1. Manage Accounts and Access
  2. Manage Accounts

Service Accounts for StreamNative Cloud

Each service account represents an application programmatically accessing StreamNative Cloud.

You can manage application access to StreamNative Cloud by using service accounts. Permissions can be specified using ACLs and role bindings tied to a specific service account. ACLs and role bindings for service accounts are set by an administrator or another user with a similar role within the organization.

Service accounts are an organization-level resource.

Service accounts span the entire organization and can own authentication credentials for many different resources, including development and production clusters. A typical use case has one team administering the StreamNative Cloud streaming data platform and issuing service accounts (with ACLs applied) to various application teams that use the streaming data platform. While service accounts cannot sign in to StreamNative Cloud Console, they can own any type of API keysthat can be used for CLI or API access. Keep in mind the following:

  • Although users can leave or change roles within a company, applications continue to operate independently of the users, service accounts are especially useful in organizations requiring special identifiers for applications or services not be tied to a specific user.

  • You can create service accounts using any of the following methods:


When you delete a service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which may cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a service account.

Create a service account


Currently, you can't edit a service account. If you need a service account to have Super Admin access, make sure to enable it when creating the service account. By default, service accounts do not have Super Admin enabled.

To create a service account, follow these steps.

  1. On the left navigation pane, click Service Accounts.

  2. Click Create Service Account.

  3. (Optional) Select Super Admin to grant the service account with Super admin access to a namespace or tenant.

  4. Enter a name for the service account, and then click Confirm.

Check service account details

After you have created a service account, you can check the details of the account.

  • On the left navigation pane, click Service Accounts. The Service Accounts page displays all of the created service accounts.

The table below describes the details that you can view about the service account.

NameThe name of the service account.
Pulsar Role NameThis name displays in the Admin Role field when creating a tenant.
Key FileThe key file for the service account.
TokenThe token for the service account.
OrganizationThe organization that the service account was created in.
Create TimeThe time when the service account was created.
StatusThe status of the service account.
AdminWhether the service account has Super Admin enabled or not.
...Click the ellipsis to display the delete icon.

Get the service account key file or token

Both the key file and the token are used for authentication. Tokens are only valid for seven days. When a token expires, you need to use the key file to generate a new token for authentication. Or, you can directly use the key file for authentication.

Get a key file

To get an OAuth2 credential file of a service account through the StreamNative Console, follow these steps.

  1. On the left navigation pane, click Service Accounts.

  2. In the row of the service account you want to use, in the Key File column, click the Download icon to download the OAuth2 credential file to your local directory.

    The OAuth2 credential file should be something like this:

      "type": "SN_SERVICE_ACCOUNT",
      "client_id": "CLIENT_ID",
      "client_secret": "CLIENT_SECRET",
      "client_email": "[email protected]",
      "issuer_url": "https://auth.streamnative.cloud"

Get a token


Before using an API key, verify that the service account is authorized to access the resources, such as tenants, namespaces, and topics.

You can follow the instructions to create an API key for the service account you choose to use.

Delete a service account

To delete a service account, follow these steps.

  1. On the left navigation pane, click Service Accounts.

  2. Click the ellipsis at the end of the row of the service account you want to delete, and then select Delete.

    screenshot showing the ellipsis at the end of the service account details row

  3. On the dialog box asking, Are you sure you want to delete this service account?, click Confirm.