How-to: Managing service accounts

Learn how to modify service account settings, manage API keys, and control resource access.

Before you begin

Ensure that:

  • You have the Owner role in your organization
  • You understand how changes may affect automated processes

All of the operations described below take place on the "Service accounts" page in the Cast AI console:

  1. Navigate to Service Accounts

    • Select "Manage organization" at the top of the Cast AI console.

    • In the organization profile view, go to "Access control" > "Service Accounts" in the navigation sidebar on the left-hand side.

Managing API keys

Generate a new API key

  1. Select the service account from the list

  2. Navigate to the "API Keys" tab

  3. Click "Create new API key"

    • Give it a name.

    • Copy and securely store the key, as it won't be shown again.

  You can generate additional keys for the service account later.

Delete an API key

  1. Select the service account from the list

  2. Navigate to the "API Keys" tab

  3. Find the key you want to delete

  4. Click the three dots menu next to the key and select "Delete access key"

  5. Confirm the deletion

🚧

Warning

Deleting an API key:

  • Takes effect immediately after confirmation
  • Cannot be undone
  • Will break any integrations using that key

Alternatively, an API key can be toggled on or off to manage temporary access and functionality.

Adjusting resource access

Resource access of a service account can be configured at both organization and cluster levels at any time.

🚧

Warning

Modifying the resource access of a service account will automatically change the access of any associated API keys.

Adjust access of a service account

  1. Select the service account from the list

  2. Go to the "Access" tab

Give access to a service account

  1. Click "+ Give access" in the Access tab above the resource list

  2. Set access permissions

    • Choose resource access level:

      • Organization: The service account will have access to all resources
      • Specific clusters: Select individual clusters the service account can access
    • Select a role (access scope).

    • Click "Give access".

Modify existing access level

  1. Use the role dropdown next to a resource to change its existing access level

Changes take effect immediately.

📘

Note

When clusters inherit organization-level access, their individual role dropdowns will be disabled. To set cluster-specific roles, you must first configure "Direct" access to clusters.

Revoking access

To revoke a service account's access to specific resources:

  1. Select the service account

  2. Go to the "Access" tab

  3. Click the three dots menu for the resource (whether it's a cluster or an organization)

  4. Select "Revoke access"

  5. Confirm the revocation

Assigning to user groups

Service accounts can be managed through user groups just like regular users. You can add them to existing groups or remove them as needed.

Add to user groups

  1. Select the service account from the list

  2. Navigate to the "User groups" tab

  3. Click "+ Assign to user group"

  4. Select one or more groups from the list

  5. Click "Assign" to confirm

📘

Note

When adding a service account to user groups:

  • It will inherit all permissions from the groups
  • Any API keys associated with the service account will gain access based on group permissions
  • The service account can be a member of multiple groups simultaneously

Remove from user groups

  1. Select the service account from the list

  2. Navigate to the "User groups" tab

  3. Find the group you want to remove the service account from

  4. Click the three dots menu for the user group and select "Remove from the group"

  5. Confirm the removal

🚧

Warning

Removing a service account from a user group:

  • Takes effect immediately
  • May affect access to resources if the account had no direct access configured
  • Will impact any API keys using permissions inherited from the group

Removing a service account

🚧

Warning

Removing a service account:

  • Immediately revokes all access
  • Invalidates all API keys
  • Cannot be undone
  • Will break any integrations using the account

To remove a service account:

  1. Choose the service account from the list

  2. Click the three dots menu next to the chosen service account

  3. Select "Remove service account"

  4. Confirm deletion