diff --git a/source/security/ad-ldap-external-identity-management/external-authentication-with-ad-ldap-identity-provider.rst b/source/security/ad-ldap-external-identity-management/external-authentication-with-ad-ldap-identity-provider.rst index f2dad3c4..3466a8c1 100644 --- a/source/security/ad-ldap-external-identity-management/external-authentication-with-ad-ldap-identity-provider.rst +++ b/source/security/ad-ldap-external-identity-management/external-authentication-with-ad-ldap-identity-provider.rst @@ -70,12 +70,11 @@ MinIO provides an example Go application :minio-git:`ldap.go ` that handles the full login flow. -As an alternative to implementing this application flow, application owners can -log into the :minio-git:`MinIO Console ` using their external -user credentials and create :ref:`service accounts ` -for their applications. Service accounts are long-lived credentials which -inherit their privileges from the parent user. The parent user can further -restrict those privileges while creating the service account. +AD/LDAP users can alternatively create :ref:`service accounts ` associated to their AD/LDAP user Distinguished Name. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. Use either of the following methods to create a new service account + +- Log into the :ref:`MinIO Console ` using the AD/LDAP-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Service Accounts` followed by the :guilabel:`Create service account +` button. + +- Use the :mc-cmd:`mc admin user svcacct add` command to create the service account. Specify the user Distinguished Name as the username to which to associate the service account. Querying the Active Directory / LDAP Service -------------------------------------------- 
diff --git a/source/security/minio-identity-management/user-management.rst b/source/security/minio-identity-management/user-management.rst index 8c50f729..c574ce5b 100644 --- a/source/security/minio-identity-management/user-management.rst +++ b/source/security/minio-identity-management/user-management.rst @@ -62,11 +62,7 @@ service accounts have the same or fewer permissions as the parents, administrators can focus on managing the top-level parent users without micro-managing generated service accounts. -Service accounts creation and management is only available through the -:minio-git:`MinIO Console `. After logging into the Console, click -:guilabel:`Account` from the left navigation to view all service accounts -associated to the authenticated user. Click :guilabel:`Create Service Account` -to create new service accounts. +You can create service accounts using either the :ref:`MinIO Console ` *or* by using the :mc-cmd:`mc admin user svcacct add` command. .. admonition:: Service Accounts are for Programmatic Access :class: dropdown, note diff --git a/source/security/openid-external-identity-management/external-authentication-with-openid-identity-provider.rst b/source/security/openid-external-identity-management/external-authentication-with-openid-identity-provider.rst index e7bb1694..1ff468e6 100644 --- a/source/security/openid-external-identity-management/external-authentication-with-openid-identity-provider.rst +++ b/source/security/openid-external-identity-management/external-authentication-with-openid-identity-provider.rst 
@@ -80,12 +80,7 @@ MinIO provides an example Go application :minio-git:`web-identity.go ` that handles the full login flow. -As an alternative to implementing this application flow, application owners can -log into the :minio-git:`MinIO Console ` using their external -user credentials and create :ref:`service accounts ` -for their applications. Service accounts are long-lived credentials which -inherit their privileges from the parent user. The parent user can further -restrict those privileges while creating the service account. +OIDC users can alternatively create :ref:`service accounts ` associated to their AD/LDAP user. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. To create a new service account, log into the :ref:`MinIO Console ` using the OIDC-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Service Accounts` followed by the :guilabel:`Create service account +` button. .. _minio-external-identity-management-openid-access-control:
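Review bot: In the external-authentication-with-ad-ldap-identity-provider.rst hunk, the added sentence "Use either of the following methods to create a new service account" has no closing punctuation before the bullet list and is run onto the end of the paragraph about privilege inheritance. End it with a colon and start it on its own line so the two methods read as a list introduction. "associated to their AD/LDAP user Distinguished Name" should be "associated with". In the second bullet, "Specify the user Distinguished Name as the username" would benefit from one sample DN showing the expected form, since the parent identity decides which privileges the long-lived credential inherits.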
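Review bot: In the user-management.rst hunk, the replacement sentence drops two things the removed lines stated: how to reach the service account screen in the Console, and that the Console lists service accounts "associated to the authenticated user". With ``mc admin user svcacct add`` now offered as an equal option, the page should say which parent user each method ties the account to, or link to the procedure that does. The wording "using either the ... Console *or* by using the ... command" is also not parallel; suggest "using either the MinIO Console or the ``mc admin user svcacct add`` command".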
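Review bot: In the external-authentication-with-openid-identity-provider.rst hunk, the first added sentence reads "OIDC users can alternatively create ... service accounts ... associated to their AD/LDAP user", which looks carried over from the AD/LDAP page; on this page it should name the OIDC user. This hunk also lists only the Console method, while the user-management.rst hunk in the same patch says service accounts can be created with either the Console or ``mc admin user svcacct add``. If the command is not meant for OIDC-managed users, say so here; otherwise add it so the pages agree.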