Creating a Service Account

A quick guide on how to create a Service Account using DT Studio or our REST API.

Overview

We will here create a new a new Service Account using either DT Studio or our REST API. Once created, the Service Account is granted membership in the project and provided it a role. Then, a new Key Pair is generated as credentials for interacting with the REST API.

Prerequisites

Service Account Creating, deleting, and interacting with Service Accounts require that your User or existing Service Account has been granted the role of Project Administrator or higher.

New Service Account

The project our new Service Account is created in becomes the owning project. However, this does not provide rights in said project, which must be explicitly granted after creation.

In DT Studio, navigate to your Project. In the left menu, locate Service Accounts and press Create new Service Account. Give it a name and click Add.

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts

A request body is not required and will result in a default configuration. A list of all available parameters can be found in our REST API Reference.

Example Usage

Using cURL with a Service Account for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"displayName": "my-new-service-account", "enableBasicAuth": true}'

Once the package is installed and authenticated as described in the Python API Reference, a new Service Account can be created by calling the following resource method.

disruptive.ServiceAccount.create_service_account()

Example Usage

Using our Python API with Service Account credentials for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.

import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Create a new Service Account in the specified project.
new_sa = dt.ServiceAccount.create_service_account(
    project_id='<PROJECT_ID>',
    display_name='my-new-service-account',
    basic_auth_enabled=True,
)

# Print the newly created Service Account.
print(new_sa)

New Project Membership

Your new Service Account is now active but does not have permissions in any projects. We will now give it membership in the project, including a role and other configurations.

Click on your new Service Account. This will take you to the configuration page, where the following details are presented. Edit as desired.

Service Account Email An automatically generated email is used for both authentication and access rights management in other projects and organizations. This can not be edited.
Role in the current project Controls which permissions are granted in the current project. You can find a list of all permissions per role on our Managing Access Rights page.
Enable Basic Auth The simplest method for authenticating the REST API. While we recommend using an OAuth2 flow, Basic Auth can be handy for quick prototyping and single calls.

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/members

A request body with the following parameters is required.

{
    "roles": [
        "roles/<ROLE>"
        // See [Managing Access Rights] for a list of all roles.
    ],
    "email": "<SERVICE_ACCOUNT_EMAIL>"
}

A list of all available parameters can be found in our REST API Reference.

Example Usage

Using cURL with a Service Account for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'

Once the package is installed and authenticated as described in the Python API Reference, a Service Account can be granted a project role by calling the following resource method.

disruptive.Project.add_member()

The same call exists for an organization under disruptive.Organization.add_member().

Example Usage

Using our Python API with Service Account credentials for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.

import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Grant Service Account membership in the specified project.
member = dt.Project.add_member(
    project_id='<PROJECT_ID>',
    email='<SERVICE_ACCOUNT_EMAIL>',
    roles=[dt.Role.PROJECT_DEVELOPER],
)

# Print the updated member.
print(member)

Generating Keys

The last step is to create a key. Remember that while the generated Key ID will always be listed under your Service Account, the secret will be shown only once, so make sure to write it down.

On your Service Account configuration page, click Create New next to Active Keys. The pop-up dialog contains the newly created Key ID and secret.

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT>/keys

No request body should be provided will the request. However, the response contains both the Key ID and secret. Remember to write the secret down.

{
  "key": {
    "name": "projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys/<KEY_ID>",
    "id": "<KEY_ID>",
    "createTime": "2021-02-16T11:09:16.240828Z"
  },
  "secret": "<SECRET>"
}

Example Usage

Using cURL with a Service Account for authentication, the following example generates a new key for the specified Service Account.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys" \
    --user "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"

Once the package is installed and authenticated as described in the Python API Reference, a new key can be created by calling the following resource method.

disruptive.ServiceAccount.create_key()

Example Usage

Using our Python API with Service Account credentials for authentication, the following example generates a new key for the specified Service Account.

import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Create a new key for the specified Service Account.
key = dt.ServiceAccount.create_key(
    service_account_id='<SERVICE_ACCOUNT_ID>',
    project_id='<PROJECT_ID>'
)

# Print the newly created Service Account key.
print(key)

Using Your Service Account

The Service Account creation is now complete, and you may use it as desired.

Last updated 1 year ago

New Service Account

The project our new Service Account is created in becomes the owning project. However, this does not provide rights in said project, which must be explicitly granted after creation.

In DT Studio, navigate to your Project. In the left menu, locate Service Accounts and press Create new Service Account. Give it a name and click Add.

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts

A request body is not required and will result in a default configuration. A list of all available parameters can be found in our REST API Reference.

Example Usage

Using cURL with a Service Account for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"displayName": "my-new-service-account", "enableBasicAuth": true}'

Once the package is installed and authenticated as described in the Python API Reference, a new Service Account can be created by calling the following resource method.

disruptive.ServiceAccount.create_service_account()

Example Usage

Using our Python API with Service Account credentials for authentication, the following example creates a new Service Account with a given name and Basic Auth enabled.

import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Create a new Service Account in the specified project.
new_sa = dt.ServiceAccount.create_service_account(
    project_id='<PROJECT_ID>',
    display_name='my-new-service-account',
    basic_auth_enabled=True,
)

# Print the newly created Service Account.
print(new_sa)

New Project Membership

Your new Service Account is now active but does not have permissions in any projects. We will now give it membership in the project, including a role and other configurations.

Click on your new Service Account. This will take you to the configuration page, where the following details are presented. Edit as desired.

Service Account Email An automatically generated email is used for both authentication and access rights management in other projects and organizations. This can not be edited.
Role in the current project Controls which permissions are granted in the current project. You can find a list of all permissions per role on our Managing Access Rights page.
Enable Basic Auth The simplest method for authenticating the REST API. While we recommend using an OAuth2 flow, Basic Auth can be handy for quick prototyping and single calls.

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/members

A request body with the following parameters is required.

{
    "roles": [
        "roles/<ROLE>"
        // See [Managing Access Rights] for a list of all roles.
    ],
    "email": "<SERVICE_ACCOUNT_EMAIL>"
}

A list of all available parameters can be found in our REST API Reference.

Example Usage

Using cURL with a Service Account for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'

Once the package is installed and authenticated as described in the Python API Reference, a Service Account can be granted a project role by calling the following resource method.

disruptive.Project.add_member()

The same call exists for an organization under disruptive.Organization.add_member().

Example Usage

Using our Python API with Service Account credentials for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.

import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Grant Service Account membership in the specified project.
member = dt.Project.add_member(
    project_id='<PROJECT_ID>',
    email='<SERVICE_ACCOUNT_EMAIL>',
    roles=[dt.Role.PROJECT_DEVELOPER],
)

# Print the updated member.
print(member)

Generating Keys

The last step is to create a key. Remember that while the generated Key ID will always be listed under your Service Account, the secret will be shown only once, so make sure to write it down.

On your Service Account configuration page, click Create New next to Active Keys. The pop-up dialog contains the newly created Key ID and secret.

Send a POST request to:

https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT>/keys

No request body should be provided will the request. However, the response contains both the Key ID and secret. Remember to write the secret down.

{
  "key": {
    "name": "projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys/<KEY_ID>",
    "id": "<KEY_ID>",
    "createTime": "2021-02-16T11:09:16.240828Z"
  },
  "secret": "<SECRET>"
}

Example Usage

Using cURL with a Service Account for authentication, the following example generates a new key for the specified Service Account.

curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys" \
    --user "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"

Once the package is installed and authenticated as described in the Python API Reference, a new key can be created by calling the following resource method.

disruptive.ServiceAccount.create_key()

Example Usage

Using our Python API with Service Account credentials for authentication, the following example generates a new key for the specified Service Account.

import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Create a new key for the specified Service Account.
key = dt.ServiceAccount.create_key(
    service_account_id='<SERVICE_ACCOUNT_ID>',
    project_id='<PROJECT_ID>'
)

# Print the newly created Service Account key.
print(key)