0

 

You should see something like the following:

 

2022/08/30 05:08:50 The shared service account credential for svcaccnt1@customer.com was created successfully.

 

You can then logout from the SAS Viya CLI with the following:

 

sas-viya auth logout

 

The SAS Viya CLI can also be used to confirm that the Token Authentication domain exists with the following command:

 

sas-viya credentials domains list |jq '.items[]|select (IN(.[];"svcaccnt1@customer.com"))'

 

This will display information about the newly created Token Authentication domain so long as you have authenticated as a member of SAS Administrators first.

 

Setup SAS Compute Server Context

 

Now that the service account has been added to the ComputeServiceAccountUsers custom group and the Refresh Token has been stored, the SAS Compute Context can be updated to use the service account. You can either edit an existing SAS Compute Context or create a new one. You need to create an attribute with the name runServerAs and a value equal to the service account user ID. The SAS Compute Context can be edited or created either in SAS Environment Manager or by using the SAS Viya CLI. For example, to create a new SAS Compute Context with the SAS Viya CLI you can use the following commands:

 

sas-viya auth loginCode
sas-viya compute contexts create -d '{
"name": "SAS Studio Launch Credential",
"version": 1,
"description": "SAS Studio Launch Credential",
"attributes": {
    "runServerAs": "svcaccnt1@customer.com"
},
"launchContext": {
    "contextName": "SAS Studio launcher context"
},
"launchType": "service",
"authorizeAllAuthenticatedUsers": true
}'
sas-viya auth logout

 

This will create a new SAS Compute Context called "SAS Studio Launch Credential" that is available to any authenticated user, since authorizeAllAuthenticatedUsers is set to true for this context. Any of your end-users would be able to select this context in SAS Studio and have their session launched as the service account. To check in SAS Studio which identity the SAS Compute Server session is running as, you can use the following SAS code:

 

%put &_CLIENTUSERID;
%put &_CLIENTUSERNAME;
%put &SYSUSERID;

 

The two _CLIENT#### macro variables reflect the end-user who authenticated, while the &SYSUSERID macro variable is the service account running the process.

 

Token Expiry

 

The Refresh Token that has been stored for a shared account is automatically refreshed each time it is used. This means that, so long as the shared account is used at least once before the Refresh Token expires, there is no need to manually replace the token. The default lifetime of the Refresh Token is 90 days.
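A defender-side check that ties the context setup above to the token lifetime just described: this added Python example (my own, not code from the post or from SAS) audits every compute context that carries a runServerAs attribute against the stored Token Authentication domains, flagging any whose service account has no domain or whose Refresh Token has gone unused past its 90-day lifetime. The JSON shapes, the modifiedTimeStamp field and the assumption that it tracks the last refresh are mine, and svcaccnt2@customer.com is a constructed account.

```python
import json
from datetime import datetime, timedelta

# Default Refresh Token lifetime stated in the post.
REFRESH_TOKEN_LIFETIME = timedelta(days=90)

# Constructed sample data shaped like `sas-viya compute contexts list` and
# `sas-viya credentials domains list` output; the JSON field names are assumptions.
CONTEXTS_JSON = json.dumps({"items": [
    {"name": "SAS Studio Launch Credential",
     "attributes": {"runServerAs": "svcaccnt1@customer.com"}},
    {"name": "SAS Studio compute context", "attributes": {}},
    {"name": "Batch Launch Credential",
     "attributes": {"runServerAs": "svcaccnt2@customer.com"}},
]})
DOMAINS_JSON = json.dumps({"items": [
    {"id": "svcaccnt1@customer.com", "type": "oauth2.0",
     "modifiedTimeStamp": "2022-08-30T05:08:50Z"},
]})

def parse_ts(iso):
    """Parse a Z-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def service_account_contexts(contexts_json):
    """Map context name -> runServerAs for every context that runs as a service account."""
    items = json.loads(contexts_json)["items"]
    return {c["name"]: c["attributes"]["runServerAs"]
            for c in items if c.get("attributes", {}).get("runServerAs")}

def find_domain(domains_json, account):
    """Python equivalent of the post's jq filter: the domain whose values include the account."""
    return next((d for d in json.loads(domains_json)["items"] if account in d.values()), None)

def token_days_left(last_used_iso, now_iso, lifetime=REFRESH_TOKEN_LIFETIME):
    """Days until the Refresh Token expires if not used again (negative once expired).
    Assumes modifiedTimeStamp is updated each time the token is refreshed on use."""
    return (parse_ts(last_used_iso) + lifetime - parse_ts(now_iso)).days

def audit(contexts_json, domains_json, now_iso):
    """One finding per runServerAs context whose service account could not launch a session."""
    findings = []
    for name, account in service_account_contexts(contexts_json).items():
        domain = find_domain(domains_json, account)
        if domain is None:
            findings.append(f"{name}: no Token Authentication domain for {account}")
        elif (days := token_days_left(domain["modifiedTimeStamp"], now_iso)) < 0:
            findings.append(f"{name}: Refresh Token for {account} expired {-days} days ago")
    return findings
```

Run audit() on a schedule against the real CLI output and any finding is a context whose sessions will fail to launch until the token is re-stored as described above.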

 

Conclusion

 

Enabling SAS Compute Server service accounts is a key part of enabling reusable servers, and possibly a pool of reusable servers, which can be useful to limit the initial wait for a SAS Compute Server session to be launched. With these additional options configured, new tasks are rapidly routed to an idle SAS Compute Server with minimal wait time. Prior to SAS Viya 2022.1.4, this was not available for environments configured with a SCIM Identity Provider, since the service account had to use a username and password. What we have shown above is that the changes available with SAS Viya 2022.1.4 extend the use of service accounts, reusable servers, and pools of reusable servers to environments configured for SCIM.

 

 

Comments

@StuartRogers Thank you a lot for this blog. As there have been changes for service account and how the domain is configured as you informed in your other article, SAS Viya 2023.07 Run As Authentication Update, do the changes have impact here how the oauth2.0 is defined and token expiry? Also when creating the credentials for servers they are not visible anymore in domain view of Environment Manager. It would help a lot if you can provide some guidance here.

 
