Service Accounts

Service accounts are non-human identities designed for automation, CI/CD pipelines, and backend services. They provide a structured way to manage programmatic access to Tenuo Cloud.

Why Service Accounts?

Feature              | API Keys    | Service Accounts
Identity tracking    | Limited     | Full audit trail
Key rotation         | Manual      | Managed
Multiple keys        | No          | Yes
Descriptive metadata | Name only   | Name, description, labels
Disabling            | Revoke only | Disable/enable

Creating a Service Account

  1. Navigate to Service Accounts: click Service Accounts in the sidebar
  2. Create Service Account: click Create Service Account
  3. Configure:
       • Name: A descriptive name (e.g., "production-authorizer")
       • Description: What this service account is used for
  4. Create: click Create to create the service account

Managing Keys

Each service account can have multiple API keys, making rotation easier.

Create a Key

  1. Click on the service account
  2. Click Create Key
  3. Select scopes for the key
  4. Copy the key immediately - it won't be shown again

Rotate Keys

Best practice for key rotation:

  1. Create a new key for the service account
  2. Update your services to use the new key
  3. Verify the new key is working
  4. Revoke the old key

This allows zero-downtime rotation.

Revoke a Key

  1. Click on the service account
  2. Find the key in the keys list
  3. Click Revoke

Service Account States

State    | Description
Active   | Service account and its keys can be used normally
Disabled | All keys are temporarily disabled, no API access

Disable a Service Account

Temporarily block all access without revoking keys:

  1. Click on the service account
  2. Click Disable
  3. All keys stop working immediately

Enable a Service Account

Re-enable a disabled service account:

  1. Click on the service account
  2. Click Enable
  3. All non-revoked keys work again

Use Cases

CI/CD Pipelines

Create a service account for your CI/CD system:

  • Name: github-actions or jenkins
  • Scope: admin for deployment scripts
  • Rotate keys when team members leave

Authorizer Services

Create a service account for each authorizer deployment:

  • Name: authorizer-production or authorizer-staging
  • Scope: authorizer (read SRL only)
  • Multiple keys for canary deployments

Monitoring Systems

Create a service account for monitoring:

  • Name: datadog-integration or prometheus
  • Scope: read-only
  • Used for metrics and health checks

Partner Integrations

Create service accounts for external partners:

  • Separate service account per partner
  • Easy to disable if partnership ends
  • Clear audit trail per partner

Audit Trail

All operations by service accounts are logged with:

  • Service account ID and name
  • API key ID used
  • Operation performed
  • Timestamp
  • IP address

View these entries in the Audit Log, where you can filter by service account.
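
The audit fields above are enough to decide when step 4 of Rotate Keys (revoking the old key) is safe. The following is an added example, not Tenuo's own code: it assumes audit entries are available as records with hypothetical field names (`service_account`, `key_id`, `operation`, `timestamp`, `ip`), and the sample records, key IDs and operation names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records. The field names are assumptions that mirror the
# audit fields listed above; they are not a documented Tenuo Cloud export format.
SAMPLE_AUDIT = [
    {"service_account": "authorizer-production", "key_id": "key-old",
     "operation": "read_srl", "timestamp": "2025-01-10T08:00:00+00:00", "ip": "10.0.1.5"},
    {"service_account": "authorizer-production", "key_id": "key-new",
     "operation": "read_srl", "timestamp": "2025-01-11T09:00:00+00:00", "ip": "10.0.1.5"},
    {"service_account": "authorizer-production", "key_id": "key-old",
     "operation": "read_srl", "timestamp": "2025-01-12T03:00:00+00:00", "ip": "10.0.1.9"},
    {"service_account": "authorizer-production", "key_id": "key-new",
     "operation": "read_srl", "timestamp": "2025-01-12T11:00:00+00:00", "ip": "10.0.1.5"},
    {"service_account": "prometheus", "key_id": "key-mon",
     "operation": "health_check", "timestamp": "2025-01-12T11:30:00+00:00", "ip": "10.0.2.2"},
]


def rotation_status(records, service_account, old_key, new_key, now,
                    quiet=timedelta(hours=24)):
    """Decide whether old_key can be revoked without cutting off a caller."""
    new_key_seen = False
    old_last_used = None
    recent_old_ips = set()  # callers that used the old key inside the quiet window
    for rec in records:
        if rec["service_account"] != service_account:
            continue
        ts = datetime.fromisoformat(rec["timestamp"])
        if rec["key_id"] == new_key:
            new_key_seen = True
        elif rec["key_id"] == old_key:
            if old_last_used is None or ts > old_last_used:
                old_last_used = ts
            if now - ts <= quiet:
                recent_old_ips.add(rec["ip"])
    return {
        "new_key_seen": new_key_seen,
        "old_last_used": old_last_used,
        "still_on_old_key": sorted(recent_old_ips),
        # Safe only when the new key is proven in use and the old key has gone quiet.
        "safe_to_revoke": new_key_seen and not recent_old_ips,
    }


if __name__ == "__main__":
    now = datetime.fromisoformat("2025-01-12T12:00:00+00:00")
    print(rotation_status(SAMPLE_AUDIT, "authorizer-production", "key-old", "key-new", now))
```

The `still_on_old_key` list names the source addresses that have not yet switched, which is where to look before revoking.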

Best Practices

One service account per service

Don't share service accounts between different systems. This improves security and audit clarity.

Use descriptive names

Name service accounts after their purpose, for example authorizer-prod, cicd-github, or monitoring.

Implement key rotation

Rotate keys every 30-90 days. Service accounts make this easy with multiple keys.

Disable instead of delete

When access should be temporarily blocked, disable the service account. Only delete when you're sure it's no longer needed.

Monitor usage

Check the audit log for unusual activity from service accounts.

Deleting a Service Account

Deleting a service account revokes all its keys and cannot be undone.

  1. Click on the service account
  2. Click Delete
  3. Confirm the deletion

All keys associated with the service account will stop working immediately.