Service accounts

Identity Cloud provides service accounts to let you request access tokens for most REST API endpoints; for example, you may need an access token to use the REST API endpoint /openidm/managed/alpha_user to get a list of identities.

You create a new service account in the Identity Cloud admin UI, which provides you with credentials (a service account ID and a private key). You use the credentials to obtain an access token from a built-in OAuth 2.0 public client using the JWT profile for OAuth 2.0 authorization grant flow. You can then use the access token as a bearer token in the Authorization HTTP header for each API request.

Manage service accounts

A tenant administrator can manage service accounts in these ways:

To use the Identity Cloud admin UI, refer to Manage service accounts using the UI.
To use the Identity Cloud REST API with a tenant administrator access token, refer to the article A scripted approach for creating and using service accounts in ForgeRock Identity Cloud.

Only a tenant administrator account has the privileges to create, modify, or delete service accounts.

You create service accounts in each environment; they are not promotable.

Service account scopes

When you create a service account, you choose which scopes it can grant to the access tokens it creates. You should always choose the minimum number of scopes needed.

Scope Purpose

Scope	Purpose
`fr:am:*`	Access to `/am/*` API endpoints
`fr:idm:*`	Access to `/openidm/*` and ESV API endpoints
`fr:idc:esv:*`	Access to ESV API endpoints
`fr:idc:esv:read`	Read access to ESV API endpoints
`fr:idc:esv:update`	Create, update, and delete access to ESV API endpoints
`fr:idc:esv:restart`	Access to ESV API endpoint to restart Identity Cloud services
`fr:idc:promotion:*`	Access to promotions API endpoints

fr:am:*

Access to /am/* API endpoints

fr:idm:*

Access to /openidm/* and ESV API endpoints

fr:idc:esv:*

Access to ESV API endpoints

fr:idc:esv:read

Read access to ESV API endpoints

fr:idc:esv:update

Create, update, and delete access to ESV API endpoints

fr:idc:esv:restart

Access to ESV API endpoint to restart Identity Cloud services

fr:idc:promotion:*

Access to promotions API endpoints

Get an access token using a service account

To get an access token using a service account, refer to Authenticate to Identity Cloud REST API with access token.

Manage service accounts using the UI

View service accounts

In the Identity Cloud admin UI, open the Tenant menu (upper right).
Click Tenant settings.
Click Global Settings.
Click Service Accounts. The page displays existing service accounts for your tenant.

Create a new service account

In the Identity Cloud admin UI, open the Tenant menu (upper right).
Click Tenant settings.
Click Global Settings.
Click Service Accounts.
Click New Service Account.
Enter a Name and optional Description for the service account.
In the Scopes section, select the scopes that the service application can grant to an access token. Refer to Service account scopes.
Click Save.
When the 'Service account successfully created!' message shows:
1. Make a note of the service account ID, found in the ID field.
2. Click Download Key to download the service account private key.
  
  You must download the private key at this point as it will not be available again.
Click Done.

To get an access token using a service account, refer to Authenticate to Identity Cloud REST API with access token.

Modify a service account

In the Identity Cloud admin UI, open the Tenant menu (upper right).
Click Tenant settings.
Click Global Settings.
Click Service Accounts.
Click the ellipsis on the right of a service account and select Edit.
You can change the Name or optional Description.

In the Scopes section, you can change the scopes that the service application can grant to an access token. Refer to Service account scopes.

Before removing scopes that the service application can grant to an access token, make sure you identify which of your integrations are dependent upon those scopes; otherwise those integrations will fail the next time they request an access token.

Click Save.

Regenerate a key for a service account

Before regenerating a key, make sure you identify which of your integrations are dependent upon it to sign JWTs, as all those integrations need to be updated with the new key.

In the Identity Cloud admin UI, open the Tenant menu (upper right).
Click Tenant settings.
Click Global Settings.
Click Service Accounts.
Click the ellipsis on the right of a service account and select Regenerate Key.
On the Regenerate Key dialog box, click Regenerate Key.
When the 'Key successfully created!' message is shown:
1. Click Download Key to download the new service account private key.
  
  You must download the private key at this point as it will not be available again.
Click Done.

Delete a service account

Before deleting a service account, make sure none of your integrations are dependent upon its key to sign JWTs; otherwise those integrations will fail the next time they request an access token.

In the Identity Cloud admin UI, open the Tenant menu (upper right).
Click Tenant settings.
Click Global Settings.
Click Service Accounts.
Click the ellipsis on the right of a service account and select Delete.
On the Delete Service Account page, click Delete Service Account.