how do you create a service account

Deleted user September 5, 2018

Newbie to cloud version.

How do I create an account that the API can access?

Thanks in advance!

Steve

5 answers

1 accepted

1 vote
Answer accepted
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 5, 2018

Hi Steve,

API uses a user account from the instance, so any Jira user that has permissions to accomplish what you require is fine to use.

In addition, we have the ability to use API tokens in Cloud, which is something that Jira Server doesn't have.

With this, you can generate a token from your login, and use that to authenticate API.

Let me know if you have any questions.

Regards,

Shannon

Jonathan Do May 1, 2019

Good morning Shannon,

We want to protect against the possibility of our admin hitting the lottery and leaving for a permanent vacation and having all API keys he/she generated become deprecated when we offboard him/her.

Does this mean we'd have to make a separate account, give it admin access and then generate the API key? Ideally we'd like to not consume a license to generate keys, just wanted to know if there was a way around this.

Like # people like this
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 1, 2019

Hi Jonathan,

Great question! Thank you for reaching out.

As you suspected, the token is tied to the user's account. So if you disable that user in Jira in order to free up the license, then the tokens will no longer be able to be used.

In that case, you will indeed want to have your new admin generate new tokens, and you can update your API calls to use the new token. The user who generates the token does need to be tied to a license in order for it to work. There is not a way around this.

I hope that clarifies things for you! Let me know if you have any further concerns.

Regards,

Shannon

Like # people like this
Deleted user February 18, 2020

Hi,

It occurs to me that this solution is a potential security risk,

Let's say I have repositories A and B, repository A is open to my coworker John but not repository B.

I setup repository A's pipeline with variables UPLOAD_ACCOUNT and UPLOAD _PASSWORD pointing to my account and an app password with only read and write permissions (as required per bitbucket-upload-file for example)

John can now access repository B of which he does not have access, by pushing a clever bitbucket-pipelines.yaml to repository A, that takes advantage of UPLOAD_ACCOUNT and UPLOAD _PASSWORD to fetch repository B with my credentials (and upload it to my competitors, on my own pipeline bill!, damn you John, freaking corporate spy!)

This is possible because app passwords are not limited to a subset of repositories I own, with one app password you can access all my repos.

In that case I could create a user that can only have access to the repo I want to automate, but when I have 5 repos that need to be exclusive from each-other I then need 5 accounts, which -not regarding the cost on my plan- are a pain to manage as they are "real people" with real Atlassian accounts.

 

In short, I would not advise people to include app passwords in pipelines.

Like # people like this
Jeff Shepherd February 16, 2023

This! So very much this!

Even if "John" is not uploading data to another company, the actions taken are on Renaud's credentials, yet it was "John" that performed the task.

This action alone violates SOC2 Type 2 compliance in that we have to be able to report who did what and when it was done.  In this case "John" did an action, but the paper trail points to Renaud.

Not good at all.

Like # people like this
Michael Ferioli February 27, 2024

So, in true Atlassian style, yes you can have a service account but you'll need to pay for it like a normal user.  SMH

2 votes
Igor Kosoy May 23, 2019

Sorry, but I don't see how the current setup solves the issue with establishing stable integration in case if user leaves organization. Why we need to use actual user account to configure an integration for the company? Why service account can't be created just for the integration purposes ?

Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 24, 2019

Hello Igor,

Thank you for the feedback.

Creating an API token requires a specific user to do it because the token will then be based on their permissions in Jira. This is for security reasons. You can still create an account on Jira to JUST connect to the API and create a token with that.

Let me know if you have any questions about that!

Regards,

Shannon

Igor Kosoy May 24, 2019

I was wondering if there is a way to differentiate accounts created towards integrations and not to count them towards the paid number of user seats.

Like # people like this
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 27, 2019

Igor,

Thank you for following up.

You need to have a license on the account in order for it to interact with Confluence's data in any way, including via API. There is unfortunately no way around this.

Thank you for your understanding!

Regards,

Shannon

Kevin McVey October 7, 2021

I have a use case for this as well, a service account would be helpful and to not take up a user seat.  Actually, I would prefer to create to service keys one for my dev environment and one for production. 

Like # people like this
1 vote
Yael Holland November 12, 2020

Can I create one dedicated Jira user account to be used for all integrations that requiere the same privilege access? ex. Say I need to integrate Jira with Jenkins as well as with GitHub... can I use the same Jira service account? My next question is... can a single jira service account be assigned more then one token? or one token per account and per integration regardless of privileges needed?

 

Lastly,

 

What Atlassian recommends as best practices to set up app integration with its products, and how to manage the service accounts to create, maintain, and eventually decomission this accounts and integrations?

Rajitha Karunaratne February 3, 2021

Good question. I'd also like to know the answers for this.

0 votes
Dan.anas November 1, 2019

What admin role should the service account possess? i.e (product, site, organization) 

Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 6, 2019

Hello @Dan.anas,

Thank you for following-up here. This entirely depends on what functionality you need that account to have.

For example:

  1. If you need them to be a basic Jira user, then they need to be a licensed Jira user.
  2. If they need to administer Jira via the REST-API (i.e. tasks you've permitted only admins to do) they need to be a Jira administrator.
  3. If you need them to also administer users then they need to be a site admin.

I hope that's clear! Let me know if you have any further questions.

Regards,

Shannon

JRodney Estrada January 14, 2021

Hi @Shannon S ,

 

To make sure I understand, I can do the following...

1. Create a Jira Cloud user API_Service123@mycompany.com with Jira-User, Jira-Software-User permissions.

2. Generate an API token

3. Give my API Developer the credentials- API_Service123@mycompany.com and API token (password)

4. Done?

Varun kumar thupakula August 2, 2021

I am looking for answers to above questions @[deleted]  can you please address, Thanks in advance 

Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 3, 2021

@Varun kumar thupakula @JRodney Estrada 

Apologies, I didn't see your reply to this question since it's a few years old.

That's correct - you can use the procedure from our developer site:

Basic auth for REST APIs 

If you have any trouble, please raise a new question, so it doesn't get overlooked.

Thank you!

Shannon

0 votes
Deleted user September 5, 2018

Thank you so much!!!!

Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 6, 2018

You're welcome, happy to help!

Shannon

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events