For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
      • Upgrade Astronomer
      • Apply a config change
        • Configure a secrets backend
        • Configure Kerberos database authentication
        • Configure a custom image registry
        • Third-Party ingress controllers
        • Bring your own service accounts
        • Generate self-signed certificates
        • Renew a TLS certificate
        • Configure security contexts
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Step 1: Create a service account template
  • Step 2: Disable automatic service account creation
  • Step 3: Apply the config change.
AdministrationSecurity and compliance

Bring your own Kubernetes service accounts

Edit this page
Built with

In Astronomer Software, you can disable automatic creation of Service Accounts (SA), and use a pre-created service account. When you do this, you can either define service accounts manually, or use a service account creation template.

Using a pre-created service account, Organizations can create using a central authority or system, without granting Astronomer Software similarly elevated permissions.

Step 1: Create a service account template

Use the registry template to create a service account template. The following examples use a service account saved with the name, custom-sa.

Step 2: Disable automatic service account creation

  1. Disable Astronomer from creating Roles, RoleBindings, and other SAs in the namespace by setting the global config rbacEnabled and serviceAccount.create to false globally:
1global:
2  rbacEnabled: false
3  serviceAccount:
4    create: false
  1. You must also set serviceAccount.create to false for each component that will use a custom SA: commander, configsyncer, houston, and houston-worker.
1global:
2  dagOnlyDeployment:
3    enabled: true
4    serviceAccount:
5      create: false
6astronomer:
7  airflowChartVersion: <your-airflow-chart-version>
8  houston:
9    config:
10      deployments:
11        helm:
12          airflow:
13            rbac:
14              create: false
15
16            scheduler:
17              serviceAccount:
18                create: false
19
20            flower:
21              serviceAccount:
22                create: false
23
24            webserver:
25              serviceAccount:
26                create: false
27
28            triggerer:
29              serviceAccount:
30                create: false
31
32            pgbouncer:
33              serviceAccount:
34                create: false
35
36            migrateDatabaseJob:
37              serviceAccount:
38                create: false
39
40            statsd:
41              serviceAccount:
42                create: false
43            redis:
44              serviceAccount:
45                create: false
46
47            cleanup:
48              serviceAccount:
49                create: false
50
51            workers:
52              serviceAccount:
53                create: false

Step 3: Apply the config change.

Then apply the config change.