Commit

docs: update service account
tianzhou committed Nov 20, 2024
1 parent 2725514 commit 1ad0e32
Showing 2 changed files with 11 additions and 5 deletions.
13 changes: 9 additions & 4 deletions content/docs/administration/user-groups.md
Expand Up @@ -6,11 +6,10 @@ feature_name: USER_GROUPS
`User Group` or simply `Group` contains a set of users. `Group` simplifies access management as you can grant
roles to a `Group` instead of granting to the individual users one by one.

<HintBlock type="info">
## Constraints

Bytebase does not support nested group. A group can only contain users, it can't contain another group.

</HintBlock>
- Bytebase does not support nested group. A group can only contain users, it can't contain another group.
- You can only add normal user account to the group and can not add service account. Service account within a group is an [anti-pattern](https://cloud.google.com/iam/docs/best-practices-service-accounts#groups).

## Add group
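Review bot: The second bullet under `## Constraints` states the service-account restriction that the new `## Service account` section later in this file repeats word for word, so the two copies can drift; keep the rule in one place and cross-link from the other. The bullets also need grammar fixes: "nested group" should be "nested groups", the comma splice in "A group can only contain users, it can't contain another group" should be split into two sentences, and "can only add normal user account ... can not add service account" should read "can only add normal user accounts ... cannot add service accounts".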

Expand Down Expand Up @@ -49,3 +48,9 @@ Now you can see the `Contractor Group` under **View by members** page as well as
![project-members-or-roles](/content/docs/administration/user-groups/project-members-or-roles.webp)

All members within this group now share permission to the project.

## Service account

You can only add normal user account to the group and can not add service account.

Service accounts are designed for application use, with each application typically having unique access needs. Since applications rarely perform identical functions, their required resource access tends to differ, making shared or identical permissions uncommon.
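Review bot: The first sentence of `## Service account` duplicates the constraint bullet added at the top of the file but drops the anti-pattern link, and the section never tells the reader what to do instead. Suggest replacing the repeated sentence with the alternative (grant roles to each service account individually, scoped to what that application needs), moving the anti-pattern link next to the rationale paragraph, and changing "can not add service account" to "cannot add service accounts".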
3 changes: 2 additions & 1 deletion content/docs/api/authentication.md
Expand Up @@ -10,7 +10,8 @@ title: Authentication

## Service Account

You should create service account to interact with the Bytebase API.
A service account is a non-human account used by applications, scripts, or services to access the Bytebase API. The service account follows the same permission model as the normal user account. The only exception
is service account can't be added to a group as it's an [anti-pattern](https://cloud.google.com/iam/docs/best-practices-service-accounts#groups).

In **Users & Groups** under **Security & Policy** section, **Add User** on the upper-right. Choose **Service Account** Type, fill in the email and **Confirm**. Then you can see your service account in the list. **Copy Service Key** right away.
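Review bot: The added sentence is hard-wrapped mid-clause ("The only exception" / "is service account can't be added to a group") and is ungrammatical; suggest putting "The only exception is that a service account can't be added to a group, which is an anti-pattern." on one line. The change also deletes the only sentence telling readers to create a service account before the steps that follow, so consider keeping a short lead-in to the procedure. Since the text now says the service account "follows the same permission model as the normal user account", this is also a good place to link to the new Service account section in user-groups.md, which explains why each service account gets its own role grants.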
