Understand service accounts

User accounts and service accounts have different purposes in STACKIT. While both are used to authenticate and authorise actions, a user account is designed for a human user, and a service account is for system services and applications.

A service account is a special account for your applications and services to access STACKIT resources, such as APIs. It’s an identity for a machine, not a person. Use it for automated processes and applications.

Key characteristics and functions of service accounts

A service account lets you grant specific permissions to a service or application without exposing personal credentials. This makes automated workflows more secure and easier to manage. You can create a service account and assign roles and permissions within a STACKIT project in the STACKIT Portal.

• Non-human identity: A service account is not associated with a person.
• Automation: Ideal for automating routine tasks, managing resources, and integrating with different APIs.
• Authentication: Provides a unique identity for an application to be authenticated.
• Authorisation: Configure access controls and permissions so only authorised applications can access specific resources.
• Security: Using service accounts for automated tasks enhances security by avoiding personal user accounts, which may be less secure.
• Role-based access control (RBAC): Like user accounts, service accounts have no access to resources by default. Grant permissions by assigning roles to the service account for specific resources.
• Workload Identity Federation (WIF): WIF let you link a service account to an external OIDC issuer. This mechanism acquires short-lived tokens without static keys.

Authentication methods

Authenticate a service account with a traditional key or through federation.

Workload Identity Federation

You can configure a Federated Identity Provider to trust tokens issued by an external OIDC issuer. This process links a service account to an external OIDC issuer to acquire short-lived tokens without static keys. When creating a Federated Identity Provider, explicitly define who you trust from the external OIDC issuer.

Define two main elements: the issuer URL and a set of assertions. Tokens from the external issuer are accepted only when the issuer URL matches the exact iss value in the tokens and all assertion conditions are met. Assertions define required behaviour or claims within the external token, specifying an item (for example, subject or audience), an operator (currently equality), and a value. For example, assertions might require the subject to EQUALS shop-api AND the audience to EQUALS clients.

Service account keys

Alternatively, a service account key is a credential you use to authenticate with STACKIT using the key flow. When you create a key for your service account in the STACKIT Portal, the system can generate an RSA key pair for you, or you can provide your own.

A service account key’s private key is highly sensitive—treat it like a password for your application. If a malicious actor gets a private key, they can access all resources the service account is allowed to access. You are responsible for keeping private keys secure. Never embed them in source code or binaries.

Service account roles and permissions matrix

Expand

Lowest scope	Name	Description	Permissions
Project	Service Account Admin	Allows managing Service Accounts. This includes creating, listing, getting, and deleting service accounts. Since service accounts cannot be removed via soft-deletion, roles that include the iam.service-account.delete permission should be assigned with particular caution.	iam.service-account.create iam.service-account.delete iam.service-account.get iam.service-account.list resource-manager.project.get
Project	Service Account Creator	Allows creating Service Accounts.	iam.service-account.create iam.service-account.get iam.service-account.list resource-manager.project.get
Project	Service Account Deleter	Allows the permanent deletion of Service Accounts. Caution: Service Accounts are removed immediately and definitively, as no soft-deletion is available.	iam.service-account.delete iam.service-account.get iam.service-account.list resource-manager.project.get
Project	Service Account Key Admin	Allows managing Service Account Keys.	iam.service-account-key.create iam.service-account-key.delete iam.service-account-key.edit iam.service-account-key.get iam.service-account-key.list iam.service-account.get iam.service-account.list resource-manager.project.get
Project	Service Account Access Token Admin	Allows managing Service Account Access Tokens. Note: Since Service Account Access Tokens will be deprecated on December 16, 2025, this role will also be deprecated and removed by the end of Q2/2026.	iam.service-account-token.create iam.service-account-token.list iam.service-account-token.delete iam.service-account.get iam.service-account.list resource-manager.project.get
Project	Service Account User	Allows assigning Service Accounts to workloads (e.g., virtual machines).	iam.service-account.get iam.service-account.list iam.service-account.act-as resource-manager.project.get
Project	Service Account Reader	Allows listing and getting Service Accounts, as well as the associated Service Account Access Tokens and Service Account Keys.	iam.service-account.get iam.service-account.list iam.service-account-key.get iam.service-account-key.list iam.service-account-token.list resource-manager.project.get