Service Accounts
A service account allows you to create access keys for processes that run Sumo Logic APIs. You can use a service account to create multiple access keys. Because access keys in a service account are not tied to an individual user, they can continue to be used even if the creator’s user account is deactivated or deleted. Service accounts are an ideal way to ensure continuity of operation for critical services.
You can use service accounts to provide authentication for operations that use Sumo Logic APIs, such as:
- API scripts
- Third party integrations
- Infrastructure as code (for example, Terraform)
Benefits of using service accounts include:
- The Service Accounts tab, a dedicated page to manage service keys and to reduce their being confused with personal access keys.
- Access keys on service accounts can be scoped with reduced capabilities to reduce impact.
- There is audit trail for changes to service keys.
You can use the API to create and manage service accounts. See Service Accounts API.
Prerequisites
Only administrators can create service accounts. If you are unsure whether you are an administrator, you can view your role in Preferences (see Onboarding Checklists).
Create a service account
To configure a service account, you must first create the account and then add access keys to it. You can add multiple access keys to each service account.
- Classic UI. In the main Sumo Logic menu, select Administration > Security > Service Accounts.
New UI. In the top menu select Administration, and then under Account Security Settings select Service Accounts. You can also click the Go To... menu at the top of the screen and select Service Accounts. - On the Service Accounts tab, click + Add Service Account.
The Add Service Account window appears. - Name. Enter a name for your service account. Make it descriptive enough so that others will be able to tell what its purpose is.
- Email. Enter an email to associate with the service account. It should be an email monitored by an organization rather than an email for an individual, so that it is not dependent on use by a single person.
- Roles. Select the roles to assign to the service account. A service account must have the role capabilities needed to execute the tasks its access keys are needed for.
tip
You can further limit permissions in the access keys using scope. The scoping of keys allows you to further restrict an access key to a subset of the service account’s assigned role capabilities.
- Click Save.
- Proceed to the next section to add access keys to the service account.
Add an access key to a service account
After you have created a service account, add access keys to the service account. The access keys are tied to the service account. When you create an access key for a service account, ensure that the scope of the key is restricted to only the rights needed for the key.
- Classic UI. In the main Sumo Logic menu, select Administration > Security > Service Accounts.
New UI. In the top menu select Administration, and then under Account Security Settings select Service Accounts. You can also click the Go To... menu at the top of the screen and select Service Accounts. - Select a service account.
- Click Add Access Key.
- The Add New Access Key window appears. Add the access key information, including scopes. Follow the steps to add an access key as described in Create an access key.
- You can add multiple access keys to the service account.
Any access keys you add on a service account appear on the Access Keys tab.
Change a service account
- Classic UI. In the main Sumo Logic menu, select Administration > Security > Service Accounts.
New UI. In the top menu select Administration, and then under Account Security Settings select Service Accounts. You can also click the Go To... menu at the top of the screen and select Service Accounts. - Hover your mouse over a service account and click the three-dot kebab icon to reveal the modification options.
When a service account is deactivated or deleted, the access keys on the service account are also deactivated or deleted. For more information about deactivation, see Access Keys deactivation policy.
Change an access key on a service account
To modify only the access keys on a service account (rather than the service account itself):
- Open the service account.
- Click the number under Access Keys.
- Select the access key you want to change.
- Make changes as needed. You can change the domains and scope, deactivate the key, or delete the key.
Audit logging for service account activity
Service account events are recorded in the Audit Event Index as user events. To search for for service account events, run this query:
_index=sumologic_audit_events _sourceCategory=users
Service account events will return with subsystem
shown as serviceAccounts
.
For more information about audit logging, see Audit Event Index.