Version: 24.07.01

Service Account

A service account is a specialized type of identity account used by services, applications, and automated processes to interact with PDS APIs in a secure and controlled manner.

Advantages of service accounts

Service accounts are used by applications and systems to access resources and perform tasks. A service account is used as follows:

  • Authentication: Service accounts authenticate themselves using API keys, tokens, or other credentials.
  • Authorization: Service accounts are authorized to access specific resources or perform certain actions based on defined permissions.
  • Interactions: Service accounts interact with other services or APIs to perform tasks, retrieve data, or update resources.
  • Secure communication: Service accounts use JSON Web Tokens (JWT) together with Transport Layer Security (TLS) to communicate with other services.

Service accounts are important for establishing robust safeguards for service and API key access in the following ways:

Enhanced security

  • Reduced attack surface: When services use dedicated service accounts, it reduces the attack surface compared to sharing a common user account. Breaching a single service account does not automatically grant access to other systems, as each account has its own set of permissions.
  • Credential management: Service accounts use secure credentials, such as API keys, tokens, or certificates, which are typically stored and managed securely. This reduces the risk of credentials being exposed and used maliciously.

Audit and monitoring

Service accounts make it easier to audit and monitor activities. Each service account's actions are logged separately, providing detailed visibility into who or what is performing which operations. This is crucial for compliance and security monitoring.

Simplified revocation and rotation

  • Revocation: When a service or application no longer requires access to specific resources, its service account can be easily revoked, rendering the associated credentials useless. This is more efficient and secure than having to change the credentials of a shared user account.
  • Rotation: Service account credentials can be regularly rotated for security reasons. Automated processes make it easier to update and manage these credentials in an organized manner.

API access control

Service accounts often come with access controls that allow organizations to specify which APIs or endpoints they can access. This ensures that the service account can interact only with the necessary parts of a system.

Create a service account

To create a service account:

Use the Service account API to create a service account, which represents a specific application or service that requires controlled access.

Use the following endpoint to create a service account for a specific tenant resource:

/core/v1/tenants/{tenantId}/serviceAccounts

This is the URL endpoint to which you send an HTTP request to create a service account. Replace the {tenantId} placeholder in the URL with the actual identifier of the tenant for which you want to create the service account. For example, if the tenant ID is 123, the URL would be /core/v1/tenants/123/serviceAccounts.

The request body is a JSON object containing details about the service account you want to create:

{
  "description": "string",
  "enabled": true,
  "name": "string"
}

where:

  • description (string): A brief explanation of the service account. It helps provide context for what this service account is for.
  • enabled (boolean): Indicates whether the service account is enabled or not. If set to true, it means the service account is active and can be used for its intended purpose. If set to false, it may be temporarily disabled without deleting it, which can be useful for managing access.
  • name (string): Specifies the name of the service account. It can be a unique identifier for the service account and can be used to reference or identify it within your system.

Generate access token from service account

To generate an access token from a service account:

Using the client ID and client token associated with the service account, generate a JWT. This token is then used to authenticate the service account.

Use the following endpoint to generate a JWT (JSON Web Token) for a service account:

/core/v1/tenants/{tenantId}:getToken

This is the URL endpoint to which you send an HTTP request to generate a JWT for a service account. The endpoint is designed specifically for creating tokens: apart from the {tenantId} placeholder, it does not require a dynamic identifier (for example, a user or account ID) in the URL; the service account is identified by the credentials in the request body.

The request body is a JSON object that contains the details necessary to generate the JWT token:

{
  "client_id": "string",
  "client_token": "string"
}

where:

  • client_id (string): The unique client identifier or ID associated with the service account for which you want to generate a JWT token. This identifier is used to link the token to a specific service account.
  • client_token (string): A secret or key associated with the service account. It serves as a shared secret between the client (in this case, the service account) and the authentication system generating the JWT token. The client token is used to sign the token, ensuring its authenticity and integrity.

The JWT token can be used by the service account to authenticate itself with other services or APIs that recognize and validate JWT tokens.
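As an added example (not PDS's own client code), the following Python puts the two calls above together: it builds the create and getToken requests, sends them over TLS only, and reads the JWT's exp claim so the caller can refresh the token before it lapses. The POST method, the base URL pds.example.com, and the response field names client_id, client_token and token are assumptions; the page does not state them.

```python
"""Added example, not PDS's own client. Assumed: both endpoints take POST with a
JSON body; BASE_URL and the response fields client_id/client_token/token are
hypothetical."""
import base64
import json
import urllib.request
from urllib.parse import quote

BASE_URL = "https://pds.example.com"  # hypothetical base URL (assumption)

def create_account_request(tenant_id, name, description, enabled=True):
    """URL and body for POST /core/v1/tenants/{tenantId}/serviceAccounts."""
    url = f"{BASE_URL}/core/v1/tenants/{quote(tenant_id, safe='')}/serviceAccounts"
    return url, {"name": name, "description": description, "enabled": enabled}

def get_token_request(tenant_id, client_id, client_token):
    """URL and body for POST /core/v1/tenants/{tenantId}:getToken."""
    url = f"{BASE_URL}/core/v1/tenants/{quote(tenant_id, safe='')}:getToken"
    return url, {"client_id": client_id, "client_token": client_token}

def post_json(url, body, headers=None):
    """JSON POST over TLS only, so client_token and the JWT never travel in clear."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for key, value in (headers or {}).items():  # e.g. {"Authorization": "Bearer <jwt>"}
        req.add_header(key, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def jwt_expiry(token):
    """Read the 'exp' claim of a compact JWT to plan a refresh before it lapses.
    Decodes only; verifying the signature is the API server's job, not the client's."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def needs_refresh(token, now, margin=60):
    """True when the token expires within `margin` seconds of `now` (epoch seconds)."""
    return jwt_expiry(token) - now <= margin

def provision_and_login(tenant_id, name, description):
    """Create the account, then exchange its credentials for a JWT (needs network)."""
    url, body = create_account_request(tenant_id, name, description)
    created = post_json(url, body)  # assumes the response returns client_id/client_token
    url, body = get_token_request(tenant_id, created["client_id"], created["client_token"])
    return post_json(url, body)["token"]
```

Store the returned client_token in a secrets manager rather than in code or logs, and call needs_refresh before each use so a long-running job re-authenticates instead of failing mid-run.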

Best practices

When working with service accounts, consider these best practices:

  • Follow the principle of least privilege: Grant the minimum permissions necessary for the service to perform its tasks.
  • Securely store and manage service account credentials to prevent unauthorized access.
  • Implement logging and auditing to track service account activities for security and compliance.
  • Use secure communication protocols like HTTPS to protect credentials and data in transit.
  • Regularly review and update permissions to ensure they remain aligned with the service's requirements.
  • Rotate service account credentials periodically for improved security.
  • Educate your team on security best practices and the use of service accounts.

Service accounts play a critical role in modern application development and security, enabling secure, automated, and controlled interactions between services and components. Understanding and implementing best practices is essential for maintaining a robust and secure system.

User account versus user API keys versus service account

  • User account: User accounts represent individual users and their access permissions. They are associated with human-readable usernames, passwords, and sometimes additional information such as email addresses and roles.
  • User API keys: These are typically associated with user accounts and grant access based on the user's permissions. User API keys are used for user-specific tasks and are tied to a specific user account.
  • Service account: Service accounts represent applications, services, or components. They are used for programmatic access to resources and are typically associated with API keys or tokens. Service accounts lack the human-specific attributes of user accounts and are designed for machine-to-machine communication.