Use service accounts

Service accounts let third-party services and applications call Itential Cloud APIs without using user credentials. They use the OAuth2 Client Credentials grant type for API access.

Before you begin

To manage service accounts, you need the service-accounts:read and service-accounts:write roles. To grant a user the ability to manage service accounts, enable these roles in the groups those users belong to. See Manage users and groups for instructions.

About service accounts

Service accounts provide API access to a specific product in your Itential Cloud account. If you have multiple products or environments, create a separate service account for each. This isolates application access and prevents unintended API access across products.

Create a service account

Open Service Accounts

Go to Administration → Service Accounts from the sidebar, then click + New Service Account.

Configure the account

Give the service account a unique name and optional description, then select the product to protect. Click Create.

Download client keys

Click Download Client Keys to download your credentials (client_id and client_secret) as a CSV file. Save this file for future reference.

New service account with client key download option

Finish

Click Continue. The new service account appears in the Service Accounts list with its Roles and Groups.

Store your client keys securely. If you lose them, you must regenerate new keys — the previous keys cannot be recovered. Share client keys only through secure, encrypted channels.

Regenerate client keys

If you lose your client keys, regenerate new credentials. This invalidates the previous client_id and client_secret.

Open the service account

On the Service Accounts page, click the service account you want to update.

Access key regeneration

Click the More (⋮) menu in the upper-right corner and select View and Edit Details.

Regenerate and save

Click Regenerate Client Keys. The new client keys are displayed. Click Download Client Keys to save a copy, then click Save to apply the new keys. A confirmation message appears when the keys are saved.

Assign roles to a service account

Open the service account

On the Service Accounts page, click the desired service account.

Select roles

Click the Roles tab. Select the roles the service account needs for Itential Platform APIs. Only roles applicable to the service account’s product appear in the list.

Save

Click Save.

Associate groups with a service account

Open the service account

On the Service Accounts page, click the desired service account.

Select groups

Click the Groups tab. Select the groups to associate with the service account. Groups can contain roles from different products. The service account only inherits roles that match its assigned product.

Save

Click Save.

Enable or disable a service account

Use the toggle switch in the Enabled column next to the service account name in the Service Accounts table. Applications cannot access APIs using credentials from a disabled service account.

Delete a service account

Open the service account

On the Service Accounts page, click the desired service account.

Delete

Click the More (⋮) menu in the upper-right corner, select Delete Service Account, then click Delete in the confirmation modal.

The service account is removed and its credentials are automatically invalidated.