Manage service accounts
Create a service account for programmatic access only to Firebolt. Service accounts can be linked to users, instead of logins which provide full access. For each service account, a secret is generated to use for authentication. You can add, edit, delete and generate secrets for service accounts using SQL or in the UI.
To view all users, click Govern to open the govern space, then choose Service Accounts from the menu, or query the information_schema.service_accounts view.
Managing service accounts requires the org_admin role.
Creating a service account
SQL
To create a service account using SQL, use the CREATE SERVICE ACCOUNT statement. For example:
CREATE SERVICE ACCOUNT IF NOT EXISTS "sa1" WITH DESCRIPTION = "service account 1";
UI
To create a service account via the UI:
- Click Configure to open the configure space, then choose Service accounts from the menu.
- From the Service accounts page, choose Create a service account.
- Enter a unique name for your service account. This name must start with a letter, and may contain only alphanumeric characters, or the underscore(_) character.
- Optionally, you can:
- Choose a network policy to apply from the list of existing network policies configured for your organization.
- Specify a description for the service account.
- Choose Create.
Generating a secret for a service account
A service account secret is used to generate an access token for accessing Firebolt API programmatically with the service account.
SQL
To generate a secret for a service account using SQL, use the CALL fb_GENERATESERVICEACCOUNTKEY(`<name>`) statement, where <name> is the name of the service account. The command returns both the service account ID and secret. For example:
CALL fb_GENERATESERVICEACCOUNTKEY('sa1')
UI
To generate a secret for a service account via the UI:
- Click Configure to open the configure space, then choose Service accounts from the menu.
- Search for the relevant service account using the top search filters, or by scrolling through the list of service accounts. Hover over the right-most column to make the service account menu appear, then choose Create a new secret.
- The **New secret for service account” menu with the newly generated secret will appear.
Make a note of the secret once generated - it can’t be retrieved later. If the secret is lost (or needs to be rotated), you can always generate a new secret, calling the same generation function, or by creating a new secret in the UI.
Generating a new secret for your service account user replaces any previous secret (which cannot be used once a new one is generated). Make a note of the secret and keep it in a secured location.
Authenticate with a service account via the REST API
- Create a service account with the
IS_ORGANIZATION_ADMINproperty set toTRUEusing either the UI or SQL. - Obtain the service account ID and secret.
- Create a user and assign desired roles for the service account. Link the service account with this created user.
- Authenticate using the service account via Firebolt’s REST API, send the following request to receive an authentication token:
curl -X POST --location 'https://id.app.firebolt.io/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'audience=https://api.firebolt.io' \
--data-urlencode "client_id=${service_account_id}" \
--data-urlencode "client_secret=${service_account_secret}"
Response: # ignore Response
{
"access_token":"eyJz93a...k4laUWw",
"token_type":"Bearer",
"expires_in":86400
}
where:
| Property | Data type | Description |
|---|---|---|
| service account id | TEXT | The service account ID (created here). |
| service account secret | TEXT | The service account secret (generated here). |
Use the returned access_token to authenticate with Firebolt.
Editing a service account
SQL
To edit a service account using SQL, use the ALTER SERVICE ACCOUNT statement. For example:
ALTER SERVICE ACCOUNT sa1 SET NETWORK_POLICY = my_network_policy
or:
ALTER SERVICE ACCOUNT sa1 SET IS_ORGANIZATION_ADMIN = true
UI
To edit a service account via the UI:
- Click Configure to open the configure space, then choose Service accounts from the menu.
- Search for the relevant service account using the top search filters, or by scrolling through the list of service accounts. Hover over the right-most column to make the service account menu appear, then choose Edit service account.
- Edit the desired fields and choose Save.
Deleting a service account
SQL
To delete a service account using SQL, use the DROP SERVICE ACCOUNT statement. For example:
DROP SERVICE ACCOUNT sa1;
UI
To delete a service account via the UI:
- Click Configure to open the configure space, then choose Service accounts from the menu.
- Search for the relevant service account using the top search filters, or by scrolling through the list of service accounts. Hover over the right-most column to make the service account menu appear, then choose Delete service account.
If the service account is linked to any users, deletion will not be permitted. The service account must be unlinked from all users before deletion.