Service Credential

In this page, you will find the steps to generate, revoke, and edit Service Credentials.

What is a Service Credential

A Service Credential allows Enterprise Accounts to create service tokens linked to Groups and with customized permissions (scopes) for specific purposes. In this way, actions executed in pipelines are performed by the Organization, ensuring greater security and control.

Account-level operations include the following actions:

1. Resource creation;

2. Execution of specific tasks via pipeline, without the need for direct intervention from a specific user.

For example, it's possible to generate a token with the following information:

• Name of a group called Tech Products.
• Scope permissions to only create and manage Studios.
• Teams responsible for Tech Products.

tip

Check below for the differences between a Service Credential and a Personal Access Token (PAT):

• Service Credential: created for Enterprise Accounts, allows you to define custom scopes (permissions) and groups. It is ideal for automating tasks and integrations on behalf of the organization, with more control over permissions.

• Personal Access Token (PAT): created for individual use, directly linked to the user. It is used to access resources and execute commands in StackSpot on behalf of the user.

Prerequisite

• Only people with Account Holder or Sys_Admin permission can create and manage Service Credentials.

• You can create a Service Credential at any time in the StackSpot Portal.

Create Service Credentials

danger

For security reasons, credentials such as Personal Access Token (PAT) are stored encrypted in StackSpot. After being saved, it is not possible to consult or view this information again through the platform.

Step 1. Access the StackSpot Account Portal;

Step 2. Click on your profile avatar. Then, click on the 'Organization' option;

Step 3. In 'General Settings', click on the 'Identity and Security' section and then click on 'Service Credentials';

Step 4. Click the 'Create Service Credential' button;

Step 5. Fill in the following fields:

• Name: name your Credential.
• Description: provide a description for it.

Then, click the 'Next' button.

Step 6. In 'Expiration', select the following fields:

• Service Credential validity: choose how long the Credential will be valid:

  • 30 days
  • 90 days
  • 180 days
  • 365 days
  • Never expires

• Token expiration time:

  • 15 minutes
  • 1 hour
  • 2 hours
  • 8 hours
  • 24 hours

To continue, click the 'Next' button.

Step 7. (Optional) Add at least one group or resource:

info

• Groups are sets of multiple users with the same types of roles and resources, i.e., the same permission level.

• Resources: Resource Types represent the objects users interact with, such as Accounts, Workspaces, Plugins, Stacks, and Applications.

• To add a group:

  1. Click the 'Add group' button;
  2. Select the groups you want the credential to inherit permissions from;
  3. To confirm, click the 'Add group' button.

• To add a resource:

  1. Click the 'Add resource' button;
  2. Select the resources that will have granular permissions;
  3. To continue, click the 'Next' button.
  4. Now, configure permissions for each resource you selected in the previous step;
  5. To confirm, click the 'Confirm' button.

Now, click the 'Next' button.

Step 8. On the 'Summary' tab, review your information and click the 'Save' button.

danger

In 'Client ID and Client Key', copy and save the following information:

• Client Id
• Client Key
• Realm
• Usage example

After you click the 'Close' button, you will not be able to view this data again.

caution

If you do not save the Client Secret data, you will not be able to use this credential to authenticate new sessions or obtain new access tokens. For security reasons, the Client Secret cannot be recovered. If you lose this information, you will need to revoke the credential and create a new one to continue using the integration.

Done, you've generated a Service Credential.

Edit Service Credentials

The Groups and Resources of a Credential are the only variable you can edit after creation.

To edit a Service Credential, follow these steps:

Step 1. Still in the 'Service Credentials' section, click on the Credential you want to edit;

Step 2. To remove Groups from your Credential, click the trash button in the row of the Group you want to remove. To confirm, click the 'OK' button;

Step 2.1. To remove Resources from your Credential, click the trash button in the row of the Resource you want to remove. To confirm, click the 'OK' button;

Step 3. To add Groups, click on the 'Add' button and select which ones you want to add. To confirm, click on the 'Add' button.

Step 3.1. To add Resources, click on the 'Add' button and select which ones you want to add. To confirm, click on the 'Add' button.

Revoke Service Credentials

When you revoke a credential, any tokens already issued by it become invalid immediately. This means that any session or integration using these tokens will be interrupted and will require new authentication with a valid credential.

Only people with Account Holder or Sys_Admin permission can revoke Credentials.

tip

It's recommended to create a new Credential before revoking the current one.

Step 1. Still in 'Service Credentials', click on the Credential you want to revoke;

Step 2. Now click on the 'Revoke' button;

Step 3. Enter the name of the Credential in the 'Credential name' field;

Step 4. To confirm, click on the 'Revoke' button.

Done, you've revoked a Service Credential.