Managing OVHcloud service accounts

Find out how to create, manage and use service accounts to connect to OVHcloud APIs via the Control Panel or the API.

Objective

Access to OVHcloud products can be configured within access policies, which can be accessed via the OVHcloud Control Panel. This allows you to globally define who can access which product. To configure this access for users, please refer to our guide on How to use IAM policies using the OVHcloud Control Panel.

When applications or code need API access, generate dedicated credentials for them so that they are not tied to an individual user. You don't want to reconfigure your production scripts because a user changes their credentials or leaves your company.

This guide explains how to create and manage service accounts from the OVHcloud Control Panel or via the API, and how to use them in your IAM access policies.

These credentials can be used within the different APIs of our products:

Requirements


OVHcloud Control Panel Access

  • Direct link:
  • Navigation path: Identity, Security & Operations > Identities > Service account

Instructions

Understanding identities

Service accounts are one of the types of identities that can be set up on your OVHcloud account. Other account types are described in the related documentation.

How service accounts work

An OVHcloud service account is an identifier/token pair that allows your code to authenticate on the OVHcloud APIs. These credentials follow the OAuth2 protocol, using the client credentials authentication mechanism.

This identifier/token pair has no time limit. It is therefore ideal for use within code deployed in production. You can revoke the access associated with this service account at any time by modifying the associated access policies or by deleting the service account.

Each identifier is associated with a unique URN, which enables it to be granted fine-grained rights on OVHcloud products by linking it to access policies. These credentials are directly linked to your root account. As a result, they are not affected by user changes.

Like all OVHcloud APIs, the management of these credentials is subject to configurable access rights within the access policies. Refer to our guide on How to use IAM policies using the OVHcloud Control Panel.

Manage service accounts

OVHcloud Control Panel
OVHcloud API

Go to the Service account page using the direct link above, or select the Service account tab in the Identities section.

Service accounts list in the OVHcloud Control Panel

The table displays existing service accounts with the following information:

Column | Details
Name | Service account name.
Description | Description of the intended use for this service account.
Associated policies | Number of IAM access policies linked to this service account.
Creation | Service account creation date.

Create a service account

Click Add a service account.

OVHcloud service account creation form

Complete the following fields:

Field | Details
Service account name | Unique name identifying this service account.
Description | Description of the intended use. We recommend describing the application or script that will use these credentials to make it easier to audit your access.

Click Create.

A window then displays the generated credentials:

  • Service account name: your service account identifier (clientId).
  • Password: secret (clientSecret) allowing you to authenticate on the OVHcloud APIs.

Credentials displayed after creating a service account

Warning

You will no longer have access to the token contents after closing this window. Make sure you save these credentials securely before clicking Close.

Edit a service account

Click the … button to the right of the service account, then click Edit.

Form for editing an existing service account

You can update the service account name and description. Click Edit to confirm.

Info

The password of an existing service account cannot be retrieved or regenerated from the Control Panel. If you have lost the secret, you must create a new service account and update your application.

Delete a service account

Click the … button to the right of the service account, then click Delete.

Service account deletion confirmation window

Confirm the deletion by clicking Delete.

Warning

This action is permanent. If you need to undo it, you will have to create a new service account and deploy the new identifier/token pair within your application.

To remove access, we recommend first detaching all access policies from this service account. This action is reversible, and allows you to cancel in case of an error. Once you have ensured that this service account is not used in production, you can delete it safely.

To modify access for a service account, you can associate it with an existing access policy or create a new one.

From the Control Panel, refer to our guide on How to use IAM policies using the OVHcloud Control Panel to create or modify a policy. When selecting identities, add the relevant service account. The Associated policies column on the Service account page shows the number of policies linked to each service account.

To find out more about managing access policies via the API, please read our guide on How to use IAM policies using the OVHcloud API.

For this example, we will use an existing access policy to provide access to the service account management APIs. Below is an example of a policy with the values xx11111-ovh and urn:v1:eu:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f, which should be adapted to suit your configuration.

{
  "description": "Demo for service account guide",
  "identities": [
    "urn:v1:eu:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f"
  ],
  "name": "Demo-service-account",
  "permissions": {
    "allow": [
      {
        "action": "account:apiovh:me/api/oauth2/client/get"
      },
      {
        "action": "account:apiovh:me/api/oauth2/client/create"
      },
      {
        "action": "account:apiovh:me/api/oauth2/client/edit"
      },
      {
        "action": "account:apiovh:me/api/oauth2/client/delete"
      }
    ]
  },
  "resources": [
    {
      "urn": "urn:v1:eu:resource:account:xx11111-ovh"
    }
  ]
}

This example can be used directly within the following call to create a new policy:

POST /iam/policy
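
A pre-flight review of a policy body before it is sent to the call above, as an added example that is not part of the OVHcloud guide: it checks that every identity is a service account URN, that the account resource belongs to the same account as the identity, and lists wildcard and write actions for a reviewer. The URN patterns are generalised from the sample policy on this page, treating `*` as a wildcard is an assumption, and `yy22222-ovh` is a constructed value.

```python
import re

# URN shapes and action names follow the sample policy on this page; treating
# them as the general format (and "*" as a wildcard) is an assumption here.
IDENTITY = re.compile(r"^urn:v1:([a-z]+):identity:credential:([^/:]+)/oauth2-[0-9a-f]+$")
ACCOUNT = re.compile(r"^urn:v1:([a-z]+):resource:account:([^/:]+)$")
WRITE_VERBS = {"create", "edit", "delete"}  # final segment of the page's actions


def review_policy(policy):
    """Return (severity, message) findings for a policy body before POST /iam/policy."""
    findings, owners = [], set()
    identities = policy.get("identities", [])
    if not identities:
        findings.append(("error", "policy has no identities"))
    for urn in identities:
        m = IDENTITY.match(urn)
        if m:
            owners.add(m.groups())  # (region, account) owning the credential
        else:
            findings.append(("error", f"not a service account URN: {urn}"))
    for res in policy.get("resources", []):
        m = ACCOUNT.match(res.get("urn", ""))
        if m and owners and m.groups() not in owners:
            findings.append(("error", f"resource account differs from identity account: {res['urn']}"))
    for entry in policy.get("permissions", {}).get("allow", []):
        action = entry.get("action", "")
        if "*" in action:
            findings.append(("warn", f"wildcard action: {action}"))
        elif action.rsplit("/", 1)[-1] in WRITE_VERBS:
            findings.append(("review", f"write action on a non-expiring credential: {action}"))
    return findings


# The page's sample policy, compacted.
PAGE_POLICY = {
    "name": "Demo-service-account",
    "identities": ["urn:v1:eu:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f"],
    "permissions": {"allow": [{"action": f"account:apiovh:me/api/oauth2/client/{v}"}
                              for v in ("get", "create", "edit", "delete")]},
    "resources": [{"urn": "urn:v1:eu:resource:account:xx11111-ovh"}],
}
# Constructed variant: wildcard action and a resource in another account.
BROAD_POLICY = dict(PAGE_POLICY, permissions={"allow": [{"action": "account:apiovh:*"}]},
                    resources=[{"urn": "urn:v1:eu:resource:account:yy22222-ovh"}])

if __name__ == "__main__":
    for severity, message in review_policy(BROAD_POLICY):
        print(f"{severity}: {message}")
```

The page's own policy yields only `review` entries for the create, edit and delete actions, which a reviewer confirms are intended before the policy is created.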

Usage of service accounts

Service accounts are available in several APIs of our products. For each API, there is a guide:

Go further

Join our community of users.
