- 08 Sep 2024
Managing Service Accounts
- Updated on 08 Sep 2024
Use the Service Accounts page in System Settings to manage accounts that only connect to the system using the REST API. See Axonius REST API and Python API Client for more about using the Axonius REST API.
You can generate the API key and API secret, and assign roles.
To access the Service Accounts page:
- From the top right corner of any page, click . The System Settings page opens.
- In the Categories/Subcategories pane of the System Settings page, expand User and Role Management, and select Service Accounts.
You can find the following information on the Service Accounts table:
- Service Account Name - The name of the Service Account.
- Description (optional) – Description of what the user can do.
- Role – The role that defines what this API user can do. Only roles with API Access permission may be associated with a Service Account.
- IP Range - The IP address ranges (in CIDR notation) that the account is authorized to use when accessing the API.
- Data Scope - The Data Scope assigned to the Service Account.
- API Key – The API key generated by the system for this user.
- Key Creation Time – The time that the key was created. This parameter is useful to renew the key according to your organization’s policy.
- Last Used – The date and time that the account was last used. The timestamp is updated for every action that the Service Account performs in the system. If the user never logged in, the value is 'Never'.
- Last Updated - The date and time that the account was last updated.
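The Key Creation Time, Last Used and IP Range columns can drive a periodic review of Service Accounts. The following is an added example, not Axonius code: the rows, field names, role names, ISO 8601 timestamp format and the 90-day and 60-day thresholds are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows that mirror the table's columns (not real accounts).
# Assumption: timestamps were exported as ISO 8601 strings in UTC.
SAMPLE_ACCOUNTS = [
    {"name": "svc-siem-export", "role": "Viewer", "ip_range": "10.20.0.0/24",
     "key_created": "2024-08-20T09:00:00+00:00", "last_used": "2024-09-07T23:10:00+00:00"},
    {"name": "svc-legacy-report", "role": "Admin", "ip_range": "",
     "key_created": "2023-01-15T12:00:00+00:00", "last_used": "2024-02-01T08:00:00+00:00"},
    {"name": "svc-poc", "role": "Viewer", "ip_range": "192.168.20.0/24",
     "key_created": "2024-03-01T10:00:00+00:00", "last_used": "Never"},
]

def audit_accounts(rows, now, max_key_age_days=90, idle_days=60):
    """Return (account name, finding) pairs for rows that need attention."""
    findings = []
    for row in rows:
        name = row["name"]
        # Key Creation Time: flag keys older than the rotation policy.
        key_age = now - datetime.fromisoformat(row["key_created"])
        if key_age > timedelta(days=max_key_age_days):
            findings.append((name, f"key is {key_age.days} days old, rotate it"))
        # Last Used: 'Never' means the key was issued but never exercised.
        if row["last_used"] == "Never":
            findings.append((name, "never used, confirm it is still needed"))
        elif now - datetime.fromisoformat(row["last_used"]) > timedelta(days=idle_days):
            findings.append((name, "idle, candidate for deletion"))
        # IP Range is optional, so an empty value means no source restriction.
        if not row["ip_range"].strip():
            findings.append((name, "no IP range restriction"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, datetime.now(timezone.utc)):
        print(f"{name}: {finding}")
```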
Creating a Service Account
To create a Service Account:
- Click Add Service Account. The New Service Account drawer opens.
- Type a Service account name. This name for the service account is mandatory and should not be changed once you set it.
- Type a Service account description (optional) that describes what the Service Account does in the system.
- Select a Role that defines what this Service Account can do. Only roles with API access permissions are available.
- Select a Main Data Scope to which this Service Account will have access. Data Scopes determine what data, dashboards, queries, and other objects the Service Account can see. API requests sent using the Service Account can only apply to the assets and information within this Data Scope. This helps to control what a specific account can access with the API. See Data Scope Management for more information on Data Scopes. The Data Scope name appears in the Data Scope column on the Service Accounts page. Admin users are automatically assigned the Global Data Scope.
- Enter one or more IP Address Ranges (optional) that the account is authorized to use when accessing the system via API. The address range must be in CIDR notation: a.b.c.d/y, where a.b.c.d is the first IP address and /y is the prefix length that identifies the range. For example: 192.168.20.0/24,192.168.10.3/24. This provides extra validation that service accounts are accessed via REST API calls only from known IP addresses.
- Click Save. The API Key and API Secret that allow the Service Account to access the API are generated and displayed.
The API Secret for the Service Account is not saved anywhere on the Axonius system and cannot be recovered, so you must copy it when it is displayed. Click to copy the API Secret and save it in a safe place, or manage it using a key management system.
- Click Close. The new Service Account is created and is now displayed on the Service Accounts page. Details about the Service Account can be found under Optional details in the Service Account's details drawer.
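Before pasting a value into the IP Address Ranges field, it helps to see exactly which addresses each entry covers. The following is an added example, not Axonius code: it uses Python's standard `ipaddress` module, the function names and the `MIN_PREFIX` thresholds are assumptions, and it shows how a standard CIDR parser reads the entries (the page does not state how Axonius treats an entry with host bits set, such as 192.168.10.3/24).

```python
import ipaddress

# Assumed review thresholds: anything wider than these is reported as broad.
MIN_PREFIX = {4: 16, 6: 48}

def parse_ip_ranges(field):
    """Parse a comma-separated IP Address Ranges value.

    Returns (networks, warnings). Entries with host bits set are normalized
    to their network address and reported so the covered range is explicit.
    """
    networks, warnings = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # strict=False masks the host bits instead of rejecting them.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                warnings.append(f"{entry}: not valid CIDR notation")
                continue
            warnings.append(f"{entry}: host bits set, covers {net}")
        if net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"{net}: broad range ({net.num_addresses} addresses)")
        networks.append(net)
    return networks, warnings

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any of the parsed ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    # The example value from the step above.
    nets, warns = parse_ip_ranges("192.168.20.0/24,192.168.10.3/24")
    print([str(n) for n in nets], warns)
    print(is_allowed("192.168.10.77", nets))
```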
Searching and Filtering the Service Accounts Table
In the Search box, enter the text to search for in the Service Accounts you want to see. Description text is also searched.
You can also filter the Service Accounts by the following fields:
- Role - Filters by role.
- Data Scope - Filters by Data Scope.
- Date Range - Filters by the selected date range.
Within a filter list, click Select All to select all options. Click Clear All to deselect all options.
Click Reset to clear all filter selections.
Editing a Service Account
You can edit a Service Account.
To edit a Service Account:
- In the Service Accounts table, click a Service Account. The Service Account drawer opens.
- Edit the details. You cannot change the API key.
- Click Save.
It is not possible to change only the API key. If you want to change the API key, you must change both the API key and its API secret.
Rotating the API Key of a Service Account
The API key of a Service Account can be rotated at any time.
To rotate the API key of a Service Account:
- From the Service Accounts page, select the account whose API key you want to rotate.
- Expand Optional details and click .
- Click to copy the API key.
Deleting a Service Account
Service Accounts can be deleted.
Delete a service account with caution, as once it is deleted, no one can use it or its associated key.
To delete a Service Account:
- In the Service Accounts table, click a Service Account. The Service Account drawer opens.
- Click the in the drawer header. After clicking Delete to confirm the action, the Service Account is deleted.