|
1 | | -# Service accounts |
| 1 | +# Service Accounts |
2 | 2 |
|
3 | | -<TierCallout> |
4 | | - Supported on [Enterprise](/pricing/enterprise) plans. |
5 | | - <user> |
6 | | - Available via the Web app. |
7 | | - </user> |
8 | | -</TierCallout> |
| 3 | +Service accounts are specialized user accounts designed for automation, API integrations, and programmatic access to Sourcegraph, as opposed to using access tokens from regular users. Unlike regular user accounts, service accounts don't require an email address or password and cannot access the Sourcegraph UI. They are specifically intended for automated workflows, CI/CD pipelines, scripts, and other non-human access patterns. Service accounts also don't count towards the user limit and won't be part of any billing cycles. |
9 | 4 |
|
10 | | -Service accounts in Sourcegraph are special types of accounts designed for automated tasks and integrations. Unlike regular user accounts, service accounts cannot sign into Sourcegraph directly and can only be used through their associated access tokens. |
| 5 | +## Creating Service Accounts |
11 | 6 |
|
12 | | -## What are service accounts? |
| 7 | +Service accounts are created like regular user accounts, but with a few key differences. |
13 | 8 |
|
14 | | -Service accounts are non-human accounts that enable: |
| 9 | +- Go to **Site admin** → **Users & auth** → **Users** |
| 10 | +- Click **Create User** |
| 11 | +- Enter a descriptive **Username** (e.g., `ci-automation`, `api-integration`) |
| 12 | +- Check the **Service account** checkbox |
| 13 | +- Click **Create service account** |
15 | 14 |
|
16 | | -- **Automated operations**: Run scripts, CI/CD pipelines, or other automated processes that interact with Sourcegraph |
17 | | -- **API integrations**: Build applications that need to access Sourcegraph programmatically |
18 | | -- **Secure token management**: Create dedicated tokens for specific purposes without using personal user accounts |
| 15 | +You'll be presented with some next steps you might want to take, like creating an access token, managing and assigning roles, and managing repository permissions. |
19 | 16 |
|
20 | | -Key characteristics of service accounts: |
| 17 | +- Service accounts are automatically assigned the "Service Account" system role |
| 18 | +- They appear in the user list with "Service account" type designation |
21 | 19 |
|
22 | | -- **Cannot sign in**: Service accounts cannot access the Sourcegraph web interface directly |
23 | | -- **Token-based access only**: All operations must be performed using access tokens |
24 | | -- **No user seat usage**: Service accounts don't count toward your user seat limit and won't affect billing |
25 | | -- **RBAC compatible**: Can be assigned custom roles and permissions like regular users |
| 20 | +## Managing Access Tokens |
26 | 21 |
|
27 | | -## Why use service accounts? |
| 22 | +Service accounts authenticate using access tokens rather than passwords. For detailed information about creating, managing, and using access tokens, see: |
28 | 23 |
|
29 | | -Service accounts provide several advantages over using personal user accounts for automated tasks: |
| 24 | +- [Creating an access token](/cli/how-tos/creating_an_access_token) |
| 25 | +- [Managing access tokens](/cli/how-tos/managing_access_tokens) |
| 26 | +- [Revoking an access token](/cli/how-tos/revoking_an_access_token) |
30 | 27 |
|
31 | | -### Security benefits |
32 | | -- **Isolated permissions**: Scope access to only what's needed for specific automation tasks |
33 | | -- **No human login**: Eliminates risk of compromised human credentials affecting automation |
34 | | -- **Audit trail**: Clearly identify automated vs. human actions in logs and audit trails |
| 28 | +Use service account access tokens to access Sourcegraph's [GraphQL API](/api/graphql). |
35 | 29 |
|
36 | | -### Management benefits |
37 | | -- **Independent lifecycle**: Service accounts persist even if team members leave or change roles |
38 | | -- **Dedicated purpose**: Each service account can be tailored for specific use cases |
39 | | -- **No billing impact**: Unlimited service accounts without affecting user seat counts |
| 30 | +## Role-Based Access Control (RBAC) |
40 | 31 |
|
41 | | -### Common use cases |
42 | | -- **CI/CD pipelines**: Automate code analysis, search operations, or batch changes |
43 | | -- **Monitoring and alerting**: Create dashboards or alerts based on Sourcegraph data |
44 | | -- **Data integration**: Sync repository data with external systems |
45 | | -- **Batch operations**: Perform bulk operations across multiple repositories |
| 32 | +Service accounts integrate with Sourcegraph's [role-based access control](/admin/access_control) to provide fine-grained permission control. |
46 | 33 |
|
47 | | -## Creating service accounts |
| 34 | +### System Roles |
48 | 35 |
|
49 | | -To create a service account: |
| 36 | +Service accounts are automatically assigned the **Service Account** system role, which provides basic API access permissions and standard search capabilities. The **Service Account** system role is applied to all service accounts and can be used to provide service accounts with a default set of permissions. For more specialized service accounts, it is recommended to create custom roles and assign them to service accounts as needed. |
50 | 37 |
|
51 | | -1. Navigate to **Site admin > Users & auth > Service accounts** |
52 | | -2. Click **+ Create service account** |
53 | | -3. Provide a descriptive name for the service account |
54 | | -4. Optionally add a description explaining its purpose |
55 | | -5. Click **Create** |
| 38 | +### Managing Roles |
56 | 39 |
|
57 | | -> NOTE: Only site administrators can create and manage service accounts. |
| 40 | +Administrators can assign additional roles to service accounts through the user management interface. For detailed information on managing roles and permissions, see: |
58 | 41 |
|
59 | | -## Managing access tokens |
| 42 | +- [Managing roles and permissions](/admin/access_control#managing-roles-and-permissions) |
| 43 | +- [Managing user roles](/admin/access_control#managing-user-roles) |
| 44 | +- [Creating custom roles](/admin/access_control#creating-a-new-role-and-assigning-it-permissions) |
60 | 45 |
|
61 | | -Once you've created a service account, you'll need to create access tokens for it to perform operations: |
| 46 | +## Repository Permissions |
62 | 47 |
|
63 | | -### Creating access tokens |
| 48 | +Service accounts respect repository permissions and access controls. For comprehensive information about repository permissions, see the [Repository permissions](/admin/permissions) documentation. |
64 | 49 |
|
65 | | -1. From the service accounts list, click on the service account you want to create a token for |
66 | | -2. In the **Access tokens** section, click **+ Generate new token** |
67 | | -3. Provide a descriptive name for the token |
68 | | -4. Set an expiration date (recommended for security) |
69 | | -5. Click **Generate token** |
70 | | -6. **Important**: Copy the token immediately - it will not be shown again |
71 | | - |
72 | | -### Token security best practices |
73 | | - |
74 | | -- **Use descriptive names**: Clearly identify what each token is used for |
75 | | -- **Set expiration dates**: Regularly rotate tokens by setting reasonable expiration periods |
76 | | -- **Limit scope**: Assign minimal necessary permissions to the service account |
77 | | -- **Secure storage**: Store tokens securely in your automation systems (environment variables, secret managers) |
78 | | -- **Monitor usage**: Review access logs to ensure tokens are being used appropriately |
79 | | - |
80 | | -## Permissions and role-based access control |
81 | | - |
82 | | -Service accounts can be assigned custom roles just like regular users, enabling fine-grained permission control. |
83 | | - |
84 | | -### Assigning roles |
85 | | - |
86 | | -1. Navigate to **Site admin > Users & auth > Users** |
87 | | -2. Find the service account in the user list |
88 | | -3. Click the triple dots to open the context menu |
89 | | -4. Select **Manage roles** |
90 | | -5. Assign or remove roles as needed |
91 | | -6. Click **Update** to save changes |
92 | | - |
93 | | -### Permission scoping |
94 | | - |
95 | | -Use RBAC to limit service account permissions: |
96 | | - |
97 | | -- **Batch Changes**: Control whether the service account can create, modify, or execute batch changes |
98 | | -- **Repository access**: Combine with [repository permissions](/admin/permissions/) to limit which repositories the service account can access |
99 | | -- **Custom roles**: Create specific roles tailored to your automation needs |
100 | | - |
101 | | -Example role configurations: |
102 | | -- **CI/CD Service**: Read-only access to repositories, can trigger searches |
103 | | -- **Batch Change Automation**: Can create and execute batch changes on specific repositories |
104 | | -- **Monitoring Service**: Read-only access for generating reports and dashboards |
105 | | - |
106 | | -## API usage with service accounts |
107 | | - |
108 | | -Service accounts work with all Sourcegraph APIs using their access tokens: |
109 | | - |
110 | | -### GraphQL API |
111 | | -```bash |
112 | | -curl -H "Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>" \ |
113 | | - -H "Content-Type: application/json" \ |
114 | | - -d '{"query": "{ currentUser { username } }"}' \ |
115 | | - https://your-sourcegraph-instance.com/.api/graphql |
116 | | -``` |
117 | | - |
118 | | -### REST APIs |
119 | | -```bash |
120 | | -curl -H "Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>" \ |
121 | | - https://your-sourcegraph-instance.com/.api/search/stream?q=test |
122 | | -``` |
123 | | - |
124 | | -## Monitoring service account activity |
125 | | - |
126 | | -Track service account usage through: |
127 | | - |
128 | | -- **Audit logs**: All service account actions are logged with clear identification |
129 | | -- **Security event logs**: Monitor for unusual access patterns or failures |
130 | | -- **Access token usage**: Review when tokens were last used and from where |
131 | | - |
132 | | -## Troubleshooting |
133 | | - |
134 | | -### Common issues |
135 | | - |
136 | | -**Service account token not working** |
137 | | -- Verify the token hasn't expired |
138 | | -- Check that the service account has the necessary permissions |
139 | | -- Ensure the token is being passed correctly in API requests |
140 | | - |
141 | | -**Permission denied errors** |
142 | | -- Review the service account's assigned roles |
143 | | -- Check repository-level permissions if accessing specific repositories |
144 | | -- Verify the required permissions are included in the service account's roles |
145 | | - |
146 | | -**Token generation fails** |
147 | | -- Ensure you have site administrator privileges |
148 | | -- Check that the service account exists and is active |
149 | | -- Verify there are no conflicting token names |
150 | | - |
151 | | -## Best practices |
152 | | - |
153 | | -1. **Use meaningful names**: Name service accounts and tokens descriptively (e.g., `ci-batch-changes`, `monitoring-dashboard`) |
154 | | -2. **Regular token rotation**: Set expiration dates and rotate tokens periodically |
155 | | -3. **Minimal permissions**: Grant only the permissions necessary for each use case |
156 | | -4. **Monitor and audit**: Regularly review service account activity and permissions |
157 | | -5. **Document usage**: Keep records of what each service account is used for and by which systems |
158 | | -6. **Secure token storage**: Never commit tokens to code repositories; use secure secret management |
| 50 | +Service accounts cannot have external service accounts. If service accounts need access to private repositories, they must explicitly be granted access to those repositories. This can be done from the service account's user settings page, under the **Repo permissions** tab, or via [the GraphQL API](/admin/permissions/api#explicit-permissions-api). |
0 commit comments