Service Accounts vs Regular Accounts

Hi there,

I am looking into the possibility of using a service account (as explained in Service accounts | Docker Documentation). This is in the context of an organisation with the Team plan. However, I am a little bit confused about how to create a service account. The first step of the procedure outlined in the page above is to create a DockerID. And the only way that seems to be possible is with the regular, e-mail driven sign-up process. So in order to use a service account, you have to create a regular account as you would do as a real-life person, then create an access token for that account and set the permissions for the account so it has access to the relevant repositories? Is that correct? Or is there another way as an organisation admin to generate service accounts?

It looks like a service account is not really more than an access token without admin privileges. It is useful to make sure the password of your user account will not be stolen. You can use that access token in your code and if an attacker gets that token and if you notice that in time, you can delete that access token. If you use your password in your code, the attacker can steal your account and you can’t do anything against it.

I have a PRO account and I can create access tokens. The “Creating new service account” section says you need to create a new docker id. I don’t know exactly why, but maybe because then the access token will not belong to anyone in the team, so you can manage that independently. Even if you leave the team, the service account will still be there. Or if you have access to other repositories as well, the new account will not have it.

Even if I am not right, a service account usually belongs to a user, and inherits its privileges, so I am not surprised that you need an actual user.