Creating Service Accounts for Third-Party Integrations

Last updated: October 30, 2025

Problem Description

  Users need to create service accounts for third-party integrations like OpenMetadata that require API tokens to access Dagster's GraphQL API. Currently, there is no dedicated service account feature, requiring workarounds for secure integration.

Symptoms

  • Need for API tokens for third-party tools without using personal user tokens

  • Requirement for viewer-level permissions to access GraphQL API

  • Uncertainty about user provisioning for service accounts

Root Cause

  Dagster currently does not have a dedicated service account feature, requiring users to create dummy user accounts as a workaround for third-party integrations that need API access.

Solution

  Create a dummy user account with the necessary viewer permissions for your third-party integration.

Step-by-Step Resolution

  1. Create a dummy user account with an appropriate name (e.g., "openmetadata-service" or "integration-user")

  2. Assign viewer-level permissions to this account

  3. If SSO is enabled, add this user to your Identity Provider (IdP) as email/password login is not available with SSO

  4. Generate an API token for this user account

  5. Use this token in your third-party integration configuration

Alternative Solutions (if applicable)

  If SSO is not enabled, you can create the dummy user manually and have them login via email and password without adding to your IdP.

Prevention

  Monitor for updates on the dedicated service account feature request, which will provide a more secure and purpose-built solution for this use case.