Creating a Service Account

A quick guide on how to create a Service Account using DT Studio or our REST API.
Overview
We will here create a new a new Service Account using either DT Studio or our REST API. Once created, the Service Account is granted membership in the project and provided it a role. Then, a new Key Pair is generated as credentials for interacting with the REST API.
Prerequisites
Service Account
Creating, deleting, and interacting with Service Accounts require that your User or existing Service Account has been granted the role of Project Administrator or higher.
New Service Account
The project our new Service Account is created in becomes the owning project. However, this does not provide rights in said project, which must be explicitly granted after creation.
DT Studio
REST API
Python API
In DT Studio, navigate to your Project. In the left menu, locate Service Accounts and press Create new Service Account. Give it a name and click Add.
Send a POST request to:
https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts
A request body is not required and will result in a default configuration. A list of all available parameters can be found in our REST API Reference.
Example Usage
Using cURL with a Service Account for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"displayName": "my-new-service-account", "enableBasicAuth": true}'
Once the package is installed and authenticated as described in the Python API Reference, a new Service Account can be created by calling the following resource method.
​disruptive.ServiceAccount.create_service_account()​
Example Usage
Using our Python API with Service Account credentials for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.
import disruptive as dt
​
# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)
​
# Create a new Service Account in the specified project.
new_sa = dt.ServiceAccount.create_service_account(
    project_id='<PROJECT_ID>',
    display_name='my-new-service-account',
    basic_auth_enabled=True,
)
​
# Print the newly created Service Account.
print(new_sa)
New Project Membership
Your new Service Account is now active but does not have permissions in any projects. We will now give it membership in the project, including a role and other configurations.
DT Studio
REST API
Python API
Click on your new Service Account. This will take you to the configuration page, where the following details are presented. Edit as desired.
Service Account Email
An automatically generated email is used for both authentication and access rights management in other projects and organizations. This can not be edited.
Role in the current project
Controls which permissions are granted in the current project. You can find a list of all permissions per role on our Managing Access Rights page.
Enable Basic Auth
The simplest method for authenticating the REST API. While we recommend using an OAuth2 flow, Basic Auth can be handy for quick prototyping and single calls.
Send a POST request to:
https://api.d21s.com/v2/projects/<PROJECT_ID>/members
A request body with the following parameters is required.
{
    "roles": [
        "roles/<ROLE>"
        // See [Managing Access Rights] for a list of all roles.
    ],
    "email": "<SERVICE_ACCOUNT_EMAIL>"
}
A list of all available parameters can be found in our REST API Reference.
Example Usage
Using cURL with a Service Account for authentication, the following example grants the role of Project Developer to a Service Account specified by its email. 
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'
Once the package is installed and authenticated as described in the Python API Reference, a Service Account can be granted a project role by calling the following resource method.
​disruptive.Project.add_member()​
The same call exists for an organization under disruptive.Organization.add_member().
Example Usage
Using our Python API with Service Account credentials for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.
import disruptive as dt
​
# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)
​
# Grant Service Account membership in the specified project.
member = dt.Project.add_member(
    project_id='<PROJECT_ID>',
    email='<SERVICE_ACCOUNT_EMAIL>',
    roles=[dt.Role.PROJECT_DEVELOPER],
)
​
# Print the updated member.
print(member)
Generating Keys
The last step is to create a key. Remember that while the generated Key ID will always be listed under your Service Account, the secret will be shown only once, so make sure to write it down.
DT Studio
REST API
Python API
On your Service Account configuration page, click Create New next to Active Keys. The pop-up dialog contains the newly created Key ID and secret.
Send a POST request to:
https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT>/keys
No request body should be provided will the request. However, the response contains both the Key ID and secret. Remember to write the secret down.
{
  "key": {
    "name": "projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys/<KEY_ID>",
    "id": "<KEY_ID>",
    "createTime": "2021-02-16T11:09:16.240828Z"
  },
  "secret": "<SECRET>"
}
Example Usage
Using cURL with a Service Account for authentication, the following example generates a new key for the specified Service Account.
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys" \
    --user "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"
Once the package is installed and authenticated as described in the Python API Reference, a new key can be created by calling the following resource method.
​disruptive.ServiceAccount.create_key()​
Example Usage
Using our Python API with Service Account credentials for authentication, the following example generates a new key for the specified Service Account.
import disruptive as dt
​
# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)
​
# Create a new key for the specified Service Account.
key = dt.ServiceAccount.create_key(
    service_account_id='<SERVICE_ACCOUNT_ID>',
    project_id='<PROJECT_ID>'
)
​
# Print the newly created Service Account key.
print(key)
​
Using Your Service Account
The Service Account creation is now complete, and you may use it as desired.
​Manage Access Rights in your organization.
​Explore the REST API using cURL.
​Authenticate the REST API with OAuth2.
Service Accounts - Previous
Introduction to Service Accounts
Next - Service Accounts
Managing Access Rights
Last modified 2yr ago