Service Accounts

Note

This feature is currently in private preview. Please open a support request to have this feature enabled in your tenant.

Service accounts are non-interactive user accounts that are not tied to a human user or email address. They can participate in RBAC (similar to users) and inherit permissions based on the groups they belong to and any direct permissions granted to the user account.

You can create API tokens for service accounts and use them for bearer authentication to interact with the Observe APIs.

Together service accounts and service account API tokens enable:

  • Machine to Machine communication for automated scripts, applications, terraform etc

  • Scoped access controls to allow principle of least privilege

  • Ability to periodically rotate tokens for increased security

Usage

Service accounts can currently be created only via the API. The APIs are documented in the Observe API Reference

Prerequisites:

  • Only admins or users with the service account edit permission can manage service accounts and service account tokens.

  • Thus you will need to first obtain an API token with relevant permissions to manage service accounts and tokens:

Create service account

Example request

curl -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer 123456789012 <API_TOKEN>' \
  https://123456789012.observeinc.com/v1/service-accounts \
  -d '{"label":"Test Account"}'

Example response

{"id":"1234","label":"Test Account","disabled":false,...}

View service account

Once created, you can manage the accounts under Workspace settings > Users.

To view using the API:

curl https://123456789012.observeinc.com/v1/service-accounts/1234 \
  -H 'Authorization: Bearer 123456789012 <API_TOKEN>'

Configure RBAC for the service account

By default service accounts will be added to the “Everyone” RBAC group and will have the minimum configured workspace default permissions. Reach out to an admin to configure relevant permissions for the service account.

Create service account token

Example request

curl https://123456789012.observeinc.com/v1/service-accounts/1234/api-tokens \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer 123456789012 <API_TOKEN>' \
  -d '{"label":"app-automation", "lifetimeHours":24}'

Example response

{
  "id": "id-c9eiosswbY7-F2Rrb",
  "disabled": false,
  "expiration": "2025-08-18T23:33:59Z",
  "label": "app-automation",
  "secret": "banjaXOWnG7xzsPBxZU6IS_QGhqim4uc",
  ...
}

The token secret can only be viewed once on creation. Tokens do not automatically renew on use and will expire after the configured lifetime.

Disable service account token

Once created, you can manage the tokens under Workspace settings > Authtokens.

Example request:

curl https://123456789012.observeinc.com/v1/service-accounts/1234/api-tokens/id-c9eiosswbY7-F2Rrb \
  --request PATCH \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer 123456789012 <API_TOKEN>' \
  -d '{"disabled": true}'