Service Accounts
  • 23 Jul 2024

Service Accounts in Cloud Portal

Applications that need to interact with IAP APIs are created as Service Accounts in Itential's Cloud Portal. Service Accounts provide a secure way to connect external systems to IAP Cloud through one set of login information, and protect user data by granting access via a client token ID without revealing user credentials.

Authorization Clients and Access Control

With Service Accounts in the Cloud environment, third-party services (i.e., Identity Providers) can make requests on behalf of a user without accessing passwords or other sensitive information. Using OAuth2 protocols over HTTPS, the requesting service sends a client token ID and secret key; authorization and access controls are then applied so that the service or application can do only what it is permitted to do. The client ID identifies the Service Account, and the secret key provides proof of right-to-access.

Enable Roles for Service Accounts in Cloud Portal

For security reasons, the roles that enable the creation and management of Service Accounts are not assigned to any groups by default. To manage Service Accounts, you must add the Service Account roles (see below) to a Group associated with the users who may manage them. Consider carefully which users have the ability to manage Service Accounts, because Service Accounts grant access to your Itential cloud account.

To enable Service Accounts:

  1. Select Groups from the sidebar of Itential Cloud Portal.

     Note: For this example, the "Admin" group will be used. Whoever is enabling the management of Service Accounts can add the roles to any group they choose.

  2. Locate the Admins membership group in the Groups Table using the Search Bar.

  3. Click the row of the Admins group in the Groups Table; the Roles settings window will display for that group.

  4. Select the Cloud API tab to view all roles in that collection.

  5. Use the toggle to enable the service-accounts:read and service-accounts:write roles (Figure 1).

  6. Click Save to retain your settings.

  7. Log out of the Cloud Portal and log in again to fetch the new roles. Service Accounts will display in the left sidebar menu (Figure 2).

Figure 1: Assign Service Account Roles

Figure 2: Cloud Portal Sidebar Menu

Using Service Accounts in Cloud Portal

The following sections summarize how to use and manage Service Accounts in IAP Cloud.

Create New Service Accounts

To create a new Service Account:

  1. Select Service Accounts from the sidebar of Itential Cloud Portal.

  2. Click +New Service Account to create a service account. Give the service account a unique name and an optional description, and select an instance (Figure 3).

  3. Click the Download Client Keys button to retain a copy of the client keys (client_id and client_secret). A CSV file downloads to your local system.

     If your copy of the client keys is lost, you will need to regenerate new client keys (described in the next section). The prior client keys are no longer valid and cannot be recovered.

     Figure 3: Create New Service Account

  4. Click the Create button. The newly created service account will appear in the list of Service Accounts in the table.

Downloaded client keys can be shared with other users; however, it is important to share them in a controlled, secure manner (e.g., encrypted) to ensure the right person has access and not someone masquerading as a valid application.
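As an added example (not Itential's own code), the following Python loads the downloaded client-keys CSV from the step above and prepares the OAuth2 client-credentials request described under Authorization Clients and Access Control, refusing any non-HTTPS endpoint and redacting the secret for logs. The CSV column layout, the token endpoint URL and the grant_type parameter are assumptions; the request is built but not sent, so the code runs offline.

```python
import csv
import io
from urllib.parse import urlencode, urlparse

# Constructed sample of the downloaded client-keys file. The column names
# client_id and client_secret come from the article; the exact CSV layout
# is an assumption.
SAMPLE_CLIENT_KEYS_CSV = "client_id,client_secret\nsa-example-id,sa-example-secret\n"


def load_client_keys(csv_text):
    """Parse the downloaded keys file and return (client_id, client_secret)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) != 1 or not rows[0].get("client_id") or not rows[0].get("client_secret"):
        raise ValueError("expected exactly one row with client_id and client_secret")
    return rows[0]["client_id"], rows[0]["client_secret"]


def build_token_request(token_url, client_id, client_secret):
    """Prepare an OAuth2 client_credentials token request as (url, headers, body).

    The token endpoint URL is an assumption (the article does not name one).
    Plain http is refused so the secret never travels unencrypted.
    """
    if urlparse(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_url, headers, body


def redact(client_secret):
    """Render a secret for logs or tickets: keep only the last 4 characters."""
    return "*" * max(len(client_secret) - 4, 0) + client_secret[-4:]


if __name__ == "__main__":
    cid, secret = load_client_keys(SAMPLE_CLIENT_KEYS_CSV)
    url, headers, body = build_token_request("https://example.invalid/oauth/token", cid, secret)
    print(url, headers, "client_secret=" + redact(secret))
```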

Regenerate Client Keys

If the client keys are lost, you will need to create a new client_id and client_secret and invalidate the old keys.

  1. Open the service account from the Service Accounts table by clicking the ellipsis at the end of the row and selecting the Edit menu option. The Roles and Groups collection view displays.

  2. Click the menu button (⋮) in the upper-right corner and select the View and Edit Details option (Figure 4). The Service Account Details dialog will open.

     Figure 4: View and Edit Details

  3. Click the Regenerate Client Keys button to create a new Client ID and Client Secret (Figure 5). The button will disappear and the new client keys will display.

     Figure 5: Regenerate Client Keys

  4. Click the Download Client Keys button to save a copy to your local system (Figure 6).

  5. Click Save to apply the new client keys. A success message banner will display to confirm the new client keys were saved to the service account.

Figure 6: Download and Save Client Keys

Assign Roles to Service Accounts

A role grants permission to access one or more API endpoints, and a role may be assigned to any number of users or groups. The roles for managing Service Accounts are available to all IAP applications in your Cloud account, including development, staging, and production.

To assign Roles:

  1. Open the desired service account from the Service Accounts table (Figure 7) by clicking the ellipsis at the end of the row and selecting the Edit menu option.
  2. Select the Roles tab to view all roles in that collection.
  3. Assign the roles the service account should have for IAP APIs (Figure 8).
  4. Click Save to retain your changes.

Figure 7: Service Accounts

Figure 8: Assign Service Account Roles

Enable/Disable Service Accounts

Use the toggle switch next to the service account name on the Service Accounts table to enable (turn on) or disable (turn off) the Service Account (Figure 9). Authentication is not permitted against disabled Service Accounts.

Figure 9: Enable/Disable Service Accounts

Delete Service Accounts

To delete a service account, open the service account from the Service Accounts table by clicking the ellipsis at the end of the row and selecting the Edit menu option. Next, click the menu button (⋮) in the upper-right corner and select the Delete Service Account option (Figure 10). The service account is removed from the table view.

Figure 10: Delete Service Account
