Commit 35506be

adp: add authorization docs
1 parent 2261b3e commit 35506be

6 files changed

Lines changed: 71 additions & 9 deletions

modules/ai-agents/pages/agents/concepts.adoc

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -140,6 +140,8 @@ When context exceeds the limit, the oldest tool results get truncated, the agent
140140

141141
Design workflows to complete within context limits. Avoid unbounded tool chaining.
142142

143+
include::partial$service-account-authorization.adoc[]
144+
143145
== Next steps
144146

145147
* xref:ai-agents:agents/architecture-patterns.adoc[]

modules/ai-agents/pages/agents/create-agent.adoc

Lines changed: 3 additions & 3 deletions
@@ -210,9 +210,9 @@ The updated metadata appears immediately at `\https://your-agent-url/.well-known
210210

211211
. Configure the service account name (optional):
212212
+
213-
* Default pattern: `<cluster-type>-<cluster-id>-agent-<agent-name>-sa`
214-
* Custom name: 3-128 characters, cannot contain `<` or `>` characters
215-
* This service account authenticates the agent with cluster resources
213+
A service account is automatically created to authenticate your agent with cluster resources. The default name follows the pattern `cluster-<cluster-id>-agent-<agent-name>-sa`. You can customize this name (3-128 characters, cannot contain `<` or `>` characters).
214+
+
215+
For details about default permissions and how to manage service accounts, see xref:ai-agents:agents/concepts.adoc#service-account-authorization[Service account authorization].
216216

217217
. Click *Create Agent*.
218218
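Review bot: the default name pattern in this hunk changes from `<cluster-type>-<cluster-id>-agent-<agent-name>-sa` to `cluster-<cluster-id>-agent-<agent-name>-sa`, so the `<cluster-type>` placeholder becomes the literal `cluster`; confirm that this matches what the product actually generates, since the new shared partial uses the same literal form. Also, the custom-name rule (3-128 characters, no `<` or `>`) now survives only in this page and is no longer stated for MCP servers after the quickstart NOTE was removed; it belongs in the partial's Default configuration section so both resource types document the same constraint.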

modules/ai-agents/pages/agents/quickstart.adoc

Lines changed: 2 additions & 0 deletions
@@ -104,6 +104,8 @@ Response format:
104104
* *Max Iterations*: `30` (allows multiple tool calls per request)
105105

106106
. Review your configuration and click *Create Agent*.
107+
+
108+
TIP: A service account is automatically created to authenticate your agent with cluster resources. For details about default permissions and how to manage service accounts, see xref:ai-agents:agents/concepts.adoc#service-account-authorization[Service account authorization].
107109

108110
. Wait for the agent status to change from *Starting* to *Running*.
109111

modules/ai-agents/pages/mcp/remote/concepts.adoc

Lines changed: 2 additions & 0 deletions
@@ -37,6 +37,8 @@ MCP servers automatically emit OpenTelemetry traces for monitoring and debugging
3737

3838
To monitor MCP server activity, consume traces, and debug failures, see xref:ai-agents:mcp/remote/monitor-mcp-servers.adoc[].
3939

40+
include::partial$service-account-authorization.adoc[]
41+
4042
== Next steps
4143

4244
* xref:ai-agents:mcp/remote/create-tool.adoc[]

modules/ai-agents/pages/mcp/remote/quickstart.adoc

Lines changed: 1 addition & 6 deletions
@@ -191,12 +191,7 @@ This page shows a list of existing servers.
191191
* *Description*: Explain what the server does. For example, `Generates fake user event data and publishes it to Redpanda topics`.
192192
* *Tags*: Add key/value tags such as `owner=platform` or `env=demo`. The tag names `service_account_id` and `secret_id` are reserved and cannot be used.
193193
* *Resources*: Choose a size (XSmall / Small / Medium / Large / XLarge). Larger sizes allow more concurrent requests and faster processing, but cost more. You can change this later.
194-
* *Service Account*: A service account is automatically created for authenticating the MCP server to your cluster. The name is pre-filled. You can customize this name or keep the default.
195-
+
196-
[NOTE]
197-
====
198-
Service accounts authenticate MCP server requests to your Redpanda cluster. The service account has editor permissions to the cluster, allowing it to perform operations like reading and writing data, managing topics, and accessing cluster resources. Service account credentials are stored in the xref:develop:connect/configuration/secret-management.adoc[Secrets Store] with the ID `SERVICE_ACCOUNT_<mcp-server-id>` and scope set to *MCP server*.
199-
====
194+
* *Service Account*: A service account is automatically created for authenticating the MCP server to your cluster. The name is pre-filled but you can customize it. For details about default permissions and how to manage service accounts, see xref:ai-agents:mcp/remote/concepts.adoc#service-account-authorization[Service account authorization].
200195
201196
. Click *Next* to define tools.
202197
+
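Review bot: the removed NOTE carried two facts that do not reappear in this hunk or in the new partial: that the service account credentials are stored in the Secrets Store under the ID `SERVICE_ACCOUNT_<mcp-server-id>` with scope *MCP server* (together with the xref to the secret-management page), and the default permission level, which the old text called "editor permissions" while the partial calls it the "Writer role". Unless the storage location is documented elsewhere, keep the Secrets Store sentence, preferably in the partial so AI agents get it too, and confirm which role name is correct so the pages do not disagree on what the account is allowed to do.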
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
[[service-account-authorization]]
2+
== Service account authorization
3+
4+
When you create an MCP server or AI agent, Redpanda Cloud automatically creates a service account to authenticate requests to your cluster.
5+
6+
=== Default configuration
7+
8+
The service account is created with:
9+
10+
* **Name**: Pre-filled as `cluster-<cluster-id>-<resource-type>-<resource-name>-sa`, where `sa` stands for service account. For example:
11+
** MCP server: `cluster-d5tp5kntujt599ksadgg-mcp-my-test-server-sa`
12+
** AI agent: `cluster-d5tp5kntujt599ksadgg-agent-my-agent-sa`
13+
+
14+
You can customize this name during creation.
15+
16+
* **Role binding**: Cluster scope with Writer role for the cluster where you created the resource. This allows the resource to read and write data, manage topics, and access cluster resources.
17+
18+
=== Manage service accounts
19+
20+
You can view and manage service accounts created for MCP servers and AI agents in *Organization* > *IAM* > *Service accounts*.
21+
22+
The Organization IAM page shows additional details not visible during creation:
23+
24+
[cols="1,2"]
25+
|===
26+
|Field |Description
27+
28+
|Client ID
29+
|Unique identifier for OAuth2 authentication
30+
31+
|Description
32+
|Optional description of the service account
33+
34+
|Created at
35+
|Timestamp when the service account was created
36+
37+
|Updated at
38+
|Timestamp of the last modification
39+
|===
40+
41+
From this page you can:
42+
43+
* Edit the service account name or description
44+
* View and manage role bindings
45+
* Rotate credentials
46+
* Delete the service account
47+
48+
[NOTE]
49+
====
50+
Deleting a service account removes authentication for the associated MCP server or AI agent. The resource will no longer be able to access cluster data.
51+
====
52+
53+
=== Customize role bindings
54+
55+
The default Writer role provides broad access suitable for most use cases. If you need more restrictive permissions:
56+
57+
. Navigate to *Organization* > *IAM* > *Service accounts*.
58+
. Find the service account for your resource.
59+
. Edit the role bindings to use a more restrictive role or scope.
60+
61+
For more about roles and permissions, see xref:security:authorization/rbac/rbac.adoc[].
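Review bot: the `+` list continuation at line 13 follows the nested `** AI agent:` item, so "You can customize this name during creation." will render as part of that nested bullet rather than as a continuation of the *Name* item; move the sentence before "For example:" or make it a standalone paragraph after the list. Two smaller points: `**Name**` and `**Role binding**` use unconstrained bold while the rest of these pages use single-asterisk `*...*`, and since the default binding is Writer at cluster scope, the Customize role bindings section would be more useful if it gave one concrete example of a narrower role or scope from the RBAC page it links to, rather than only "a more restrictive role or scope".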
