# ory-selfhosting
s
What is the recommended way to create a `kratos` user with an admin (service account?) with a certain `keto` access rule? The goal is to create a developer account to maintain `keto` rights that can only be accessed by our developers. One way, we figure, is to use `kubectl exec`, but since this account only needs to be created on initialization, there must be a more conventional way 🚤 💨
✅ 1
m
So you basically want to have 1 admin/service account that is created when initializing the service? What is the problem with using `kubectl exec`? I assume you call the Kratos admin API to create the account and add the relation-tuple to Keto - apologies, but I am not really familiar with k8s..
s
Yep, that's the idea. I wondered if there might be a recommended way from Ory to do so. Otherwise using a kubernetes job or the `kubectl` cli is fine too
m
I will ask around 🙂
🙌 1
w
Hi there, in general if this is an init task, something to be done once and only once, I would recommend using a job with a post-install/upgrade annotation. The alternative would be a postExecHook in the deployment itself, but this would cause the operation to be executed per pod, which is not recommended
s
Hey @worried-kitchen-94392, thanks! We managed with a job and a simple shell setup. If this topic is found by anyone, I'm sharing the shell script here:
```
# Create the identity through the Kratos admin API.
# jq '.id' keeps the JSON quotes around the ID, which the second request relies on.
USER_ID=$(curl --silent --show-error \
  -X POST "http://kratos-admin/admin/identities" \
  -d '{"schema_id":"user","traits":{"email":"example@example.com","name":{"first":"admin"}},"credentials":{"password":{"config":{"password":"valid_exammple"}}}}' \
  -H 'Content-Type: application/json' | jq '.id')

echo "USER_ID=$USER_ID"

# Write the Keto relation tuple that grants this identity "access" on "administration".
curl -s -i \
  -X PUT "http://keto-write/relation-tuples" \
  -d '{"namespace":"permissions","object":"administration","relation":"access","subject_id":'"$USER_ID"'}' \
  -H 'Content-Type: application/json'
```
w
@magnificent-energy-493 do we have a FAQ to which we could link this?
m
Sorry, missed that @worried-kitchen-94392. Maybe this: https://www.ory.sh/docs/kratos/debug/troubleshooting Or we add it to the helm chart docs? We could add it to https://github.com/ory/examples as a little example snippet (maybe as a discussion item)? We could also make a document for example cURL commands (that work for both selfhosted and cloud) somewhere. So many options, but I would say maybe start with a discussion here, and maybe we make a whole document out of it sometime.