Global Service Accounts

Global service accounts are an extension of team-based service acounts. Unlike team-based service accounts, global service accounts can perform actions that require system level permissions. To restrict the risk involved in granting system permissions, global service accounts are packaged in specific roles. Each role has only the permissions needed to perform a specific task, such as managing access keys, or ingesting Prometheus remote write metric. Admins can create a global service account through the API by generating a bearer token.

Create a Global Service Account

Admins can create a global service account by performing an API call.

Prerequisites

Create an Account through the API

You can create a global service accounts through the API.

Select one of Sysdig’s pre-configured roles from the list of Available Global Service Accounts Roles.

  1. Execute the following API call:
### create global service account
POST {{host}}/api/serviceaccounts/
Content-Type: application/json
Authorization: Bearer {{adminToken}}

{
    "name": "<SERVICE_NAME>",
    "expirationDate": 1731078961000,
    "systemRole": "<GLOBAL_SERVICE_ROLE>",
    "teamRole": "ROLE_TEAM_NONE"
}
  • adminToken: User your Sysdig API token.

  • <SERVICE_NAME>: Choose any name you like.

  • <GLOBAL_SERVICE_ROLE>: Use one of the role names from the list of Available Global Service Accounts Roles, for example, ROLE_MANAGE_ACCESS_KEYS or ROLE_RUNTIME_INSIGHTS

    If successful, the operation will return an API key in the following format:

{
    "id": 123456,
    "customerId": 123456,
    "dateCreated": 1699456696401,
    "lastUpdated": 1699456696401,
    "expirationDate": 1731078961000,
    "name": "<SERVICE_NAME>",
    "systemRole": "<GLOBAL_SERVICE_ROLE>",
    "teamRole": "ROLE_TEAM_NONE",
    "apiKey": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX-XXXX"
}
  1. The value returned for apiKey is the Global Service Account token. Use it as a Bearer token instead of your User API token during Authentication.
`Authorization: Bearer {{apiKey}}`

Available Global Service Accounts Roles

A number of preset global service accounts exist, each with its own set of unique permissions. They include the following:

Runtime Insights

ROLE_RUNTIME_INSIGHTS allows risk spotlight integration. The role contains these permissions:

  • secure.risk-spotlight-integrations.read

Cloud Ingestion - Okta

ROLE_CLOUDINGESTION_OKTA allows cloud ingestion from Okta. The role contains these permissions:

  • cloudingestion-okta-ingest.write

Cloud Ingestion - Github

ROLE_CLOUDINGESTION_GITHUB allows cloud ingestion from Github. The role contains these permissions:

  • cloudingestion-github-ingest.write

Cloud Ingestion - GCP

ROLE_CLOUDINGESTION_GCP allows cloud ingestion from GCP. The role contains these permissions:

  • cloudingestion-gcp-ingest.write

Prometheus Remote Write

ROLE_PROM_REMOTE_WRITE allows ingestion of Prometheus remote write metrics. The role contains these permissions:

  • ingest.prws

Access Keys

ROLE_MANAGE_ACCESS_KEYS allows you to manage access keys. The role contains these permissions:

  • access-keys.read
  • access-keys.edit

Custom Roles

ROLE_MANAGE_CUSTOM_ROLES allows you to manage custom team roles. The role contains these permissions:

  • permissions.read
  • custom-team-roles.read
  • custom-team-roles.create
  • custom-team-roles.update
  • custom-team-roles.delete

Group Mappings

ROLE_MANAGE_GROUP_MAPPINGS allows you to manage group mappings. The role contains these permissions:

  • permissions.read
  • custom-team-roles.read
  • custom-team-roles.create
  • custom-team-roles.update
  • custom-team-roles.delete

Single Sign On Settings

ROLE_MANAGE_SSO_SETTINGS allows you to manage single sign on settings. The role contains these permissions:

  • sso-active.edit
  • sso.config

User Provisioning

ROLE_USER_PROVISONING allows you to manage users and teams. The role contains these permissions:

  • customer-teams.read
  • teams.create
  • teams.edit
  • teams.delete
  • memberships.read
  • memberships.edit
  • memberships-roles.edit
  • users.create
  • users.read
  • users.edit
  • group-mappings.read
  • group-mappings.edit

User and Zone Provisioning

ROLE_USER_ZONE_PROVISIONING allows you to manage users, teams, and zones. The role contains these permissions:

  • customer-teams.read
  • teams.create
  • teams.edit
  • teams.delete
  • memberships.read
  • memberships.edit
  • memberships-roles.edit
  • users.create
  • users.read
  • users.edit
  • group-mappings.read
  • group-mappings.edit
  • zones.read
  • zones.edit