Headless authentication with service accounts

2 December 2022

zli v. 6.14.3


  • Service accounts. Beginning with zli v. 6.14.3 and bzero v. 7.3.0, BastionZero supports headless authentication via service accounts. Generic, Google, and Microsoft service accounts are all supported. You can learn more about service accounts on
  • Connect to multiple Kubernetes targets. The zli supports simultaneous connections to multiple Kubernetes targets and can also connect to the same target if the targetUser (Kubernetes role) is distinct from other running Kube connections on the same machine.\
    IMPORTANT zli v. 6.14.3** introduces a change to the context name used when connecting to a Kubernetes cluster secured by BastionZero.** > Bzero-context is no longer used to connect to your cluster. Instead, all contexts follow a format that includes both the targetUser (Kubernetes role) and targetName (cluster name): bzero-{targetUser}@{targetName} > Each Kubernetes connection creates an additional context entry following the same bzero- format mentioned above > zli generate kubeConfig is no longer required before connecting to a Kubernetes target. Simply run zli connect {targetUser}@{targetName}, and the zli will update your kubeconfig to a new context entry to connect to your target > Before upgrading, adjust any tooling that relies on the former context name, bzero-context

Some quick how-to's

  • To view open Kubernetes connections, use zli list-connections -t kube or zli lc to see what Kubernetes connections exist.
  • To display a list of your Kube connections and their corresponding context name, use zli list-daemons kube or zli ld kube.
  • To close a Kubernetes connection, use zli close <connection-id> for a specific connection or zli close -t kube to close all Kubernetes connections.
  • To disconnect from the Kubernetes daemon, use zli disconnect kube.
  • To set a specific port when connecting, use --customPort. A free port to use for the Kube daemon is decided at connection time instead of being loaded from the config.
  • To set a default namespace when using zli connect, use the --namespace flag. This namespace is used as a default when using kubectl and other clients that respect the kubeconfig namespace field.
Find more information on connecting to your Kubernetes clusters with BastionZero in our docs.


  • zli send-logs. Resolved issue so zli send-logs sends zli logs when no daemon logs exist

bzero v. 7.3.0

For those who use Helm to install the Kubernetes bzero agent, you must update the Helm repository to chart version >= 1.1.3 before doing a fresh install of the bzero agent. You can do this with helm repo update.
This action updates the bctl-agent role to include permissions for retrieving logs from pods within the deployed namespace for the zli send-logs feature. Even if you do not intend to use send-logs, you must be using chart version >= 1.1.3 for any new Helm installations to be compatible with the new backend changes. We strongly recommend everyone who uses Helm takes this action.


  • Service accounts. To use service accounts, you must be running a minimum of zli v. 6.14.3 and bzero v. 7.3.0. Older versions of bzero do not support the service account feature

Web app & backend


  • Service accounts. Event logs, policy, and user management have been updated to include service accounts


  • Last login. Resolved issue with login records that caused intermittent issues with the onboarding tool\
For questions or to give us feedback on how we can make our updates better, reach out to [email protected].