Global Service Accounts
Create a Global Service Account
Admins can create a global service account by performing an API call.
Prerequisites
Log in as an Admin user (
ROLE-ADMIN).Retrieve the Sysdig API Token from the Sysdig UI to use with the API.
Create an Account through the API
You can create a global service accounts through the API.
Select one of Sysdig’s pre-configured roles from the list of Available Global Service Accounts Roles.
- Execute the following API call:
### create global service account
POST {{host}}/api/serviceaccounts/
Content-Type: application/json
Authorization: Bearer {{adminToken}}
{
"name": "<SERVICE_NAME>",
"expirationDate": 1731078961000,
"systemRole": "<GLOBAL_SERVICE_ROLE>",
"teamRole": "ROLE_TEAM_NONE"
}
adminToken: User your Sysdig API token.<SERVICE_NAME>: Choose any name you like.<GLOBAL_SERVICE_ROLE>: Use one of the role names from the list of Available Global Service Accounts Roles, for example,ROLE_MANAGE_ACCESS_KEYSorROLE_RUNTIME_INSIGHTSIf successful, the operation will return an API key in the following format:
{
"id": 123456,
"customerId": 123456,
"dateCreated": 1699456696401,
"lastUpdated": 1699456696401,
"expirationDate": 1731078961000,
"name": "<SERVICE_NAME>",
"systemRole": "<GLOBAL_SERVICE_ROLE>",
"teamRole": "ROLE_TEAM_NONE",
"apiKey": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX-XXXX"
}
- The value returned for
apiKeyis the Global Service Account token. Use it as a Bearer token instead of your User API token during Authentication.
`Authorization: Bearer {{apiKey}}`
Available Global Service Accounts Roles
A number of preset global service accounts exist, each with its own set of unique permissions. They include the following:
Runtime Insights
ROLE_RUNTIME_INSIGHTS allows risk spotlight integration. The role contains these permissions:
secure.risk-spotlight-integrations.read
Cloud Ingestion - Okta
ROLE_CLOUDINGESTION_OKTA allows cloud ingestion from Okta. The role contains these permissions:
cloudingestion-okta-ingest.write
Cloud Ingestion - GitHub
ROLE_CLOUDINGESTION_GITHUB allows cloud ingestion from GitHub. The role contains these permissions:
cloudingestion-github-ingest.write
Cloud Ingestion - GCP
ROLE_CLOUDINGESTION_GCP allows cloud ingestion from GCP. The role contains these permissions:
cloudingestion-gcp-ingest.write
Prometheus Remote Write
ROLE_PROM_REMOTE_WRITE allows ingestion of Prometheus remote write metrics. The role contains these permissions:
ingest.prws
Access Keys
ROLE_MANAGE_ACCESS_KEYS allows you to manage access keys. The role contains these permissions:
access-keys.readaccess-keys.edit
Custom Roles
ROLE_MANAGE_CUSTOM_ROLES allows you to manage custom team roles. The role contains these permissions:
permissions.readcustom-team-roles.readcustom-team-roles.createcustom-team-roles.updatecustom-team-roles.delete
Group Mappings
ROLE_MANAGE_GROUP_MAPPINGS allows you to manage group mappings. The role contains these permissions:
permissions.readcustom-team-roles.readcustom-team-roles.createcustom-team-roles.updatecustom-team-roles.delete
Single Sign On Settings
ROLE_MANAGE_SSO_SETTINGS allows you to manage single sign on settings. The role contains these permissions:
sso-active.editsso.config
User Provisioning
ROLE_USER_PROVISONING allows you to manage users and teams. The role contains these permissions:
customer-teams.readteams.createteams.editteams.deletememberships.readmemberships.editmemberships-roles.editusers.createusers.readusers.editgroup-mappings.readgroup-mappings.edit
User and Zone Provisioning
ROLE_USER_ZONE_PROVISIONING allows you to manage users, teams, and zones. The role contains these permissions:
customer-teams.readteams.createteams.editteams.deletememberships.readmemberships.editmemberships-roles.editusers.createusers.readusers.editgroup-mappings.readgroup-mappings.editzones.readzones.edit
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
