Creating and managing service accounts
A service account is used by client applications to authenticate to the cloud subscription. Create a service account by generating service credentials.
Before you begin
About this task
- Functional ID
- The functional ID is generated from the alias you specify for
the service account.
Like regular user IDs, you grant functional IDs permissions for the cloud environments that the client applications access and the roles that the applications might need. However, you cannot use these IDs to manually log in to one of the tools in the cloud portal, such as Process Portal. You also cannot use the User Management API to create or delete functional IDs.
- Password
- The password is a randomly generated character string that is
sufficiently long and complex to be considered safe against brute-force
attacks. Passwords never expire. However, for security reasons, consider
changing passwords on a regular basis. Important: When you change a password, all applications automatically lose access rights to the cloud subscription. Plan a password change so that client applications are stopped beforehand and before they are restarted, ensure that they are configured to use the new password.
As an alternative to changing passwords directly in the Access management view, consider rolling over credentials instead.
You decide how many service accounts your subscription needs. For example, several applications might share one account and other applications might have their own accounts.
Procedure
To create a service account, complete the following steps:
What to do next
- Share service credentials across subscriptions
- To share service credentials, use operations provided by the Credentials API. All API calls require the caller to have the Account Administrator role. For more information, see Using service credentials to authenticate client applications.
- Distribute service credentials
- To enable password policies to be easily applied to client applications, your programmers should never hardcode service credentials in their application code. Instead, make the credentials available to the client application environment so that they can be easily accessed by client applications, for example, in a configuration file or credential vault. Ensure that you store and distribute these credentials securely so that they cannot be accessed by third parties. When you change a password, remember to update the credentials resource used by client applications. For information on using the credentials in a client application, see Using service credentials to authenticate client applications.
- Roll over service credentials
- To ensure that applications don’t lose access rights to the cloud subscription when you renew service credentials, keep both the old and new credentials valid for a period of time. Coordinate the length of this overlap period with your programmers so that it reflects the maximum time that all clients in the application environment need to refresh their service credentials.
- Delete service accounts
- You might want to delete a service account that is no longer needed, for example, because you generated a new set of service credentials for the client applications that use the account. Before you delete the account, ensure that the functional ID is not used by any running applications. On the Users page, delete the service account by removing the functional ID.