Serviceaccounts
K0rdent API service account endpoints
Serviceaccounts Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/regions/global/iam/service-accounts | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). List service accounts within the caller's tenant. Only tenant administrators can access this endpoint. Supports filtering by scope level, scope target, and status. |
| GET | /v1/regions/global/iam/service-accounts/{id} | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Retrieve metadata for a single service account. Only tenant administrators can access this endpoint. Non-admin callers receive 404 to prevent resource enumeration. |
| GET | /v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). List credentials for a service account. Only tenant administrators can access this endpoint. The client_secret is never included in list responses. |
| GET | /v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials/{id} | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Retrieve metadata for a single credential. The client_secret is never included in this response. Only tenant administrators can access this endpoint. Non-admin callers receive 404 to prevent resource enumeration. |
| POST | /v1/regions/global/iam/service-accounts | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Create a new service account scoped to a level in the resource hierarchy. Only tenant administrators can create service accounts. The service account is created with a server-generated clientId but no credentials. Use the credential sub-resource endpoints to create a client_secret after the service account exists. The scope level may be constrained by org-level policy. |
| POST | /v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Generate a new client_secret for a service account. The secret is returned only in this response and cannot be retrieved again. Store it securely. Only tenant administrators can create credentials. A maximum of 5 active credentials are allowed per service account. This limit supports zero-downtime rotation: create a new credential, deploy it to your systems, then delete the old one. If expiresAt is omitted, the organization's default credential lifetime is applied. The value cannot exceed the org-level maximum. |
| PATCH | /v1/regions/global/iam/service-accounts/{id} | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Update mutable fields on a service account. Supports changing the display name, description, roles, and status. Only tenant administrators can update service accounts. Non-admin callers receive 404 to prevent resource enumeration. Role changes follow the scope-down principle: the calling administrator can only assign roles they themselves hold within the service account's scope. |
| DELETE | /v1/regions/global/iam/service-accounts/{id} | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Hard-delete a service account and all its credentials. This action is irreversible. All credentials are immediately unusable. Only tenant administrators can delete service accounts. Non-admin callers receive 404 to prevent resource enumeration. Recommended workflow: disable the service account via PATCH first, confirm no active workloads are affected, then delete. |
| DELETE | /v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials/{id} | Visibility: public · internal (OpenAPI Custom Extension: x-visibility). Permanently delete a credential. The client_secret is immediately unusable. This action is irreversible. Only tenant administrators can delete credentials. Non-admin callers receive 404 to prevent resource enumeration. If this is the last active credential on the service account, the service account will have no way to authenticate until a new credential is created. |