For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Astro Private Cloud overview
    • Astro Private Cloud features
      • Configure a secrets backend
      • Configure Kerberos database authentication
      • Third-party ingress controllers
      • Network configuration
      • Bring your own service accounts
      • Configure security contexts
      • Read-only root filesystem
      • TLS certificate management
    • Release and lifecycle policy
    • Support policy

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Step 1: Create a service account template
  • Step 2: Disable automatic service account creation
  • Step 3: Apply the config change
Security and compliance

Bring your own Kubernetes service accounts

Built with

In Astro Private Cloud, you can disable automatic creation of Service Accounts (SA), and use a pre-created service account. When you do this, you can either define service accounts manually, or use a service account creation template.

Using a pre-created service account, Organizations can create service accounts using a central authority or system, without granting Astro Private Cloud similarly elevated permissions.

Step 1: Create a service account template

Use the registry template to create a service account template. The following examples use a service account saved with the name, custom-sa.

Step 2: Disable automatic service account creation

  1. Disable Astronomer from creating Roles, RoleBindings, and other SAs in the namespace by setting the global config rbacEnabled and serviceAccount.create to false globally:
1global:
2  rbacEnabled: false
3  serviceAccount:
4    create: false
  1. You must also set serviceAccount.create to false for each component that will use a custom SA: commander, configsyncer, houston, and houston-worker.
1global:
2  dagOnlyDeployment:
3    enabled: true
4    serviceAccount:
5      create: false
6astronomer:
7  airflowChartVersion: <your-airflow-chart-version>
8  houston:
9    config:
10      deployments:
11        helm:
12          airflow:
13            rbac:
14              create: false
15
16            scheduler:
17              serviceAccount:
18                create: false
19
20            flower:
21              serviceAccount:
22                create: false
23
24            apiServer:
25              serviceAccount:
26                create: false
27
28            triggerer:
29              serviceAccount:
30                create: false
31
32            pgbouncer:
33              serviceAccount:
34                create: false
35
36            migrateDatabaseJob:
37              serviceAccount:
38                create: false
39
40            statsd:
41              serviceAccount:
42                create: false
43            redis:
44              serviceAccount:
45                create: false
46
47            cleanup:
48              serviceAccount:
49                create: false
50
51            workers:
52              serviceAccount:
53                create: false

Step 3: Apply the config change

Then apply the config change.