Skip to main content

User

A User represents anyone who can access and perform operations in Bytebase. Users include both human team members and service accounts.

Service Account

Service accounts are special users designed for automated processes and applications.

Workload Identity

Workload Identity is a secure authentication method for CI/CD pipelines and external services using OpenID Connect (OIDC) tokens, eliminating the need for long-lived credentials. Unlike traditional Service Accounts that require storing API keys as secrets, Workload Identity:
  • Uses short-lived tokens generated per job
  • Validates tokens against your CI/CD platform’s identity provider
  • Restricts access to specific repositories, branches, and workflows

Setup Workload Identity

GitHub Actions

Configure OIDC authentication for GitHub Actions workflows

User Group

A User Group organizes multiple users together for easier permission management. Workspace admins create groups and add users, then assign these groups to roles within projects.
  • Bytebase does not support nested groups. A group can only contain users, it can’t contain another group.
  • Service accounts cannot be part of user groups. Since service accounts are for automated processes with specific access needs, including them in groups could grant unintended permissions. This is considered an anti-pattern.

Add group

Within Workspace, go to IAM & Admin > Users & Groups, and Add Group from top-right. add-group Create an Email for this group, it’ll serve as an account and cannot be changed after creation. Fill the group’s name into the Title bar. You can Add member below, where they can be Group member as well as Group owner. add-group-detail Here we’ve created a Contractor Group, you can view or edit it under Groups page. view-under-groups You can see which group a user belongs to under Users page as well. view-under-users

Grant roles to group

Now that we’ve created this Contractor Group, we can assign corresponding permissions to these groups within any project. Select Project from top left. Enter Basic Project. enter-basic-project Go to Manage > Members where you can see the project’s members and roles. Our Contractor Group is not among them before we Grant Access to the group from top right. Choose Groups and Select our group in Grant Access detail page. Assign role and Confirm. grant-access Now you can see the Contractor Group under View by members page as well as View by roles page within Members section of Basic Project. project-members-or-roles All members within this group now share permission to the project.