rename: machine accounts → service accounts in config (#586)

## Summary

- Renames all Role objects from `iam-machine-accounts-*` /
`identity-machine-account-keys-*` to `iam-service-accounts-*` /
`identity-service-account-keys-*`
- Updates permissions in roles from `machineaccounts.*` /
`machineaccountkeys.*` to `serviceaccounts.*` / `serviceaccountkeys.*`
- Updates `iam-editor` and `iam-viewer` aggregate roles to reference
`serviceaccounts` permissions
- Renames ProtectedResource objects (`iam.miloapis.com-machineaccount` →
`iam.miloapis.com-serviceaccount`, etc.)
- Renames resource-metrics config files and updates metric name prefixes
(`milo_machine_accounts` → `milo_service_accounts`)
- Updates audit policy configmap to audit `serviceaccountkeys` instead
of `machineaccountkeys`
- Updates activity policy for the renamed `ServiceAccount` resource kind
- Updates apiserver deployment flag names to
`--serviceaccountkeys-provider-*`

Without this PR, users get a 403 when trying to list/create service
accounts because the RBAC permission
`iam.miloapis.com/serviceaccounts.list` doesn't exist yet — only
`machineaccounts.list` was defined.

## Test plan

- [ ] Verify users with `iam-viewer` or `iam-editor` role can list
service accounts after milo picks up these config changes
- [ ] Verify service account keys can be created/listed/deleted
- [ ] Confirm old `iam-machine-accounts-*` roles are deleted from the
cluster (or coexist during transition)

Author: kevwilliams

config/roles/iam-editor.yaml

@@ -22,10 +22,10 @@ spec:
     - iam.miloapis.com/userinvitations.update
     - iam.miloapis.com/userinvitations.patch
     - iam.miloapis.com/userinvitations.delete
-    - iam.miloapis.com/machineaccounts.create
-    - iam.miloapis.com/machineaccounts.update
-    - iam.miloapis.com/machineaccounts.patch
-    - iam.miloapis.com/machineaccounts.delete
+    - iam.miloapis.com/serviceaccounts.create
+    - iam.miloapis.com/serviceaccounts.update
+    - iam.miloapis.com/serviceaccounts.patch
+    - iam.miloapis.com/serviceaccounts.delete
     - iam.miloapis.com/policybindings.create
     - iam.miloapis.com/policybindings.update
     - iam.miloapis.com/policybindings.patch

config/roles/iam-viewer.yaml

@@ -24,9 +24,9 @@ spec:
     - iam.miloapis.com/userinvitations.get
     - iam.miloapis.com/userinvitations.list
     - iam.miloapis.com/userinvitations.watch
-    - iam.miloapis.com/machineaccounts.get
-    - iam.miloapis.com/machineaccounts.list
-    - iam.miloapis.com/machineaccounts.watch
+    - iam.miloapis.com/serviceaccounts.get
+    - iam.miloapis.com/serviceaccounts.list
+    - iam.miloapis.com/serviceaccounts.watch
     - iam.miloapis.com/protectedresources.get
     - iam.miloapis.com/protectedresources.list
     - iam.miloapis.com/protectedresources.watch

config/services/identity/policies/kustomization.yaml

@@ -4,4 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
 resources:
-  - machineaccount-policy.yaml
+  - serviceaccount-policy.yaml

…tity/policies/machineaccount-policy.yaml …tity/policies/serviceaccount-policy.yamlconfig/services/identity/policies/machineaccount-policy.yaml renamed to config/services/identity/policies/serviceaccount-policy.yaml config/services/identity/policies/machineaccount-policy.yaml renamed to config/services/identity/policies/serviceaccount-policy.yaml

@@ -1,23 +1,23 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
-# ActivityPolicy for MachineAccount resources.
-# Defines how MachineAccount API operations appear in activity timelines.
+# ActivityPolicy for ServiceAccount resources.
+# Defines how ServiceAccount API operations appear in activity timelines.
 #
 # Audit rules handle CRUD operations captured by the Kubernetes API server audit log.
 # No eventRules — the controller sets conditions but does not emit Kubernetes Events.
 #
 # Design principles:
-# - Use the machine account name as display text
-# - Action-oriented language ("created machine account", "deactivated machine account")
+# - Use the service account name as display text
+# - Action-oriented language ("created service account", "deactivated service account")
 # - State-specific rules (deactivate/activate) are evaluated before the generic update rule
 apiVersion: activity.miloapis.com/v1alpha1
 kind: ActivityPolicy
 metadata:
-  name: iam.miloapis.com-machineaccount
+  name: iam.miloapis.com-serviceaccount
 spec:
   resource:
     apiGroup: iam.miloapis.com
-    kind: MachineAccount
+    kind: ServiceAccount
 
   # Audit log rules for CRUD operations.
   # These are automatically captured by the API server and don't require controller code.
@@ -26,20 +26,20 @@ spec:
   auditRules:
     - name: create
       match: "!audit.user.username.startsWith('system:') && audit.verb == 'create'"
-      summary: "{{ actor }} created machine account {{ link(audit.objectRef.name, audit.objectRef) }}"
+      summary: "{{ actor }} created service account {{ link(audit.objectRef.name, audit.objectRef) }}"
 
     - name: delete
       match: "!audit.user.username.startsWith('system:') && audit.verb == 'delete'"
-      summary: "{{ actor }} deleted machine account {{ audit.objectRef.name }}"
+      summary: "{{ actor }} deleted service account {{ audit.objectRef.name }}"
 
     - name: deactivate
       match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource) && has(audit.requestObject.spec) && has(audit.requestObject.spec.state) && audit.requestObject.spec.state == 'Inactive'"
-      summary: "{{ actor }} deactivated machine account {{ link(audit.objectRef.name, audit.objectRef) }}"
+      summary: "{{ actor }} deactivated service account {{ link(audit.objectRef.name, audit.objectRef) }}"
 
     - name: activate
       match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource) && has(audit.requestObject.spec) && has(audit.requestObject.spec.state) && audit.requestObject.spec.state == 'Active'"
-      summary: "{{ actor }} reactivated machine account {{ link(audit.objectRef.name, audit.objectRef) }}"
+      summary: "{{ actor }} reactivated service account {{ link(audit.objectRef.name, audit.objectRef) }}"
 
     - name: update
       match: "!audit.user.username.startsWith('system:') && audit.verb in ['update', 'patch'] && !has(audit.objectRef.subresource)"
-      summary: "{{ actor }} updated machine account {{ link(audit.objectRef.name, audit.objectRef) }}"
+      summary: "{{ actor }} updated service account {{ link(audit.objectRef.name, audit.objectRef) }}"

docs/api/iam.md

@@ -12,7 +12,7 @@ Resource Types:
 
 - [Group](#group)
 
-- [MachineAccount](#machineaccount)
+- [ServiceAccount](#serviceaccount)
 
 - [PlatformAccessApproval](#platformaccessapproval)
 
@@ -45,6 +45,7 @@ Resource Types:
 
 
 
+
 GroupMembership is the Schema for the groupmemberships API
 
 <table>
@@ -301,6 +302,7 @@ with respect to the current state of the instance.<br/>
 
 
 
+
 Group is the Schema for the groups API
 
 <table>
@@ -443,15 +445,16 @@ with respect to the current state of the instance.<br/>
       </tr></tbody>
 </table>
 
-## MachineAccount
+## ServiceAccount
 <sup><sup>[↩ Parent](#iammiloapiscomv1alpha1 )</sup></sup>
 
 
 
 
 
 
-MachineAccount is the Schema for the machine accounts API
+
+ServiceAccount is the Schema for the service accounts API
 
 <table>
     <thead>
@@ -471,7 +474,7 @@ MachineAccount is the Schema for the machine accounts API
       <tr>
       <td><b>kind</b></td>
       <td>string</td>
-      <td>MachineAccount</td>
+      <td>ServiceAccount</td>
       <td>true</td>
       </tr>
       <tr>
@@ -480,29 +483,29 @@ MachineAccount is the Schema for the machine accounts API
       <td>Refer to the Kubernetes API documentation for the fields of the `metadata` field.</td>
       <td>true</td>
       </tr><tr>
-        <td><b><a href="#machineaccountspec">spec</a></b></td>
+        <td><b><a href="#serviceaccountspec">spec</a></b></td>
         <td>object</td>
         <td>
-          MachineAccountSpec defines the desired state of MachineAccount<br/>
+          ServiceAccountSpec defines the desired state of ServiceAccount<br/>
         </td>
         <td>false</td>
       </tr><tr>
-        <td><b><a href="#machineaccountstatus">status</a></b></td>
+        <td><b><a href="#serviceaccountstatus">status</a></b></td>
         <td>object</td>
         <td>
-          MachineAccountStatus defines the observed state of MachineAccount<br/>
+          ServiceAccountStatus defines the observed state of ServiceAccount<br/>
         </td>
         <td>false</td>
       </tr></tbody>
 </table>
 
 
-### MachineAccount.spec
-<sup><sup>[↩ Parent](#machineaccount)</sup></sup>
+### ServiceAccount.spec
+<sup><sup>[↩ Parent](#serviceaccount)</sup></sup>
 
 
 
-MachineAccountSpec defines the desired state of MachineAccount
+ServiceAccountSpec defines the desired state of ServiceAccount
 
 <table>
     <thead>
@@ -517,10 +520,10 @@ MachineAccountSpec defines the desired state of MachineAccount
         <td><b>state</b></td>
         <td>enum</td>
         <td>
-          The state of the machine account. This state can be safely changed as needed.
+          The state of the service account. This state can be safely changed as needed.
 States:
-  - Active: The machine account can be used to authenticate.
-  - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions.<br/>
+  - Active: The service account can be used to authenticate.
+  - Inactive: The service account is prohibited to be used to authenticate, and revokes all existing sessions.<br/>
           <br/>
             <i>Enum</i>: Active, Inactive<br/>
             <i>Default</i>: Active<br/>
@@ -530,12 +533,12 @@ States:
 </table>
 
 
-### MachineAccount.status
-<sup><sup>[↩ Parent](#machineaccount)</sup></sup>
+### ServiceAccount.status
+<sup><sup>[↩ Parent](#serviceaccount)</sup></sup>
 
 
 
-MachineAccountStatus defines the observed state of MachineAccount
+ServiceAccountStatus defines the observed state of ServiceAccount
 
 <table>
     <thead>
@@ -547,25 +550,25 @@ MachineAccountStatus defines the observed state of MachineAccount
         </tr>
     </thead>
     <tbody><tr>
-        <td><b><a href="#machineaccountstatusconditionsindex">conditions</a></b></td>
+        <td><b><a href="#serviceaccountstatusconditionsindex">conditions</a></b></td>
         <td>[]object</td>
         <td>
-          Conditions provide conditions that represent the current status of the MachineAccount.<br/>
+          Conditions provide conditions that represent the current status of the ServiceAccount.<br/>
         </td>
         <td>false</td>
       </tr><tr>
         <td><b>email</b></td>
         <td>string</td>
         <td>
-          The computed email of the machine account following the pattern:
+          The computed email of the service account following the pattern:
 {metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}<br/>
         </td>
         <td>false</td>
       </tr><tr>
         <td><b>state</b></td>
         <td>enum</td>
         <td>
-          State represents the current activation state of the machine account from the auth provider.
+          State represents the current activation state of the service account from the auth provider.
 This field tracks the state from the previous generation and is updated when state changes
 are successfully propagated to the auth provider. It helps optimize performance by only
 updating the auth provider when a state change is detected.<br/>
@@ -577,8 +580,8 @@ updating the auth provider when a state change is detected.<br/>
 </table>
 
 
-### MachineAccount.status.conditions[index]
-<sup><sup>[↩ Parent](#machineaccountstatus)</sup></sup>
+### ServiceAccount.status.conditions[index]
+<sup><sup>[↩ Parent](#serviceaccountstatus)</sup></sup>
 
 
 

docs/api/identity.md

@@ -12,7 +12,7 @@ Package v1alpha1 contains API types for identity-related resources.
 
 - [UserIdentity](#useridentity)
 - [Session](#session)
-- [MachineAccountKey](#machineaccountkey)
+- [ServiceAccountKey](#serviceaccountkey)
 
 ---
 
@@ -77,33 +77,33 @@ This resource provides information about user authentication sessions, including
 
 ---
 
-### MachineAccountKey
+### ServiceAccountKey
 
-MachineAccountKey represents a credential for a MachineAccount.
+ServiceAccountKey represents a credential for a ServiceAccount.
 
-This resource allows users to manage API keys for machine-to-machine authentication. When a MachineAccountKey is created, the system generates a private key that is returned in the status only once.
+This resource allows users to manage API keys for machine-to-machine authentication. When a ServiceAccountKey is created, the system generates a private key that is returned in the status only once.
 
 **Use cases:**
 
 - Authenticating external services and automation scripts
 - Managing key rotation and expiration
-- Auditing machine account activity
+- Auditing service account activity
 
 **Important notes:**
 
 - The `privateKey` is ONLY available in the creation response and is NEVER persisted in the Milo API server.
 - Keys can have an optional expiration date.
-- Each key is associated with a specific `MachineAccount` identified by its email.
+- Each key is associated with a specific `ServiceAccount` identified by its email.
 
-#### MachineAccountKeySpec
+#### ServiceAccountKeySpec
 
 | Field | Type | Description |
 | :--- | :--- | :--- |
-| `machineAccountUserName` | string | The email address of the MachineAccount that owns this key. |
+| `serviceAccountUserName` | string | The email address of the ServiceAccount that owns this key. |
 | `expirationDate` | metav1.Time | Optional date and time when the key will expire. |
 | `publicKey` | string | Optional public key to be registered. If not provided, one will be auto-generated. |
 
-#### MachineAccountKeyStatus
+#### ServiceAccountKeyStatus
 
 | Field | Type | Description |
 | :--- | :--- | :--- |