Service accounts are used by applications, scripts, or services to interact with the Cloud Security platform. They enable the execution of automated tasks, access to databases, and the performance of specific processes without direct user intervention.
Functionalities
- Key-based authentication: unlike basic users that use a password and MFA to authenticate, service accounts authenticate to APIs using a pair of credentials (Client ID and Client Secret).
- Multiple key management: a single service account can have multiple active access keys, enabling safe rotation without downtime.
- Principle of Least Privilege: permissions are assigned directly to the service account through specific roles, ensuring that each account performs only actions permitted by its role and restricting unauthorized access to other APIs.
- Auditable actions: all actions performed by a service account via API are recorded in the audit reports, ensuring compliance with security policies.
- Management permissions: only tenant administrators can create, edit, disable, or delete service accounts, ensuring centralized control.
Security and lifecycle
- One-time secret visibility: for security reasons, the client secret is displayed only once upon the creation of an access key. If a secret is lost, the administrator must generate a new access key.
- State management: service accounts can be temporarily disabled without being deleted. Disabling a service account immediately revokes API access for all of its active keys.
- Tenant isolation: a service account can only interact with the specific tenant where it was created. It cannot view, access, or modify data in any other tenant.
Roles
Service accounts within Cloud Security can have different roles, which determine their access and responsibilities. When creating a service account, you must define the roles that will dictate its permission level. These roles apply to all active access keys generated for that account.
| Role | Product | Description |
|---|---|---|
| SCIM Management | Cloud Security | Grants access to the SCIM 2.0 API endpoints, allowing automated provisioning, querying, updating, and deactivation of platform users. More information in About user provisioning with SCIM 2.0. |
| Certificate Discovery | Certificate Manager | Access to perform certificate discovery. More information in About Domain discovery. |