Service accounts

Feature availability Service accounts are available only for Enterprise plans. For more information, see plans and pricing.

Free and Team plan users and Trial users have access to a Snyk user's token under their profile and can use this token to authenticate with a CI/CD, to run the CLI locally or on a build machine, and to authenticate with an IDE manually.

Service accounts are a special type of system user. Creating a service account generates an API token that is the only token associated with the service account and takes the place of standard user credentials. Snyk needs authentication in order to initiate Snyk processes.

You can set up a service account to use for automation rather than using a Snyk user's token and to help manage integrations.

You can generate single or multiple tokens on the Organization or Group levels to manage your integrations. Each service account has a unique name to make it easier to recognize. This name cannot be reused.

When to use a service account

If you are an Enterprise user, you have a Snyk user's token under your profile. You also have access to service account tokens.

Use a service account to create any kind of automation

This includes, but is not limited to, scanning using a CI/CD or build system plugin and automation with the Snyk API.

Use a service account for GitHub Enterprise integration

If your team needs to set up a service account in GitHub, you must use GitHub Enterprise, which is available only with Snyk Enterprise accounts.

Using a service account to authenticate with an integration rather than a Snyk user's token ensures continuity when users change roles or close their personal Snyk accounts.

Use Group-level tokens in managing integrations

Use Group-level tokens to call Group API endpoints and Organization API endpoints, and to run the CLI for all Organizations in the Group.

Group roles are only for service accounts on the Group level and are limited to Enterprise accounts.

Use your Snyk user's token for local scanning and testing API calls

If you are an Enterprise user, use your Snyk user's token to run the CLI locally on your machine, authenticate with an IDE manually, and make an occasional API call, for example, to test the use of an endpoint.

Snyk advises against using a service account token to authenticate with an IDE.

Set up a Group or Organization level service account

Generate single or multiple tokens on the Group or Organization levels to manage your integrations.

Prerequisites to set up a service account

Group viewers are not able to create service accounts, regardless of their Org role.

To create a Group service account, you must be a Group admin. To create an Organization service account, you must be either a Group member and Org Admin, or a Group admin.

This process describes all options. Repeat the steps to create multiple tokens for the same or any other Group or Organization.

How to set up a Group or Organization service account

  • Log in to your account and navigate to the relevant Group and Organization that you want to manage.

  • Click on Settings > Service accounts to view existing service accounts and their details.

  • Click Create a service account to create a new one. The screen that loads varies depending on whether you chose a Group or an Organization.

Note that while creating a Group service account, you can choose a Group-level role.

Group settings
Group settings

In contrast, while creating an Organization service account, you can choose Organization-level roles, including custom roles that you have set up for your Organizations.

Organization settings
Organization settings

Enter a service account name

In the Service Account name field, enter a unique name for this token. Remember, this name can be used only once for tokens in the same area, either an Organization or a Group.

Select a role

From the Role dropdown list, select an appropriate role.

Roles
Roles

For Group service accounts, choose from the following list of roles to configure the scope of the token; Snyk recommends selecting Viewer or Admin.

  • Group Viewer enables read-only access. Note that to set an API token to be read-only and unable to write to the platform, you must use a service account and set it to Group Viewer. See Snyk API token permissions users can control.

  • Group Admin enables full administrator access.

  • Group Member associates a service account with a group but does not grant any specific access.

For Organization service accounts, choose from the standard roles, Org Admin or Org Collaborator, or a custom role if you have set up any custom roles. See Pre-defined roles for the scope of the Org Admin and Org Collaborator roles.

Create the service account

Click Create.

The token is generated and displayed.

Ensure that you copy this token, as you will not see it again. You can click Close and Hide once you have copied the token; whether you do or not, when you navigate away from this page, the token will no longer be visible. This is a standard security practice to keep your tokens safe.

How the token is associated with a Group and Organizations

The new token is also added to your Existing service accounts list, like the list in this example:

Existing service accounts for a Group
Existing service accounts for a Group

In addition, if you created the token for the entire Group with a Group Admin role, the token also appears in the Existing service accounts list for each of its Organizations, though it can only be edited at the Group level.

If you created the token from an Organization that is part of a Group, the token now also appears in the Existing service account list on the Group level. From that list, the Group Admin can also change the token name or delete it.

Update the name for a service account token

Click any of the links to update the name for a service account token:

  • For Group-level tokens, from the Group level only

  • For Organization-level tokens, from the relevant Organization and also from the Group level:

Edit and delete a service account

Administrators can change token names and delete tokens.

What happens to the service account token for a deleted account

When you delete a service account, the API token associated with it is invalidated immediately.

When an account is managed with Groups, the Organization and the Group admins can delete tokens for the Organization; only Group admins can view and manage tokens on the Group level.

Deleting a service account is the same as revoking the API token.

How to edit or delete a service account

  • Log in to your account and navigate to the Group and Organization that you want to manage.

    For Group tokens, navigate to the Group level. For Organization tokens, group admins can delete from either the Group or the relevant Organization; Organization admins should navigate to the relevant Organization.

  • Click on Settings > Service accounts.

  • Scroll to find the list of existing service accounts:

Existing service accounts for a Group
Existing service accounts for a Group
  • From the list of existing tokens:

    • Click the token name to navigate to change the token name and click Save.

    • Click Delete to delete a token and invalidate it immediately. When prompted, click OK. Remember that you cannot re-generate the same token.

Assign roles and permissions to a service account

Users with the Group-level View, Create, and Edit service account permissions can set up new service accounts for their Organization and assign a role.

Select an Organization and navigate to Settings > Service Accounts. Provide a name, choose a role from the dropdown, and click Create.

Select a Role while creating Organization Service Account
Select a Role while creating Organization Service Account

When you open a role that is assigned to a service account, the system displays a warning message. Consider the possible impact when you update the permissions associated with or delete a role that would lead to reassigning the service accounts and users to a new role.

Warning that you are about to change a role assigned to a service account
Warning that you are about to change a role assigned to a service account

Snyk prevents users from creating Organization service accounts with a role that has more privileges than those the user creating the service account has. If you try to create a service account with a role that has more privileges than you have, you will see the error Cannot create a service account with a higher privilege role than yours.

User cannot assign a more privileged role to a service account
User cannot assign a more privileged role to a service account

Last updated

More information

Snyk privacy policy

© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.