Creating and managing service accounts

A service account can be used to authenticate external services, such as CI pipelines, with the Mondoo Platform APIs. Clients use service account credentials to authorize themselves to the Mondoo APIs and perform actions within the permissions granted to the service account.

Service account scope

Each space within an organization can have its own service accounts. Service accounts are scoped to the space in which they are created and cannot access any other space in the platform. Every service account is granted permissions that limit the actions it can perform. For more information on service account permissions, see managing service account permissions.

An example where a service account is useful is in a CI/CD workflow where you often have worker nodes that test builds of infrastructure and applications. Here you could create a service account that can access the policies in a space, and execute them on builds to assess security risks.

Creating service accounts

To create a service account:

  1. Navigate to the space you want to create a service account in.
  2. Select Settings followed by Service Accounts.
  3. Select ADD ACCOUNT.
  4. If required, check the Base64-encoded box to base64 encode the credentials.
  5. Select GENERATE NEW CREDENTIALS.

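Copy either the clear-text credentials file or the base64-encoded credentials, depending on how you plan to use them.

Decode a base64 service account for use with Mondoo Client

Base64 is an encoding, not encryption, so the encoded string must be protected in the same way as the clear-text credentials. To decode a base64-encoded service account: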

echo <base64_credentials> | base64 -d > mondoo.json

Configure Mondoo Client to use the mondoo.json file either by passing --config /path/to/mondoo.json or by setting the MONDOO_CONFIG_PATH environment variable.
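The decode step above, written for a CI job where the file must not be readable by other users on the runner. This is an added example, not part of Mondoo's documentation: the function name install_mondoo_credentials and the variable MONDOO_SA_B64 are hypothetical, and the check that the decoded data is a JSON object is an assumption based on the mondoo.json file name.

```bash
# install_mondoo_credentials <dest-file>
# Reads the base64 string from stdin, so the secret never appears in a
# command line (argv is visible to other processes on the same host).
install_mondoo_credentials() {
  local dest="$1" tmp
  [ -n "$dest" ] || { echo "usage: install_mondoo_credentials <dest-file>" >&2; return 2; }

  # mktemp creates the file with mode 0600; it sits next to the destination
  # so the final mv is a rename and never exposes a half-written file.
  tmp="$(umask 077; mktemp "${dest}.XXXXXX")" || return 1

  # base64 -d exits non-zero on malformed input; also reject empty output.
  if ! base64 -d > "$tmp" || [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "credentials are not valid base64 or are empty" >&2
    return 1
  fi

  # Assumption: the decoded credentials are a JSON object.
  case "$(head -c 1 "$tmp")" in
    '{') ;;
    *) rm -f "$tmp"; echo "decoded data is not a JSON object" >&2; return 1 ;;
  esac

  chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# Usage in a CI step (MONDOO_SA_B64 is a hypothetical secret variable name;
# printf is a shell builtin, so the value is not passed to a new process):
#   printf '%s' "$MONDOO_SA_B64" | install_mondoo_credentials "$HOME/mondoo.json"
#   export MONDOO_CONFIG_PATH="$HOME/mondoo.json"
```

Delete the decoded file at the end of the job if the runner's workspace persists between builds.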

Managing service account permissions

Service accounts can be configured with the following permissions to perform specific actions:

  • Space Agent (default) - Read-only access
  • Space Gateway Agent - Full access
  • Space Viewer - Space Viewer
  • Space Editor - Space Editor
  • Space Owner - Space Owner access

Changing service account permission

To change the permissions on an existing service account:

  1. Navigate to the space where the service account was created.
  2. Select Settings followed by Service Accounts.
  3. Check the box next to the service account whose permissions you want to change and then select PERMISSIONS.
  4. Select the desired permission level for the service account.
  5. Select SAVE.

Deleting service accounts

To delete a service account from a space:

  1. Navigate to the space where the service account was created.
  2. Select Settings followed by Service Accounts.
  3. Check the box next to the service account you want to delete.
  4. Select DELETE.
  5. A pop-up will ask you to confirm that you want to delete the service account. Select DELETE to confirm, or CANCEL to cancel the deletion.