# Service accounts

{% hint style="warning" %}
This feature requires the **Manage organization settings** permission. Learn more about permissions here: [dataset-attributes-and-responsibilities](https://docs.soda.io/dataset-attributes-and-responsibilities "mention")
{% endhint %}

Service accounts are organization-bound identities designed for automated pipelines and API integrations. Unlike regular users, they authenticate exclusively via API key. They have no email/password login and are not tied to any individual's SSO credentials.

Use service accounts when you want API keys that are independent of any individual user, for example in CI/CD pipelines, scheduled scans, or data engineering workflows.

| A service account can...                                                                          | A service account cannot                                                                |
| ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
| <i class="fa-check">:check:</i> Run `soda-core` scans (results attributed to the service account) | <i class="fa-x">:x:</i> Log in to the Soda Cloud UI                                     |
| <i class="fa-check">:check:</i> Call the Soda Cloud REST API                                      | <i class="fa-x">:x:</i> Participate in agreements, discussions, or incidents via the UI |
| <i class="fa-check">:check:</i> Be assigned to datasets and user groups                           | <i class="fa-x">:x:</i> Be used as agents (agents use their own API keys)               |
| <i class="fa-check">:check:</i> Receive notifications                                             |                                                                                         |
| <i class="fa-check">:check:</i> Create and verify data contracts from a pipeline                  |                                                                                         |
| <i class="fa-check">:check:</i> Log incident activity via API                                     |                                                                                         |

## Create a service account

{% stepper %}
{% step %}

#### Navigate to Service Accounts

Click on your avatar > **Organization Settings** > **Service Accounts** tab

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FJnglh3wyc9sUw3s6Yhq8%2Fimage.png?alt=media&#x26;token=286fc454-ad89-4b5b-a206-f1302bc2407a" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Create a new service account

Click on <i class="fa-plus">:plus:</i> (top right) to create a new service account.

Enter a name and a unique email address for the service account, then confirm.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FYSucg7VtYvnpzko9lzv8%2Fimage.png?alt=media&#x26;token=e51393bc-dcda-47e3-b1e8-e0b9112b5075" alt="" width="383"><figcaption></figcaption></figure>

{% hint style="info" %}
A unique email is required but it does not represent a real login.
{% endhint %}
{% endstep %}

{% step %}

#### Store the API key

Copy the API key that is displayed. **This is the only time the key is shown**. It cannot be retrieved after you navigate away.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FhwIqPLQmIr7t9pSu7TjL%2Fimage.png?alt=media&#x26;token=91328285-542b-476e-824d-1e173917c2cc" alt="" width="563"><figcaption></figcaption></figure>

Use the API key ID and secret as credentials wherever you would normally configure Soda API keys, for example in `soda-core` scan configurations or REST API calls.
{% endstep %}
{% endstepper %}

### Deactivate a service account

In the **Service Accounts** tab, open the context menu for the account and select **Deactivate**. The API key is immediately invalidated.

<figure><img src="https://1123167021-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA2PmHkO5cBgeRPdiPPOG%2Fuploads%2FSLzZg2MEM72H9gytvsaX%2Fimage.png?alt=media&#x26;token=b08514f1-f0a8-4d06-8dd4-eac21eaf15c1" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Note:** Service accounts cannot be deleted by design. They are only deactivated until activated again.
{% endhint %}

***

## Default permissions

New service accounts are automatically assigned a default role configured under **Organization Settings > Global Roles > Responsibilities**. This default role excludes UI-bound permissions that don't apply to non-human accounts.

You can also:

* Add a service account to a **user group** to inherit that group's dataset permissions.
* Assign a service account a direct **dataset role** via the dataset's Edit Responsibilities panel.

When both a group-inherited and a direct dataset role exist, the higher permission takes precedence.

<br>

***

{% if visitor.claims.plan ===  %}
{% hint style="success" %}
You are **logged in to Soda** and seeing the **Free license** documentation. Learn more about [documentation-access-and-licensing](https://docs.soda.io/reference/documentation-access-and-licensing "mention").
{% endhint %}
{% endif %}

{% if visitor.claims.plan ===  %}
{% hint style="success" %}
You are **logged in to Soda** and seeing the **Team license** documentation. Learn more about [documentation-access-and-licensing](https://docs.soda.io/reference/documentation-access-and-licensing "mention").
{% endhint %}
{% endif %}

{% if visitor.claims.plan ===  %}
{% hint style="success" %}
You are **logged in to Soda** and seeing the **Enterprise license** documentation. Learn more about [documentation-access-and-licensing](https://docs.soda.io/reference/documentation-access-and-licensing "mention").
{% endhint %}
{% endif %}

{% if !(visitor.claims.plan ===  %}
{% hint style="info" %}
You are **not logged in to Soda** and are viewing the default public documentation. Learn more about [documentation-access-and-licensing](https://docs.soda.io/reference/documentation-access-and-licensing "mention").
{% endhint %}
{% endif %}