A service account can be used to automate management of objects such as dashboards, alerts, etc. A service account can’t perform the UI operations that all user accounts can perform by default. There’s no limit on the number of service accounts that you can create in your organization.
What Are Service Accounts?
Service accounts are used for automating management tasks.
- A service account uses a token to authenticate.
- Each account is automatically added to the Everyone group. If a role is assigned to that group, the service account gets the permissions from that role.
- Service account can be added to any group to get that group’s role (and permissions).
As an administrator, you generate (and revoke, if needed) authentication tokens for the service account. It’s also possible to deactivate a service account completely.
How Service Accounts Work
If you build a service or tool that manages proxies or ingests data, then that tool must authenticate to the Wavefront API.
- Create a service account from the Wavefront UI. The service account name must be unique.
- Assign a role to the account to give the account the permissions it needs. Service accounts can perform get, modify, and delete tasks only if they have the necessary permissions.
Configure your tool to pass the service account credentials (API token) to the Wavefront API.
The tool authenticates seamlessly to the API without embedding secret keys or user credentials in your instance, image, or application code.
You can disable a service account if you temporarily don’t need it, or you can delete the account permanently.
Create a Service Account
Creating a service account is different from creating a user account.
- From the gear icon on the taskbar, select Account Management.
- Click the Service Accounts tab and click Create New Account.
- On the New Service Account page, specify the account details and click Create.
|Account ID||ID of the account. We prefix this ID with sa::.
A service account name must be unique. Wavefront converts service account ID to lower case to avoid confusion that can result from almost identical account names (e.g. Service-1 and service-1). Users can type upper case or lower case.
|Tokens||List of API tokens that the service account can use to authenticate to Wavefront.
|Groups||By default, service accounts are added to the Everyone group and you cannot remove them. If you assign roles to the Everyone group, all the service accounts get the permissions associated with that role. You can also add a service accounts to other groups.|
|Roles||Roles for the service account. Roles are sets of permissions. You can create one or two roles and use those roles only for service accounts.|
|Permissions||Individual permissions assigned to this service account. For example, give the account Proxies permission to interact with proxies or Alerts permissions to retrieve data from alerts.|
After you create the account, you can change its role or group assignment. The process is the same for user accounts and service accounts.
Deactivate or Activate a Service Account
You can temporarily (or permanently) deactivate a service account. When an account is deactivated, none of the corresponding tokens work.
You can activate or deactivate a service account from the Service Accounts page or from the Edit Service Account page.
To activate or deactivate an account from the Service Accounts page:
To activate or deactivate an account from the Edit Service Account page: