Managing service accounts

Commercial & Enterprise

AI Hub supports creating service accounts, which are AI Hub accounts not tied to a particular member and used only for interacting with the AI Hub API and SDK. Service accounts can be added to groups and workspaces and assigned roles just like a standard member account. Service accounts are commonly used for programmatic interactions, such as triggering runs as part of a continuous development pipeline or performing automated tasks on a set schedule.

Adding service accounts

Organization admins can create any number of service accounts.

  1. In the header, click the initials icon and select Settings.

  2. Click Members, then select the Service accounts tab.

  3. Click Add service account.

  4. Add a display name for the service account, reflecting the account’s intended usage.

  5. Select an organization role.

  6. Click Create.

  7. Add the account’s first OAuth token or click Skip.

    1. Enter a name and description for the token. Use the description to note the token’s purpose or intended usage.

    2. Select or define a custom expiration date for the token. The default setting is Never expires.

    3. Click Add.

    4. Copy the token. After closing the create token dialog, the token’s value is encrypted and can’t be copied again.

What's next

After creating a service account, you want to ensure it can access the appropriate resources. Like any other organization member, service accounts must be granted access to organization resources. For example, if you want a service account to be able to run a given deployment, it must have access to the workspace where that deployment was created. Next steps might include:

  • Add the service account to shared workspaces and assigning workspace roles. Only the service account’s organization role is managed from the service accounts tab.

  • Add the service account to groups, if using groups to manage workspace access.

  • Ensure any apps you want the service account to run are shared with the organization.

Managing service account tokens

From a service account’s details page, you can manage its OAuth tokens.

Adding OAuth tokens

One service account can have multiple OAuth tokens. Consider using one token per programmatic interaction for fine-grained controls. All OAuth tokens created for a service account share the same role-based access.

  1. In the header, click the initials icon and select Settings.

  2. Click Members, then select the Service accounts tab.

  3. In the service accounts list, select the service account.

  4. Click Add token.

  5. Enter a name and description for the token. Use the description to note the token’s purpose or intended usage.

  6. Select or define a custom expiration date for the token. The default setting is Never expires.

  7. Click Add.

  8. Copy the token. After closing the create token dialog, the token’s value is encrypted and can’t be copied again.

Refreshing tokens

You can refresh a token as needed. Refreshing a token updates its value.

  1. In the header, click the initials icon and select Settings.

  2. Click Members, then select the Service accounts tab.

  3. In the service accounts list, select the service account.

  4. In the OAuth tokens table, click the refresh icon Icon of two circling arrows. of the token to refresh.

  5. Select or define a custom expiration date for the token. The default setting is Never expires.

  6. Click Refresh token.

  7. Copy the token. After closing the refresh token dialog, the token’s value is encrypted and can’t be copied again.

Deleting tokens

If a token is no longer needed or you wish to revoke the access it grants, you can delete it.

  1. In the header, click the initials icon and select Settings.

  2. Click Members, then select the Service accounts tab.

  3. In the service accounts list, select the service account.

  4. In the OAuth tokens table, click the delete icon Icon of a trash can. of the token to delete.

  5. Enter the confirmation text and click Delete token.

To delete all tokens, click More above the OAuth tokens table, then select Delete all tokens.

Disabling service accounts

Disabling a service account lets you revoke the account’s access and permissions without also removing the account from any groups or workspaces to which it was added. When disabling a service account, all OAuth tokens associated with the account are permanently deleted. You can re-enable service accounts later, though previously created API tokens aren’t restored.

  1. In the header, click the initials icon and select Settings.

  2. Click Members, then select the Service accounts tab.

  3. In the service accounts list, click the overflow icon Icon with three stacked vertical dots. of the account to disable, then select Disable.

  4. Click Disable to confirm.

You can enable previously disabled service accounts. In the service accounts list, click the overflow icon of the service account, then select Enable.

Deleting service accounts

Deleting a service account permanently deletes the account and all associated tokens.

  1. In the header, click the initials icon and select Settings.

  2. Click Members, then select the Service accounts tab.

  3. In the service accounts list, click the overflow icon Icon with three stacked vertical dots. of the account to disable, then select Delete service account.

  4. Click Remove to confirm.

Was this page helpful?