Creating a Service Account

A quick guide on how to create a Service Account using DT Studio or our REST API.

Overview

We will here create a new a new Service Account using either DT Studio or our REST API. Once created, the Service Account is granted membership in the project and provided it a role. Then, a new Key Pair is generated that can be used as credentials for interacting with the REST API.

Prerequisites

  • Service Account Creating, deleting, and interacting with Service Accounts require that your User or existing Service Account has been granted the role of Project Administrator or higher.

New Service Account

The project our new Service Account is created in becomes the owning project. However, this does not provide rights in said project, which must be explicitly granted after creation.

DT Studio
REST API
DT Studio

In DT Studio, navigate to your Project. In the left menu, locate Service Accounts and press Create new Service Account. Give it a name and click Add.

REST API

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts

A request body is not required and will result in a default configuration. A list of all available parameters can be found in our REST API Reference.

Example Usage

Using cURL with a Service Account for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
-d '{"displayName": "my-new-service-account", "enableBasicAuth": true}'

New Project Membership

Your new Service Account is now active but does not have permissions in any projects. We will now give it membership in the project, including a role and other configurations.

DT Studio
REST API
DT Studio

Click on your new Service Account. This will take you to the configuration page where the following details are presented. Edit as desired.

  • Service Account Email An automatically generated email used for both authentication and access rights management in other projects and organizations. Can not be edited.

  • Role in the current project Controls which permissions are granted in the current project. You can find a list of all permissions per role on our Managing Access Rights page.

  • Enable Basic Auth The simplest method for authenticating the REST API. While we recommend using an OAuth2 flow, Basic Auth can be handy for quick prototyping and single calls.

REST API

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/members

A request body with the following parameters is required.

{
"roles": [
"roles/<ROLE>"
// See [Managing Access Rights] for a list of all roles.
],
"email": "<SERVICE_ACCOUNT_EMAIL>"
}

A list of all available parameters can be found in our REST API Reference.

Example Usage

Using cURL with a Service Account for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
-u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
-d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'

Generating Keys

The last step is to create a key. Remember that while the generated Key ID will always be listed under your Service Account, the secret will be shown only once, so make sure to write it down.

DT Studio
REST API
DT Studio

In your Service Account configuration page, click Create New next to Active Keys. The pop-up dialog contains the newly created Key ID and secret.

REST API

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT>/keys

No request body should be provided will the request. However, the response contains both the Key ID and secret. Remember to write the secret down.

{
"key": {
"name": "projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys/<KEY_ID>",
"id": "<KEY_ID>",
"createTime": "2021-02-16T11:09:16.240828Z"
},
"secret": "<SECRET>"
}

Example Usage

Using cURL with a Service Account for authentication, the following example generates a new key for the specified Service Account.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys" \
--user "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"

Using Your Service Account

The Service Account creation is now complete and you may use it to