Global Service Accounts
Create a Global Service Account
Admins can create a global service account by performing an API call.
Prerequisites
- Log in as an Admin user (`ROLE-ADMIN`).
- Retrieve the Sysdig API Token from the Sysdig UI to use with the API.
Create an Account through the API
You can create a global service account through the API.
- Select one of Sysdig’s pre-configured roles from the list of Available Global Service Accounts Roles.
- Execute the following API call:
### create global service account
POST {{host}}/api/serviceaccounts/
Content-Type: application/json
Authorization: Bearer {{adminToken}}

{
  "name": "<SERVICE_NAME>",
  "expirationDate": 1731078961000,
  "systemRole": "<GLOBAL_SERVICE_ROLE>",
  "teamRole": "ROLE_TEAM_NONE"
}
- `adminToken`: Use your Sysdig API token.
- `<SERVICE_NAME>`: Choose any name you like.
- `<GLOBAL_SERVICE_ROLE>`: Use one of the role names from the list of Available Global Service Accounts Roles, for example, `ROLE_MANAGE_ACCESS_KEYS` or `ROLE_RUNTIME_INSIGHTS`.
If successful, the operation will return an API key in the following format:
{
  "id": 123456,
  "customerId": 123456,
  "dateCreated": 1699456696401,
  "lastUpdated": 1699456696401,
  "expirationDate": 1731078961000,
  "name": "<SERVICE_NAME>",
  "systemRole": "<GLOBAL_SERVICE_ROLE>",
  "teamRole": "ROLE_TEAM_NONE",
  "apiKey": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX-XXXX"
}
- The value returned for `apiKey` is the Global Service Account token. Use it as a Bearer token instead of your User API token during Authentication.
`Authorization: Bearer {{apiKey}}`
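The request above as an added Python example (not Sysdig's own code): it picks the listed role that covers only the permissions needed, sets a short expiry, and separates the returned `apiKey` from anything that gets logged. It assumes `expirationDate` is Unix epoch milliseconds, as the sample values suggest; the helper names are hypothetical, and host, token and account name are supplied by the caller.

```python
import json
import urllib.request

# Role names and their permissions, copied from the role list on this page.
ROLE_PERMISSIONS = {
    "ROLE_RUNTIME_INSIGHTS": {"secure.risk-spotlight-integrations.read"},
    "ROLE_CLOUDINGESTION_OKTA": {"cloudingestion-okta-ingest.write"},
    "ROLE_CLOUDINGESTION_GITHUB": {"cloudingestion-github-ingest.write"},
    "ROLE_CLOUDINGESTION_GCP": {"cloudingestion-gcp-ingest.write"},
    "ROLE_PROM_REMOTE_WRITE": {"ingest.prws"},
    "ROLE_MANAGE_ACCESS_KEYS": {"access-keys.read", "access-keys.edit"},
}
DAY_MS = 24 * 60 * 60 * 1000


def role_for(needed):
    """Pick the listed role that covers `needed` with the fewest extra permissions."""
    needed = set(needed)
    fits = [(len(p - needed), r) for r, p in ROLE_PERMISSIONS.items() if needed <= p]
    if not fits:
        raise ValueError(f"no single global role grants {sorted(needed)}")
    return min(fits)[1]


def build_request(host, admin_token, name, needed, ttl_days, now_ms):
    """Build the POST shown on this page (assumption: expirationDate is epoch ms)."""
    body = {
        "name": name,
        "expirationDate": now_ms + ttl_days * DAY_MS,
        "systemRole": role_for(needed),
        "teamRole": "ROLE_TEAM_NONE",
    }
    return urllib.request.Request(
        f"{host.rstrip('/')}/api/serviceaccounts/",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {admin_token}"},
    )


def split_secret(response_text):
    """Return (api_key, record_safe_to_log); the key is masked in the record."""
    record = json.loads(response_text)
    api_key = record.pop("apiKey")
    record["apiKey"] = "<redacted>"
    return api_key, record
```

Nothing is sent until the request is passed to `urllib.request.urlopen`; hand the key returned by `split_secret` straight to a secret store and log only the redacted record.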
Available Global Service Accounts Roles
A number of preset global service accounts exist, each with its own set of unique permissions. They include the following:
Runtime Insights
`ROLE_RUNTIME_INSIGHTS` allows risk spotlight integration. The role contains these permissions:
- secure.risk-spotlight-integrations.read
Cloud Ingestion - Okta
`ROLE_CLOUDINGESTION_OKTA` allows cloud ingestion from Okta. The role contains these permissions:
- cloudingestion-okta-ingest.write
Cloud Ingestion - Github
`ROLE_CLOUDINGESTION_GITHUB` allows cloud ingestion from GitHub. The role contains these permissions:
- cloudingestion-github-ingest.write
Cloud Ingestion - GCP
`ROLE_CLOUDINGESTION_GCP` allows cloud ingestion from GCP. The role contains these permissions:
- cloudingestion-gcp-ingest.write
Prometheus Remote Write
`ROLE_PROM_REMOTE_WRITE` allows ingestion of Prometheus remote write metrics. The role contains these permissions:
- ingest.prws
Access Keys
`ROLE_MANAGE_ACCESS_KEYS` allows you to manage access keys. The role contains these permissions:
- access-keys.read
- access-keys.edit