
Service Accounts

Service Accounts let your application authenticate to Dodil without using a human user. You create a Service Account in the console, generate a secret, then give it the minimum permissions (policies) needed to access your resources.

Where to find Service Accounts in the console

  1. Open the Dodil Console.
  2. In the top-right corner, open the workspace/organization dropdown.
  3. Select IAM.
  4. In the IAM sidebar, open Service Accounts.

You can also access it directly at:

Create a Service Account

  1. Click Create Service Account.
  2. Give it a clear name, usually based on your app or environment, for example:
    • my-app-dev
    • my-app-prod
    • vng-worker
  3. Click Create.

After creation, you will have a ServiceAccountID. This is the identifier your SDK/API uses as the “client id”.

Generate and save the secret

When you create the Service Account, the console generates a secret.

  • The secret is typically shown only once.
  • Copy it immediately and store it in a safe place (password manager / secret manager).

You will use the ServiceAccountID and secret in your application environment variables.

Example (names may differ depending on your SDK config):

  • DODIL_SERVICE_ACCOUNT_ID=<your ServiceAccountID>
  • DODIL_SERVICE_ACCOUNT_SECRET=<your secret>

Assign permissions (policies)

A Service Account can only access what it is authorized to access. Permissions are managed through policies (roles).

How policies work

  • A policy grants a set of actions (read, write, admin, etc.).
  • Policies can apply to:
    • All resources in your organization (default scope), or
    • A specific resource (restricted scope)

Assign policies in the console

  1. Go to IAM → Service Accounts.
  2. Open your Service Account.
  3. Go to Permissions / Policies in the lower section.
  4. Add the policies your app needs.

Common examples

If your project needs to consume events from VNG and write to VBase, you might assign:

  • vng.consumer
  • vbase.writer

If your project needs to do administrative VBase operations (create collections, build indexes, manage advanced settings), you may need:

  • vbase.admin

Restrict a policy to a single resource (DRN)

For stronger security, you can scope a policy to a specific resource using a Dodil Resource Number (DRN).

Example DRN:

  • drn:dodil:vbase:db-2c3e0108deb84e8aa214192837dhs

Where to find the DRN

You can find the DRN in the relevant service dashboard page (for example, a specific VBase database or cluster page). Copy the DRN and attach it to the policy scope when assigning permissions.

Why you should scope permissions

Scoping policies reduces blast radius:

  • Your Service Account can only access the resource(s) it truly needs.
  • Accidental deletes/writes to other environments (dev vs prod) are less likely.

Recommended practices:

  • Create separate Service Accounts per environment:
    • my-app-dev
    • my-app-staging
    • my-app-prod
  • Give each Service Account the minimum policies needed.
  • Scope policies to specific DRNs whenever possible.
  • Rotate secrets periodically (and immediately if you suspect exposure).
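
One way to review policy assignments against the scoping advice above, as an added example (not Dodil's code or API). The assignment tuples are constructed sample data, the DRN pattern is inferred from the single example DRN on this page, and the environment is assumed to be the Service Account name suffix.

```python
import re
from collections import defaultdict

# Assumption: DRN shape (drn:dodil:<service>:<resource-id>) inferred from the one example on this page.
DRN_RE = re.compile(r"^drn:dodil:([a-z0-9]+):([A-Za-z0-9-]+)$")
ENVS = ("dev", "staging", "prod")
DB_DRN = "drn:dodil:vbase:db-2c3e0108deb84e8aa214192837dhs"  # example DRN from this page

def env_of(account):
    # Assumption: environment is the name suffix, as in my-app-dev / my-app-prod.
    suffix = account.rsplit("-", 1)[-1]
    return suffix if suffix in ENVS else None

def audit(assignments):
    """Return sorted (subject, detail, finding) tuples for (account, policy, scope) rows."""
    findings, envs_by_drn = [], defaultdict(set)
    for sa, policy, scope in assignments:
        service, _, role = policy.partition(".")
        if role == "admin":
            findings.append((sa, policy, "admin policy"))
        if not scope:
            # No DRN attached: the policy applies to all resources in the organization.
            findings.append((sa, policy, "org-wide scope"))
            continue
        m = DRN_RE.match(scope)
        if not m:
            findings.append((sa, policy, "malformed DRN"))
        elif m.group(1) != service:
            findings.append((sa, policy, "DRN service mismatch"))
        elif env_of(sa):
            envs_by_drn[scope].add(env_of(sa))
    for drn, envs in envs_by_drn.items():
        if len(envs) > 1:  # e.g. a dev account can write to the prod database
            findings.append((drn, "+".join(sorted(envs)), "resource shared across environments"))
    return sorted(findings)

# Constructed sample assignments (not exported from a real console).
SAMPLE = [
    ("my-app-prod", "vbase.writer", DB_DRN),
    ("my-app-prod", "vng.consumer", None),
    ("my-app-dev", "vbase.admin", DB_DRN),
    ("my-app-staging", "vng.consumer", DB_DRN),
    ("vng-worker", "vbase.writer", "dodil:vbase:db-example"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
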

Next step

Once you have a ServiceAccountID + secret and the right policies assigned, go back to the SDK setup guide and configure your environment variables so the SDK can authenticate.
