# Creating a Service Account

## Overview

We will here create a new a new Service Account using either DT Studio or our REST API. Once created, the Service Account is granted membership in the project and provided it a role. Then, a new Key Pair is generated as credentials for interacting with the REST API.

## Prerequisites

* **Service Account**\
  Creating, deleting, and interacting with Service Accounts require that your User or existing [Service Account](https://docs.developer.disruptive-technologies.com/service-accounts/introduction-to-service-accounts) has been granted the [role](https://docs.developer.disruptive-technologies.com/managing-access-rights#roles-and-permissions) of Project Administrator or higher.

## New Service Account

The project our new Service Account is created in becomes the owning project. However, this does not provide rights in said project, which must be explicitly granted after creation.

{% tabs %}
{% tab title="DT Studio" %}
In [DT Studio](https://studio.disruptive-technologies.com/), navigate to your Project. In the left menu, locate **Service Accounts** and press **Create new Service Account**. Give it a name and click **Add**.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MT5kdPtU5-YgUXFlbtF%2F-MT5ksj0L9qk_aZRM3sP%2Fcreate-new-sa.png?alt=media\&token=43eb12e8-c99f-4614-b478-898472fdd1fa)
{% endtab %}

{% tab title="REST API" %}
Send a **POST** request to:

`https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts`

A request body is not required and will result in a default configuration. A list of all available parameters can be found in our [REST API Reference](https://developer.disruptive-technologies.com/api).

#### Example Usage

Using cURL with a Service Account for authentication, the following example creates a new Service Account with a given name and [Basic Auth](https://docs.developer.disruptive-technologies.com/authentication) enabled.

```bash
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"displayName": "my-new-service-account", "enableBasicAuth": true}'
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), a new Service Account can be created by calling the following resource method.

* [disruptive.ServiceAccount.create\_service\_account()](https://developer.disruptive-technologies.com/api/libraries/python/resources/service_account.html#create-service-account)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example creates a new Service Account with a given name and [Basic Auth](https://docs.developer.disruptive-technologies.com/authentication) enabled.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Create a new Service Account in the specified project.
new_sa = dt.ServiceAccount.create_service_account(
    project_id='<PROJECT_ID>',
    display_name='my-new-service-account',
    basic_auth_enabled=True,
)

# Print the newly created Service Account.
print(new_sa)
```

{% endtab %}
{% endtabs %}

## New Project Membership

Your new Service Account is now active but does not have permissions in any projects. We will now give it membership in the project, including a role and other configurations.

{% tabs %}
{% tab title="DT Studio" %}
Click on your new Service Account. This will take you to the configuration page, where the following details are presented. Edit as desired.

* **Service Account Email**\
  An automatically generated email is used for both authentication and access rights management in other projects and organizations. This can not be edited.
* **Role in the current project**\
  Controls which permissions are granted in the current project. You can find a list of all permissions per role on our [Managing Access Rights](https://docs.developer.disruptive-technologies.com/managing-access-rights#roles-and-permissions) page.
* **Enable Basic Auth**\
  The simplest method for authenticating the REST API. While we recommend using an [OAuth2 flow](https://docs.developer.disruptive-technologies.com/authentication/oauth2), Basic Auth can be handy for quick prototyping and single calls.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MT5kdPtU5-YgUXFlbtF%2F-MT5lFGMql8O3p8Su8km%2Fmy-new-sa.png?alt=media\&token=2120a3f3-815c-43c4-87ae-ab5ecde95ef3)
{% endtab %}

{% tab title="REST API" %}
Send a **POST** request to:

`https://api.d21s.com/v2/projects/<PROJECT_ID>/members`

A request body with the following parameters is required.

```javascript
{
    "roles": [
        "roles/<ROLE>"
        // See [Managing Access Rights] for a list of all roles.
    ],
    "email": "<SERVICE_ACCOUNT_EMAIL>"
}
```

A list of all available parameters can be found in our [REST API Reference](https://developer.disruptive-technologies.com/api).

#### Example Usage

Using cURL with a Service Account for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.&#x20;

```bash
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/members" \
    -u "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>" \
    -d '{"roles": ["roles/project.developer"], "email": "<SERVICE_ACCOUNT_EMAIL>"}'
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), a Service Account can be granted a project role by calling the following resource method.

* [disruptive.Project.add\_member()](https://developer.disruptive-technologies.com/api/libraries/python/resources/project.html#project-add-member)

The same call exists for an organization under [disruptive.Organization.add\_member()](https://developer.disruptive-technologies.com/api/libraries/python/resources/organization.html#org-add-member).

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example grants the role of Project Developer to a Service Account specified by its email.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Grant Service Account membership in the specified project.
member = dt.Project.add_member(
    project_id='<PROJECT_ID>',
    email='<SERVICE_ACCOUNT_EMAIL>',
    roles=[dt.Role.PROJECT_DEVELOPER],
)

# Print the updated member.
print(member)
```

{% endtab %}
{% endtabs %}

## Generating Keys

The last step is to create a key. Remember that while the generated Key ID will always be listed under your Service Account, **the secret will be shown only once, so make sure to write it down**.

{% tabs %}
{% tab title="DT Studio" %}
On your Service Account configuration page, click **Create New** next to **Active Keys**. The pop-up dialog contains the newly created Key ID and secret.

![](https://3704330445-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MR5PbKbz-q3w3qIO6MH%2F-MT5kdPtU5-YgUXFlbtF%2F-MT5lWtq2KorGgs0Th7i%2Fsa-key-pair.png?alt=media\&token=458aec57-aedf-49c3-8376-07c582d3803d)
{% endtab %}

{% tab title="REST API" %}
Send a **POST** request to:

`https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT>/keys`

No request body should be provided will the request. However, the response contains both the Key ID and secret. Remember to write the secret down.

```javascript
{
  "key": {
    "name": "projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys/<KEY_ID>",
    "id": "<KEY_ID>",
    "createTime": "2021-02-16T11:09:16.240828Z"
  },
  "secret": "<SECRET>"
}
```

#### Example Usage

Using cURL with a Service Account for authentication, the following example generates a new key for the specified Service Account.

```bash
curl -X POST "https://api.d21s.com/v2/projects/<PROJECT_ID>/serviceaccounts/<SERVICE_ACCOUNT_ID>/keys" \
    --user "<SERVICE_ACCOUNT_KEY_ID>":"<SERVICE_ACCOUNT_SECRET>"
```

{% endtab %}

{% tab title="Python API" %}
Once the package is installed and authenticated as described in the [Python API Reference](https://developer.disruptive-technologies.com/api/libraries/python/index.html), a new key can be created by calling the following resource method.

* [disruptive.ServiceAccount.create\_key()](https://developer.disruptive-technologies.com/api/libraries/python/resources/service_account.html#create-key)

#### Example Usage

Using our Python API with Service Account credentials for authentication, the following example generates a new key for the specified Service Account.

```python
import disruptive as dt

# Authenticate the package using Service Account credentials.
dt.default_auth = dt.Auth.service_account(
    key_id='<SERVICE_ACCOUNT_KEY_ID>',
    secret='<SERVICE_ACCOUNT_SECRET>',
    email='<SERVICE_ACCOUNT_EMAIL>',
)

# Create a new key for the specified Service Account.
key = dt.ServiceAccount.create_key(
    service_account_id='<SERVICE_ACCOUNT_ID>',
    project_id='<PROJECT_ID>'
)

# Print the newly created Service Account key.
print(key)
```

{% endtab %}
{% endtabs %}

## Using Your Service Account

The Service Account creation is now complete, and you may use it as desired.

* [Manage Access Rights in your organization](https://docs.developer.disruptive-technologies.com/service-accounts/managing-access-rights).
* [Explore the REST API using cURL](https://docs.developer.disruptive-technologies.com/explore-our-rest-api/with-curl).
* [Authenticate the REST API with OAuth2](https://docs.developer.disruptive-technologies.com/authentication/oauth2).