Service account secrets are credentials owned by a service account. Services and managed agents should run as that service account with container.run_as or agent run_as.

CLI

Use --subject with the service account email, id, key, or name:
```bash
meshagent secret list --subject agent@service.example.meshagent.dev
meshagent secret create registry-token \
  --subject agent@service.example.meshagent.dev \
  --type opaque \
  --value "$TOKEN"
```

Roles

Service-account secret operations are protected by service-account roles:
  • secret_list permits listing and searching secrets.
  • secret_accessor permits direct retrieval when the secret is not http_only.
  • secret_manager permits create, update, version, delete, metadata, annotation, and pull-secret management.
  • use_proxy_secrets permits proxy use when the per-secret use_proxy grant also allows it.
  • run_service_as permits configuring a service or managed agent to run as the service account.
Project admins inherit service-account secret management access through the project model.
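The role rules above combine a role check with two per-secret conditions (http_only blocks direct retrieval, use_proxy must accompany use_proxy_secrets). The following is an added model of that decision logic for reviewing or testing a policy, not MeshAgent's own code; the operation names and the Secret data layout are assumptions:

```python
from dataclasses import dataclass

# Operations each service-account role grants (from the Roles list above).
ROLE_OPS = {
    "secret_list": {"list", "search"},
    "secret_accessor": {"get"},
    "secret_manager": {"create", "update", "version", "delete",
                       "metadata", "annotate", "add-pull-secret"},
    "use_proxy_secrets": {"proxy"},
    "run_service_as": {"run_as"},
}
MANAGEMENT_OPS = ROLE_OPS["secret_manager"]

@dataclass
class Secret:
    name: str
    http_only: bool = False  # value only reachable via the proxy, never read directly
    use_proxy: bool = False  # per-secret grant that must accompany use_proxy_secrets

def authorize(roles, op, secret=None, project_admin=False):
    """Decide whether a caller holding `roles` may perform `op` on `secret`.
    Returns (allowed, reason) so a denial can be logged with its cause."""
    roles = set(roles)
    # Project admins inherit management access only; nothing else is implied.
    if project_admin and op in MANAGEMENT_OPS:
        return True, "project admin inherits secret management"
    granted = {o for r in roles for o in ROLE_OPS.get(r, ())}
    if op not in granted:
        return False, f"no role grants '{op}'"
    # A role is necessary but not sufficient for the two per-secret conditions.
    if op == "get" and secret is not None and secret.http_only:
        return False, f"'{secret.name}' is http_only; direct retrieval denied"
    if op == "proxy" and (secret is None or not secret.use_proxy):
        return False, "per-secret use_proxy grant missing"
    return True, f"'{op}' granted by role"

def audit(roles, ops, secret):
    """Evaluate several operations and return only the denials as log-style lines."""
    lines = []
    for op in ops:
        ok, why = authorize(roles, op, secret)
        if not ok:
            lines.append(f"DENY roles={sorted(roles)} op={op} secret={secret.name}: {why}")
    return lines

if __name__ == "__main__":
    # Constructed sample: an http_only secret that may be used through the proxy.
    token = Secret("registry-token", http_only=True, use_proxy=True)
    for line in audit({"secret_accessor", "use_proxy_secrets"}, ["get", "proxy", "delete"], token):
        print(line)
```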

Pull Secrets

Image pull credentials attach to service accounts:
```bash
meshagent secret add-pull-secret secret-123 \
  --project-id "$MESHAGENT_PROJECT_ID" \
  --subject builder@service.example.meshagent.dev
```
When a service runs as that service account, MeshAgent uses the account’s pull secrets while pulling private images.