docs: explain SA name restrictions kestra-io/kestra-ee#1992

kestra-io · Oct 22, 2024 · ec07b01 · ec07b01
1 parent f39e677
commit ec07b01
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/content/docs/06.enterprise/service-accounts.md b/content/docs/06.enterprise/service-accounts.md
@@ -68,3 +68,19 @@ Speaking of CI/CD, note that currently Kestra supports authenticating with both
 --server=https://demo.kestra.io [email protected]:password42
 ```
 
+## Service Account Name Convention
+
+When creating a new service account, make sure to follow the DNS naming convention. Specifically, the `name` property needs to:
+- contain at most 63 characters
+- contain only lowercase alphanumeric characters or hyphens (i.e. the `-` character)
+- start with an alphanumeric character
+- end with an alphanumeric character.
+
+Some examples to make that clear:
+- ✅ `my-service-account` is a valid name
+- ✅ `my-service-account-1` is a valid name
+- ❌ `MY_SERVICE_ACCOUNT` is not a valid name because it contains uppercase characters and underscores
+- ❌ `myServiceAccount` is not a valid name because it contains uppercase characters and camel case
+- ❌ `my-service-account-` is not a valid name because it ends with a hyphen.
+
+**Why do we follow such a restrictive convention?** We follow the standard DNS-tyle pattern to be ready for potential future use cases where we could e.g. forward the service account name to a Kubernetes pod's labels. This way, we ensure that the service account name can be used in a variety of contexts without any issues.