DOCS-325 - Service accounts (#5041)

* Start rough draft

* Rough draft

* Update docs/manage/security/service-accounts.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

* Updates from review by Kevin Keech

* Update audit logging section

* Upates from Slack comments

* Add CID

* Change release note date to April 15 2025

* Change release note date to April 25 2025

* Add API doc

* Change release note date to May 1 2025

---------

Co-authored-by: Kim (Sumo Logic) <[email protected]>

Author: jpipkin1

blog-service/2025-05-01-manage.md

@@ -0,0 +1,17 @@
+---
+title: Service Accounts (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - access keys
+  - service accounts
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We are happy to announce that you can now create service accounts in Sumo Logic. Service accounts are a special type of account designed for automating processes that use Sumo Logic APIs, such as scripts, integrations, and infrastructure as code. Unlike user accounts, service accounts are not associated with an individual and do not allow for interactive logins.
+
+[Learn more](/docs/manage/security/service-accounts).
+
+<img src={useBaseUrl('/img/security/service-accounts-page.png')} alt="Service Accounts tab" style={{border: '1px solid gray'}} width="800"/>

cid-redirects.json

@@ -2361,6 +2361,7 @@
   "/cid/5155": "/docs/manage/field-extractions",
   "/cid/5156": "/docs/send-data/collection/processing-rules",
   "/cid/5162": "/docs/manage/security/access-keys",
+  "/cid/51621": "/docs/manage/security/service-accounts",
   "/cid/5163": "/docs/search/search-query-language/search-operators/geo-lookup-map",
   "/cid/5164": "/",
   "/cid/5165": "/docs/manage/data-forwarding/amazon-s3-bucket",

docs/api/index.md

@@ -210,6 +210,11 @@ To connect with other Sumo Logic users, post feedback, or ask a question, visit
   <a href="/docs/api/search-job"><img src={useBaseUrl('img/icons/search.png')} alt="Thumbnail icon" width="50"/><h4>Search Job</h4></a>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/api/service-accounts"><img src={useBaseUrl('img/icons/business/user-permissions.png')} alt="Thumbnail icon" width="50"/><h4>Service Accounts</h4></a>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/api/service-allowlist"><img src={useBaseUrl('img/icons/security/unlock.png')} alt="Thumbnail icon" width="50"/><h4>Service Allowlist</h4></a>

docs/api/service-accounts.md

@@ -0,0 +1,39 @@
+---
+id: service-accounts
+title: Service Accounts APIs
+sidebar_label: Service Accounts
+description: Use the API to manage service accounts.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import ApiIntro from '../reuse/api-intro.md';
+import ApiRoles from '../reuse/api-roles.md';
+
+<img src={useBaseUrl('img/icons/business/user-permissions.png')} alt="icon" width="50"/>
+
+The Service Accounts API allows you to manage service accounts. [Service accounts](/docs/manage/security/service-accounts/) are a special type of account designed for automating processes that use Sumo Logic APIs, such as scripts, integrations, and infrastructure as code. Unlike user accounts, service accounts are not associated with an individual and do not allow for interactive logins.
+
+## Documentation
+
+<ApiIntro/>
+
+| Deployment | Documentation URL                                                  |
+|:------------|:--------------------------------------------------------------------|
+| AU         | https://api.au.sumologic.com/docs/#tag//serviceAccountManagement  |
+| CA         | https://api.ca.sumologic.com/docs/#tag//serviceAccountManagement  |
+| DE         | https://api.de.sumologic.com/docs/#tag//serviceAccountManagement  |
+| EU         | https://api.eu.sumologic.com/docs/#tag//serviceAccountManagement  |
+| FED        | https://api.fed.sumologic.com/docs/#tag//serviceAccountManagement |
+| IN         | https://api.in.sumologic.com/docs/#tag//serviceAccountManagement  |
+| JP         | https://api.jp.sumologic.com/docs/#tag//serviceAccountManagement  |
+| KR         | https://api.kr.sumologic.com/docs/#tag//serviceAccountManagement  |
+| US1        | https://api.sumologic.com/docs/#tag//serviceAccountManagement     |
+| US2        | https://api.us2.sumologic.com/docs/#tag//serviceAccountManagement |
+
+## Required role capabilities
+
+<ApiRoles/>
+
+* User Management (all role capabilities)
+
+Only administrators can create service accounts. If you are unsure whether you are an administrator, you can view your role in **Preferences** (see [Onboarding Checklists](https://help.sumologic.com/docs/get-started/onboarding-checklists/)).

docs/manage/security/access-keys.md

@@ -10,6 +10,7 @@ In Sumo Logic, you'll need an access key to:
 
 * **Register new Collectors**. When you install a Collector, in addition to having a role that grants you the **Manage Collectors** capability, you must supply an access key. You can use a different access key for each Collector, or use the same access key for multiple Collectors. The only time a Collector uses the access key is at installation, so if a key is deleted after a Collector has been set up, the Collector isn't affected.
 * **Use Sumo Logic APIs**. You must supply an access key to use the Sumo Logic APIs. See [API Authentication](/docs/api/getting-started#authentication) for details.
+* **Run scripts or automation**. Create access keys to provide authentication for scripts or automation.
 
 ## Prerequisites
 
@@ -19,10 +20,16 @@ In Sumo Logic, you'll need an access key to:
 
 ## Create an access key
 
-### From the Personal Access Keys page
+### From the Personal Access Keys tab
+
+A *personal access key* is a key that you can create to manage access for personal use. 
+
+:::tip
+If you are an administrator who needs to create an access key for system use (such as for API scripts, third party integrations, or infrastructure as code), we recommend you create the access key on a [service account](#from-a-service-account). 
+:::
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select your username and then **Preferences > Personal Access Keys**.<br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select your username, and then under **Preferences** select **Personal Access Keys**. You can also click the **Go To...** menu at the top of the screen and select **Personal Access Keys**.
-1. On the **Personal Access Keys** tab, click **+ Add Access Key**.<br/><img src={useBaseUrl('/img/security/access-key-preferences-page.png')} alt="Personal Access Keys page" style={{border: '1px solid gray'}} width="800"/><br/>The **Add New Access Key** window appears.<br/><img src={useBaseUrl('/img/security/create-access-key.png')} alt="Add New Access Key screen" style={{border: '1px solid gray'}} width="500"/>
+1. On the **Personal Access Keys** tab, click **+ Add Access Key**.<br/><img src={useBaseUrl('/img/security/access-key-preferences-page.png')} alt="Personal Access Keys tab" style={{border: '1px solid gray'}} width="800"/><br/>The **Add New Access Key** window appears.<br/><img src={useBaseUrl('/img/security/create-access-key.png')} alt="Add New Access Key screen" style={{border: '1px solid gray'}} width="500"/>
 1. **Name**. Enter a name for your access key.  
 1. **Allowed CORS Domains (optional)**. Create an allowlist of domains from which the access key can be used to access Sumo Logic APIs. For more information, see [CORS support](#cors-support). 
     :::note
@@ -41,15 +48,26 @@ In Sumo Logic, you'll need an access key to:
    After you click **Done**, you will not be able to recover this Access ID and Access Key.
    :::
 
-All personal access keys created in the organization are displayed in the **Access Keys** page, described next. 
+All personal access keys created in the organization are displayed in the **Access Keys** tab, described next. 
+
+### From the Access Keys tab
 
-### From the Access Keys page
+The **Access Keys** tab shows all access keys in the system. It provides a central place for administrators to manage access keys.
 
-Administrators can create access keys under **Access Keys** as an alternative to doing it [from the Personal Access Keys page](#from-the-personal-access-keys-page).
+Administrators can create access keys under **Access Keys** as an alternative to doing it [from the Personal Access Keys tab](#from-the-personal-access-keys-tab) or [from a service account](#from-a-service-account).
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Access Keys**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Access Keys**. You can also click the **Go To...** menu at the top of the screen and select **Access Keys**.
-1. At the top right of the table, click **+ Add Access Key**. <br/><img src={useBaseUrl('/img/security/access-key-security-page.png')} alt="Sumo Logic interface showing a list of access keys with options to add a new access key, search access keys, and statuses of existing keys." width="700"/>
-1. Follow the steps in the [previous section](#from-the-personal-access-keys-page), starting with step 3.
+1. At the top right of the table, click **+ Add Access Key**. <br/><img src={useBaseUrl('/img/security/access-key-security-page.png')} alt="Sumo Logic interface showing a list of access keys with options to add a new access key, search access keys, and statuses of existing keys." style={{border: '1px solid gray'}} width="700"/>
+1. Follow the steps in [From the Personal Access Keys tab](#from-the-personal-access-keys-tab) section above, starting with step 3.
+
+### From a Service Account
+
+Administrators can create access keys on a service account for use in scripts or automation. For more information, see [Service Accounts](/docs/manage/security/service-accounts).
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. Select a service account.
+1. Click **Add Access Key**.<br/><img src={useBaseUrl('/img/security/service-account-details.png')} alt="Add Access Key button on service account details pane" style={{border: '1px solid gray'}} width="300"/>
+1. Follow the steps in [From the Personal Access Keys tab](#from-the-personal-access-keys-tab) section above, starting with step 3.
 
 #### CORS support
 
@@ -89,7 +107,7 @@ an Access-Control-Allow-Origin header.
 If you have the [**Manage Access Keys** role capability](/docs/manage/users-roles/roles/role-capabilities#security), you can edit, deactivate, and delete any access keys created by other users in your organization.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Access Keys**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Access Keys**. You can also click the **Go To...** menu at the top of the screen and select **Access Keys**. 
-1. Hover your mouse over an access key and click the three-dot kebab icon. This reveals the same modification options that appear on the **Personal Access Key** page, [as described above](#edit-deactivate-or-delete-access-keys).
+1. Hover your mouse over an access key and click the three-dot kebab icon. This reveals the same modification options that appear on the **Personal Access Key** tab, [as described above](#edit-deactivate-or-delete-access-keys).
 
 ### Access Keys deactivation policy
 
@@ -103,3 +121,13 @@ To configure the Access Keys deactivation policy:
     :::note
     This section is visible to Administrators only.
     :::
+
+## Audit logging for access key activity
+
+Access key events are recorded in the Audit Event Index. To search for for access key events, run this query:
+
+```
+_index=sumologic_audit_events _sourceCategory=accessKeys
+```
+
+For more information about audit logging, see [Audit Event Index](/docs/manage/security/audit-indexes/audit-event-index/).

docs/manage/security/service-accounts.md

@@ -0,0 +1,84 @@
+---
+id: service-accounts
+title: Service Accounts
+description: Service accounts allow you to create access keys that can be used in scripts or automation.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+A service account allows you to create [access keys](/docs/manage/security/access-keys/) for processes that run Sumo Logic APIs. You can use a service account to create multiple access keys. Because access keys in a service account are not tied to an individual user, they can continue to be used even if the creator’s user account is deactivated or deleted. Service accounts are an ideal way to ensure continuity of operation for critical services. 
+
+You can use service accounts to provide authentication for operations that use Sumo Logic APIs, such as:
+* API scripts
+* Third party integrations
+* Infrastructure as code (for example, Terraform)
+
+Benefits of using service accounts include:
+* The **Service Accounts** tab, a dedicated page to manage service keys and to reduce their being confused with [personal access keys](/docs/manage/security/access-keys/#from-the-personal-access-keys-tab).
+* Access keys on service accounts can be [scoped](#add-an-access-key-to-a-service-account) with reduced capabilities to reduce impact.
+* There is [audit trail](#audit-logging-for-service-account-activity) for changes to service keys.
+
+:::tip
+You can use the API to create and manage service accounts. See [Service Accounts API](/docs/api/service-accounts/).
+:::
+
+## Prerequisites
+
+Only administrators can create service accounts. If you are unsure whether you are an administrator, you can view your role in **Preferences** (see [Onboarding Checklists](/docs/get-started/onboarding-checklists/)).
+
+## Create a service account
+
+To configure a service account, you must first create the account and then add access keys to it. You can add multiple access keys to each service account. 
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. On the **Service Accounts** tab, click **+ Add Service Account**.<br/><img src={useBaseUrl('/img/security/service-accounts-page.png')} alt="Service Accounts tab" style={{border: '1px solid gray'}} width="700"/>
+<br/>The **Add Service Account** window appears.<br/><img src={useBaseUrl('/img/security/add-service-account.png')} alt="Add Service Account window" style={{border: '1px solid gray'}} width="300"/>
+1. **Name**. Enter a name for your service account. Make it descriptive enough so that others will be able to tell what its purpose is.
+1. **Email**. Enter an email to associate with the service account. It should be an email monitored by an organization rather than an email for an individual, so that it is not dependent on use by a single person.
+1. **Roles**. Select the roles to assign to the service account. A service account must have the [role capabilities](/docs/manage/users-roles/roles/role-capabilities) needed to execute the tasks its access keys are needed for.  
+   :::tip
+   You can further limit permissions in the access keys using scope. The scoping of keys allows you to further restrict an access key to a subset of the service account’s assigned role capabilities.
+   :::
+1. Click **Save**.
+1. Proceed to the next section to add access keys to the service account.
+
+### Add an access key to a service account
+
+After you have created a service account, add access keys to the service account. The access keys are tied to the service account. When you create an access key for a service account, ensure that the scope of the key is restricted to only the rights needed for the key. 
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. Select a service account.
+1. Click **Add Access Key**.<br/><img src={useBaseUrl('/img/security/service-account-details.png')} alt="Add Access Key button on service account details pane" style={{border: '1px solid gray'}} width="300"/>
+1. The **Add New Access Key** window appears. Add the access key information, including scopes. Follow the steps to add an access key as described in [Create an access key](/docs/manage/security/access-keys/#create-an-access-key). <br/><img src={useBaseUrl('/img/security/create-access-key.png')} alt="Add New Access Key screen" style={{border: '1px solid gray'}} width="500"/>
+1. You can add multiple access keys to the service account.
+
+:::note
+Any access keys you add on a service account appear on the [**Access Keys** tab](/docs/manage/security/access-keys/#from-the-access-keys-tab).
+:::
+
+## Change a service account
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. Hover your mouse over a service account and click the three-dot kebab icon to reveal the modification options.<br/><img src={useBaseUrl('/img/security/modify-options-for-service-accounts.png')} alt="Edit a service account" style={{border: '1px solid gray'}} width="700"/>
+
+:::warning
+When a service account is deactivated or deleted, the access keys on the service account are also deactivated or deleted. For more information about deactivation, see [Access Keys deactivation policy](/docs/manage/security/access-keys/#access-keys-deactivation-policy).
+:::
+
+## Change an access key on a service account
+
+To modify only the access keys on a service account (rather than the service account itself), open the service account, hover over an access key, and click the three-dot kebab icon to reveal modification options.
+
+<img src={useBaseUrl('/img/security/edit-access-keys-on-service-account.png')} alt="Edit access keys on a service account" style={{border: '1px solid gray'}} width="300"/>
+
+## Audit logging for service account activity
+
+Service account events are recorded in the Audit Event Index as user events. To search for for service account events, run this query:
+
+```
+_index=sumologic_audit_events _sourceCategory=users
+```
+
+Service account events will return with `subsystem` shown as `serviceAccounts`.
+
+For more information about audit logging, see [Audit Event Index](/docs/manage/security/audit-indexes/audit-event-index/).

sidebars.ts

@@ -1058,6 +1058,7 @@ module.exports = {
         'manage/security/2-step-verification-admins',
         'manage/security/2-step-verification-users',
         'manage/security/access-keys',
+        'manage/security/service-accounts',
         {
           type: 'category',
           label: 'Audit Indexes',
@@ -3097,6 +3098,7 @@ integrations: [
         'api/scan-budget',
         'api/scheduled-views',
         'api/search-job',
+        'api/service-accounts',
         'api/service-allowlist',
         'api/service-map',
         'api/slo-management',