Using Service Accounts to Access Itential Cloud APIs
  • 08 Nov 2024


Service Accounts allow third-party services and applications to call various Itential Cloud product APIs without requiring the use of user account credentials. Service Accounts use the OAuth2 Client Credentials grant type to provide access to the Itential Cloud APIs. Service Account access control management is explained in the sections below.

Service Accounts Roles

For security reasons, the ability to manage Service Accounts is protected by the service-accounts:read and service-accounts:write Cloud application roles. To grant a user the right to manage Service Accounts, you must enable these roles in the groups whose users need to manage Service Accounts.

For more on how to configure groups for role access, see Managing Users & Groups.

Managing Service Accounts

Service Accounts protect access to the APIs of a specific product in your Itential Cloud account. If you have several products or environments enabled, you will create a separate Service Account for each of the products. This process improves security by enforcing application access isolation to ensure that access to unintended applications is not possible.

The following sections summarize how to use and manage Service Accounts.

Create a New Service Account

To create a new Service Account:

  1. Select Administration → Service Accounts in the portal sidebar.

  2. Click +New Service Account to create a service account. Give the service account a unique name and an optional description, then select the Product to protect.

  3. Click the Download Client Keys button to retain a copy of the client keys (client_id and client_secret). A CSV file downloads to your local system.

  4. If your copy of the client keys is lost, you will need to regenerate new client keys (described in the next section). The prior client keys are no longer valid and cannot be recovered.

  5. Click the Create button. The newly created service account will appear in the list of Service Accounts in the table.

    Create New Service Account

Downloaded client keys can be shared with other users; however, it is important to share them in a controlled, secure manner (e.g., encrypted) to ensure that only the right person receives them.
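
The following added example (not Itential's own code) shows how an application might consume the downloaded client keys with the OAuth2 Client Credentials grant: it refuses a key file that other local users can read, builds the token request, and reuses the token until shortly before it expires. The token endpoint URL is a placeholder, and the CSV column names, the `CLIENT_KEYS_CSV` environment variable, and the server accepting HTTP Basic client authentication are assumptions.

```python
import base64, csv, json, os, stat, time
import urllib.parse, urllib.request

# Placeholder: the page does not state the token endpoint; substitute your tenant's.
TOKEN_URL = "https://token-endpoint.invalid/oauth/token"

def load_client_keys(csv_path):
    """Read the downloaded client keys; column names here are assumed."""
    mode = stat.S_IMODE(os.stat(csv_path).st_mode)
    if mode & 0o077:  # secret readable by group or other users on this host
        raise PermissionError(f"{csv_path}: mode {mode:o} is too open, use 600")
    with open(csv_path, newline="") as fh:
        row = next(csv.DictReader(fh))
    return row["client_id"].strip(), row["client_secret"].strip()

def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Client Credentials request (RFC 6749 section 4.4) with HTTP Basic auth."""
    # RFC 6749 section 2.3.1: form-encode each value before Basic encoding.
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    })

def fetch_token(request):
    """Send the request; returns the parsed JSON token response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuse one bearer token until shortly before it expires."""
    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._deadline = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._deadline = self._clock() + resp.get("expires_in", 0) - self._skew
        return self._token

if __name__ == "__main__":
    # Path to the CSV saved by Download Client Keys, passed via an assumed env var.
    cid, secret = load_client_keys(os.environ["CLIENT_KEYS_CSV"])
    cache = TokenCache(lambda: fetch_token(build_token_request(cid, secret)))
    api_headers = {"Authorization": f"Bearer {cache.get()}"}  # attach to each API call
```
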

Regenerate Client Keys

If the client keys are lost, you will need to regenerate new client_id and client_secret values, which will also invalidate the previous values.

  1. Open the service account from the Service Accounts table by clicking the ellipsis at the end of the row and selecting the Edit menu option. The Roles and Groups collection view displays.
  2. Click the menu button (⋮) in the upper-right corner and select the View and Edit Details option. The Service Account Details dialog will open.
  3. Click the Regenerate Client Keys button to create a new Client ID and Client Secret. The button will disappear and the new client keys will display.
  4. Click the Download Client Keys button to save a copy to your local system.
  5. Click Save to apply the new client keys. A success message banner will display to confirm the new client keys were saved to the service account.

Assign Roles to Service Accounts

You can directly assign a product role to a Service Account by following these steps:

  1. Open the desired service account from the Service Accounts table by clicking the ellipsis at the end of the row and selecting the Edit menu option.
  2. Select the Roles tab to view all roles in that collection.
  3. Assign the roles the service account should have for IAP APIs.
  4. Click Save to retain your changes.

Note that only the roles applicable to the product for which the Service Account was created are shown.

Associating Groups with Service Accounts

You can associate a group to a Service Account by following these steps:

  1. Open the desired service account from the Service Accounts table by clicking the ellipsis at the end of the row and selecting the Edit menu option.
  2. Select the Groups tab to view all groups in your Itential Cloud account.
  3. Select the groups the Service Account should be associated with.
  4. Click Save to retain your changes.

Note that groups can have roles from different products associated with them. The Service Account will only inherit those roles which are appropriate for the product for which the Service Account was created.

Enable/Disable Service Accounts

Use the toggle switch next to the Service Account name on the Service Accounts table to enable (turn on) or disable (turn off) the Service Account. Any application attempt to access the APIs using the credentials of a disabled Service Account will be rejected.

Delete Service Accounts

To delete a service account, open the service account from the Service Accounts table by clicking the ellipsis at the end of the row and selecting the Edit menu option. Next, click the menu button (⋮) in the upper-right corner and select the Delete Service Account option. The service account is removed from the table view.

The credentials associated with the Service Account are automatically invalidated when the Service Account is deleted.

