PingOne Privilege

Managing service accounts

Service accounts are identities for non-human users, such as scripts, applications, or automation workloads, that need programmatic access to resources. Instead of using static, long-lived keys, PingOne Privilege allows you to issue just-in-time (JIT) credentials for service accounts, significantly improving security.

Creating a service account

  1. In the PingOne Privilege admin console, go to Directory > Service Accounts.

  2. Click Add Service Account.

  3. Click the icon for your target cloud provider (AWS, GCP, or Azure).

    • For Amazon Web Services (AWS), configure the following fields:

      • User Name: A unique name for the service account user in AWS.

      • Account: The onboarded AWS account where the service account will be created.

      • Credentials Passphrase: A passphrase used to encrypt the downloaded credentials.

    • For GCP, configure the following fields:

      • Name: A descriptive name for the service account.

      • Description: An optional description for the service account.

      • Project: The onboarded GCP project where the service account will be created.

      • Credentials Passphrase: A passphrase used to encrypt the downloaded credentials.

    • For Azure, configure the following fields:

      • User Name: A unique name for the service account user in Azure.

      • Account: The onboarded Azure account where the service account will be created.

      • Credentials Passphrase: A passphrase used to encrypt the downloaded credentials.

  4. Click Add Service Account.

After you create a service account, you must assign permissions to it before you can use it.

Once the policy is approved and active, the service account owner can sign in to the self-service portal, select the service account, and generate credentials. The owner can then download or copy the access keys for use in their application or script, decrypting them with the passphrase set when the service account was created.
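The point of JIT credentials is only realised if the consuming application treats them as short-lived. The following Python module is an added example and not PingOne Privilege code: it assumes that, after the downloaded bundle has been decrypted with the passphrase, the application holds a record with an access key id, a secret, a creation time and an expiry (the real bundle layout is not described on this page and is a constructed assumption). It refuses to start work on expired or nearly expired credentials and includes an audit helper that flags static keys that should be replaced with JIT ones.

```python
"""Consumer-side hygiene for just-in-time (JIT) service-account credentials.

Added example, not PingOne Privilege code. The Credential record below is a
constructed assumption about what the decrypted bundle contains; the actual
download format is product-specific and not shown here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Credential:
    access_key_id: str
    secret: str
    created_at: datetime
    expires_at: Optional[datetime]  # None marks a static, long-lived key

    @property
    def is_jit(self) -> bool:
        return self.expires_at is not None


class CredentialError(Exception):
    """Raised when a credential must not be used."""


def load_for_use(cred: Credential, now: datetime,
                 min_remaining: timedelta = timedelta(minutes=5)) -> Credential:
    """Return the credential only if it is safe to start work with it.

    Static keys are rejected outright (the page's recommendation is to use JIT
    credentials instead), expired keys are rejected, and keys that expire
    within `min_remaining` are rejected so a job does not lose access mid-task.
    """
    if cred.expires_at is None:
        raise CredentialError(f"{cred.access_key_id}: static key; request JIT credentials instead")
    if cred.expires_at <= now:
        raise CredentialError(f"{cred.access_key_id}: expired at {cred.expires_at.isoformat()}")
    if cred.expires_at - now < min_remaining:
        raise CredentialError(f"{cred.access_key_id}: less than {min_remaining} of validity left")
    return cred


def audit_credentials(creds: Iterable[Credential], now: datetime,
                      max_static_age: timedelta = timedelta(days=90)) -> List[str]:
    """Return one finding per credential that needs attention.

    Findings cover static keys older than `max_static_age` (rotate or replace
    with JIT) and JIT keys that have expired but are still present in the
    store (stale material that should be deleted).
    """
    findings: List[str] = []
    for c in creds:
        if not c.is_jit:
            if now - c.created_at > max_static_age:
                findings.append(f"{c.access_key_id}: static key older than {max_static_age.days} days")
        elif c.expires_at is not None and c.expires_at <= now:
            findings.append(f"{c.access_key_id}: expired JIT credential still present")
    return findings


# Constructed sample data; the ids and secrets are placeholders, not real keys.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CREDS = [
    Credential("EXAMPLE_JIT_OK", "placeholder-secret",
               datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc),
               datetime(2024, 6, 1, 13, 0, tzinfo=timezone.utc)),
    Credential("EXAMPLE_JIT_SOON", "placeholder-secret",
               datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc),
               datetime(2024, 6, 1, 12, 3, tzinfo=timezone.utc)),
    Credential("EXAMPLE_JIT_EXPIRED", "placeholder-secret",
               datetime(2024, 5, 30, 9, 0, tzinfo=timezone.utc),
               datetime(2024, 5, 30, 11, 0, tzinfo=timezone.utc)),
    Credential("EXAMPLE_STATIC_OLD", "placeholder-secret",
               datetime(2024, 1, 1, tzinfo=timezone.utc), None),
    Credential("EXAMPLE_STATIC_RECENT", "placeholder-secret",
               datetime(2024, 5, 15, tzinfo=timezone.utc), None),
]


def run_sample() -> List[str]:
    """Run the audit over the constructed sample at the fixed sample time."""
    return audit_credentials(SAMPLE_CREDS, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In a real deployment the `now` argument would be the current UTC time; it is passed explicitly here so the checks are deterministic and testable. The audit helper is the kind of check worth running periodically over whatever inventory of service-account keys the organisation keeps, since static keys that never expire are exactly what the JIT model is meant to eliminate.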