How Service Accounts Work

The purpose of Service Accounts

Service Accounts in Twingate are used to secure communications between remote machines. Because Service Accounts are used by machines to establish connections to Resources, Service Accounts cannot interact with Twingate Clients in the same way that humans would, and therefore those accounts differ from non-Service Accounts in several ways:

  • Service Accounts cannot fulfill 2FA requirements
  • Service Accounts cannot use standard credentials (such as a social login or identity provider account)
  • Service Accounts leverage the Twingate Client in a non-interactive way called headless mode

Let’s explore common use cases for Service Accounts.

Secure communication between SaaS and private Resources

Our customers often rely on both self-hosted components (on-premises or in a private cloud) and SaaS applications such as GitHub, CircleCI and others. In those cases, the SaaS applications require access to private infrastructure components (such as K8s clusters, virtual machines, etc.). Service Accounts combined with the Twingate Client (in headless mode) are used to securely connect your SaaS applications to your private Twingate Resources.

Take a look at our practical guides on this topic:

Secure communication between two private Resources across different sites

Apart from SaaS applications like GitHub and CircleCI, Service Accounts can also be used to secure connections across private remote systems hosted in different sites. The best approach for this use case is to deploy the Twingate Client in headless mode on the system which requires connectivity to private and remote Twingate Resources.

Secure communication between a pool of devices and private Resources

If the Twingate Client (in headless mode) cannot be deployed directly on the system which requires connectivity to remote and private Resources (for instance, if the system hosts an operating system that is incompatible with the Twingate Client), we recommend the following:

  • Set up a separate virtual machine with a Twingate Client in headless mode. This virtual machine will act as a gateway for traffic coming from unsupported systems.
  • Enable IP forwarding on the gateway virtual machine
  • Set a route on a layer 3 switch or router to point all traffic through the virtual machine gateway

Last updated 4 months ago