For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Astro Private Cloud overview
    • Astro Private Cloud features
      • Configure a secrets backend
      • Configure Kerberos database authentication
      • Third-party ingress controllers
      • Network configuration
      • Bring your own service accounts
      • Configure security contexts
      • Read-only root filesystem
      • TLS certificate management
    • Release and lifecycle policy
    • Support policy

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Step 1: Create a service account template
  • Step 2: Disable automatic service account creation
  • Step 3: Apply the config change
Security and compliance

Bring your own Kubernetes service accounts

Edit this page
Built with

In Astro Private Cloud, you can disable automatic creation of Service Accounts (SA), and use a pre-created service account. When you do this, you can either define service accounts manually, or use a service account creation template.

Using a pre-created service account, Organizations can create service accounts using a central authority or system, without granting Astro Private Cloud similarly elevated permissions.

Step 1: Create a service account template

Use the registry template to create a service account template. The following examples use a service account saved with the name, custom-sa.

Step 2: Disable automatic service account creation

  1. Disable Astronomer from creating Roles, RoleBindings, and other SAs in the namespace by setting the global config rbacEnabled and serviceAccount.create to false globally:
1global:
2  rbacEnabled: false
3  serviceAccount:
4    create: false
  1. You must also set serviceAccount.create to false for each component that will use a custom SA: commander, configsyncer, houston, and houston-worker.
1global:
2  dagOnlyDeployment:
3    enabled: true
4    serviceAccount:
5      create: false
6astronomer:
7  airflowChartVersion: <your-airflow-chart-version>
8  houston:
9    config:
10      deployments:
11        helm:
12          airflow:
13            rbac:
14              create: false
15
16            scheduler:
17              serviceAccount:
18                create: false
19
20            flower:
21              serviceAccount:
22                create: false
23
24            apiServer:
25              serviceAccount:
26                create: false
27
28            triggerer:
29              serviceAccount:
30                create: false
31
32            pgbouncer:
33              serviceAccount:
34                create: false
35
36            migrateDatabaseJob:
37              serviceAccount:
38                create: false
39
40            statsd:
41              serviceAccount:
42                create: false
43            redis:
44              serviceAccount:
45                create: false
46
47            cleanup:
48              serviceAccount:
49                create: false
50
51            workers:
52              serviceAccount:
53                create: false

Step 3: Apply the config change

Then apply the config change.