Run Windows service within Docker with external account

Hi,
This is the situation.

We have EKS, local VMs and a local NFS share (\nfs-share). They are connected with a Transit Gateway. The local machines have an account “lab\test” (not sure if it is in AD or local), which has full access to NFS. What I need is the possibility to write data from EKS into NFS through the local VMs. It is possible: when I’m manually setting credentials in the EKS pod, everything works as expected. But when I’m running a service in EKS which should write data, I cannot assign credentials to it, because it is running in a Docker container.

The Dockerfile is based on the mcr.microsoft.com/dotnet/runtime:8.0-windowsservercore-ltsc2019 image. I need some PowerShell commands which will create the service, run it as the “lab\test” account, somehow authenticate to NFS and write data there.

This is how I’m creating the service:
New-Service -Name 'SERVICEt' -BinaryPathName 'C:\app\SERVICE.exe' -DisplayName 'SERVICE' -StartupType Automatic -Credential $Credential

When I start this service, it shows “Access Denied” while trying to write data.

What can be used here?

For anyone still running into this issue - to get a service running as an explicit user (i.e. passed in via secret or env var so it can access remote resources) you need to first create the user and assign proper perms (perms can be done in the Dockerfile via a group, so you just need to add the user to the group in an entrypoint script).

Then, importantly, you need to give that user the SeServiceLogonRight - this can be done via PowerShell and secedit (I used this function def/script as a base: PS-Manage-Log-On-As-A-Service/Add-ServiceLogonRight.ps1 at main · junecastillote/PS-Manage-Log-On-As-A-Service · GitHub). Only then will it let you assign that user to the service.

Syntax for assigning the user to the service (password is plaintext, and username needs to be of the syntax $un='.\username'):

$service = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$service.Change($null, $null, $null, $null, $null, $false, "$un", $pw)
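
The steps from the reply above, put together as one entrypoint script. This is an added example, not code from either poster or from the linked script; the environment variables SVC_USER and SVC_PASSWORD, the group AppWriters and the service name SERVICE are assumed placeholders, and it expects to run as an administrator in Windows PowerShell 5.1 with the service already created.

```powershell
# Added example: container entrypoint sketch. SVC_USER, SVC_PASSWORD, the group
# 'AppWriters' and the service name 'SERVICE' are assumed placeholders.
$ErrorActionPreference = 'Stop'
$user        = $env:SVC_USER
$pw          = $env:SVC_PASSWORD
$serviceName = 'SERVICE'
$right       = 'SeServiceLogonRight'

# 1. Create the local user and add it to the group the Dockerfile gave permissions to.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force
    New-LocalUser -Name $user -Password $secure -PasswordNeverExpires | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'AppWriters' -Member $user -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'AppWriters' -Member $user
}

# 2. Grant SeServiceLogonRight: export current rights, keep existing holders, add the SID.
$sid = (Get-LocalUser -Name $user).SID.Value
$exp = Join-Path $env:TEMP 'rights-export.inf'
$inf = Join-Path $env:TEMP 'rights-apply.inf'
$sdb = Join-Path $env:TEMP 'rights-apply.sdb'
secedit /export /cfg $exp /areas USER_RIGHTS | Out-Null
$current = (Get-Content $exp | Where-Object { $_ -match "^$right\s*=" }) -replace "^$right\s*=\s*", ''
$holders = @("$current" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) + "*$sid" |
    Select-Object -Unique
@(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]', "$right = $($holders -join ',')"
) | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# 3. Assign the account to the service; Change() reports failure via ReturnValue, not an exception.
$service = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$result  = $service.Change($null, $null, $null, $null, $null, $false, ".\$user", $pw)
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# 4. Remove temporary files and drop the plaintext password from this process before starting.
Remove-Item $exp, $inf, $sdb -Force -ErrorAction SilentlyContinue
Remove-Item Env:SVC_PASSWORD -ErrorAction SilentlyContinue
$pw = $null
Start-Service -Name $serviceName
```

The template lists every existing holder of the right alongside the new SID, so applying it adds the user without removing accounts that already had the right.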