Service Accounts

Service accounts represent non-human machine users, like applications or deployment pipelines, that require programmatic access to a discreet set of secrets. Service accounts are used to:

• Appropriately scope the selection of secrets a machine user has access to.

• Issue access tokens to facilitate programmatic access to, and the ability to decrypt, secrets.

Secrets that your user account has access to are listed in the primary Secrets Manager view as well as by selecting Service accounts from the navigation:

Opening a service account will list the Secrets and People the service account has access to, as well as any generated Access tokens:

To create a new service account:

1. Use the New dropdown to select Service account:

   

2. Enter a Service account name and, in the Access section, type or select the name of the project(s) that this service account should be able to access.

Adding organization members to a service account will allow those people to generate access tokens for the service account and interact with all secrets the service account has access to. To add people to your service account:

1. In the service account, select the People tab.

2. From the people dropdown, type or select the members or groups to add to the project. Once you've selected the right people, select the Add button:

   

During the beta, all members will be given Can read, write access to a service account and associated secrets when assigned.

Adding projects to a service account will allow programmatic access to included secrets using access tokens. You can add both new and existing projects to a service account:

To delete a service account, use the () options menu for the service account to delete to select Delete service account. Deleting a service account will not delete the secrets associated with it. Service accounts are fully removed once deleted and do not get sent to the trash like secrets do.