Understand service accounts
User accounts and service accounts have different purposes in STACKIT. While both are used to authenticate and authorize actions, a user account is designed for a human user, while a service account is for system services and applications.
Key characteristics and functions of service accounts
A service account lets you grant specific permissions to a service or application without exposing your personal credentials. This makes your automated workflows more secure and easier to manage. You can create a service account and give it roles and permissions within a STACKIT project through the STACKIT Portal.
- Non-human identity: A service account is not associated with a person.
- Automation: They are ideal for automating routine tasks, managing resources, and integrating with different APIs.
- Authentication: A service account provides a unique identity under which an application authenticates.
- Authorization: Access controls and permissions can be set for a service account to ensure only authorized applications can access specific resources.
- Security: Using service accounts for automated tasks keeps personal user accounts and their credentials out of scripts and pipelines. A personal account usually carries far broader permissions than a single task needs, and its credentials cannot be rotated or revoked without affecting the person, whereas a service account can be scoped to exactly what the workload requires.
- Role-Based Access Control (RBAC): Like user accounts, service accounts have no access to resources by default. Permissions are granted by assigning roles to the service account for specific resources.
Service account keys
A service account key is a credential you use to authenticate with STACKIT using the Key flow. When you create a key for your service account in the STACKIT Portal, the system can either generate an RSA key pair for you or you can provide your own.
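The following Go program is an added example, not STACKIT's own code or the STACKIT SDK. It shows the "provide your own key" variant of the Key flow end to end on a single machine: the RSA pair is generated locally, only the public key (as PEM) is what you would upload in the Portal, and the private key signs a short-lived JWT assertion that a token endpoint verifies against the uploaded public key. The claim names, the RS256 algorithm, the JWT bearer grant type and the placeholder key ID, issuer and audience follow the generic RFC 7523 pattern and are assumptions; take the real values from the key file the Portal gives you.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// KeyFlowConfig: what a client needs to build the assertion. Field meanings follow
// the generic JWT bearer grant (RFC 7523); the values used below are placeholders.
type KeyFlowConfig struct {
	KeyID    string // JWT "kid": tells the server which uploaded public key to verify with
	Issuer   string // "iss" and "sub": the service account identity (assumed form)
	Audience string // "aud": the token endpoint the assertion is meant for (assumed)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKeyPair generates the RSA pair on the client. Only publicPEM is uploaded to the
// STACKIT Portal; the private key never leaves the host.
func NewKeyPair(bits int) (priv *rsa.PrivateKey, publicPEM string, err error) {
	if priv, err = rsa.GenerateKey(rand.Reader, bits); err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, "", err
	}
	return priv, string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// SignAssertion builds the JWT presented to the token endpoint: a short-lived,
// single-use (jti) statement of identity signed with the private key (RS256).
func SignAssertion(cfg KeyFlowConfig, priv *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": cfg.KeyID})
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": cfg.Issuer, "sub": cfg.Issuer, "aud": cfg.Audience,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(), "jti": b64url(nonce),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAssertion mirrors what the token endpoint does with the uploaded public key.
// The algorithm is pinned to RS256 instead of being read from the header, so an
// "alg":"none" or HS256 token cannot downgrade the check. Returns the kid on success.
func VerifyAssertion(token string, pub *rsa.PublicKey, audience string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	var hdr struct{ Alg, Kid string }
	var claims struct{ Aud string; Exp int64 }
	hb, _ := base64.RawURLEncoding.DecodeString(parts[0])
	cb, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return "", errors.New("malformed JWT")
	}
	if hdr.Alg != "RS256" || claims.Aud != audience || now.Unix() >= claims.Exp {
		return "", errors.New("alg, audience or expiry check failed")
	}
	return hdr.Kid, nil
}

// TokenRequestBody is the form body a client POSTs to the token endpoint
// (grant type as in RFC 7523; assumed to match the Key flow).
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

func main() {
	priv, pubPEM, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	cfg := KeyFlowConfig{KeyID: "example-kid", Issuer: "sa@example.invalid", Audience: "https://example.invalid/token"}
	tok, _ := SignAssertion(cfg, priv, time.Now(), 5*time.Minute)
	kid, err := VerifyAssertion(tok, &priv.PublicKey, cfg.Audience, time.Now())
	fmt.Printf("upload to portal:\n%sverified kid=%q err=%v\nbody: %.60s...\n", pubPEM, kid, err, TokenRequestBody(tok))
}
```

Two points matter in practice: keep the assertion lifetime to minutes (the verifier rejects anything at or past `exp`), and treat the private key like a password, since anyone holding it can mint assertions for that service account until the key is deleted in the Portal.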
Service account roles and permissions matrix
| Lowest Scope | Name | Description | Permissions |
|---|---|---|---|
| Project | Service Account Admin | This role allows managing Service Accounts. This includes creating, listing, getting, and deleting service accounts. Since service accounts cannot be removed via soft-deletion, roles that include the iam.service-account.delete permission should be assigned with particular caution. | |
| Project | Service Account Creator | This role allows creating Service Accounts. | |
| Project | Service Account Deleter | This role allows the permanent deletion of Service Accounts. Caution: Service Accounts are removed immediately and definitively, as no soft-deletion is available. | |
| Project | Service Account Key Admin | This role allows managing Service Account Keys. | |
| Project | Service Account Access Token Admin | This role allows managing Service Account Access Tokens. Note: Since Service Account Access Tokens will be deprecated on December 16, 2025, this role will also be deprecated and removed by the end of Q2/2026. | |
| Project | Service Account User | This role allows assigning Service Accounts to workloads (e.g., virtual machines). | |
| Project | Service Account Reader | This role allows listing and getting Service Accounts, as well as the associated Service Account Access Tokens and Service Account Keys. | |