Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

how do you create a service account

Deleted user Sep 05, 2018

Newbie to cloud version.

How do I create an account that the API can access?

Thanks in advance!

Steve

5 answers

1 accepted

1 vote
Answer accepted
Shannon Atlassian Team Sep 05, 2018

Hi Steve,

API uses a user account from the instance, so any Jira user that has permissions to accomplish what you require is fine to use.

In addition, we have the ability to use API tokens in Cloud, which is something that Jira Server doesn't have.

With this, you can generate a token from your login, and use that to authenticate API.

Let me know if you have any questions.

Regards,

Shannon

Good morning Shannon,

We want to protect against the possibility of our admin hitting the lottery and leaving for a permanent vacation and having all API keys he/she generated become deprecated when we offboard him/her.

Does this mean we'd have to make a separate account, give it admin access and then generate the API key? Ideally we'd like to not consume a license to generate keys, just wanted to know if there was a way around this.

Shannon Atlassian Team May 01, 2019

Hi Jonathan,

Great question! Thank you for reaching out.

As you suspected, the token is tied to the user's account. So if you disable that user in Jira in order to free up the license, then the tokens will no longer be able to be used.

In that case, you will indeed want to have your new admin generate new tokens, and you can update your API calls to use the new token. The user who generates the token does need to be tied to a license in order for it to work. There is not a way around this.

I hope that clarifies things for you! Let me know if you have any further concerns.

Regards,

Shannon

Like Morgan Morgan likes this

Hi,

It occurs to me that this solution is a potential security risk,

Let's say I have repositories A and B, repository A is open to my coworker John but not repository B.

I setup repository A's pipeline with variables UPLOAD_ACCOUNT and UPLOAD _PASSWORD pointing to my account and an app password with only read and write permissions (as required per bitbucket-upload-file for example)

John can now access repository B of which he does not have access, by pushing a clever bitbucket-pipelines.yaml to repository A, that takes advantage of UPLOAD_ACCOUNT and UPLOAD _PASSWORD to fetch repository B with my credentials (and upload it to my competitors, on my own pipeline bill!, damn you John, freaking corporate spy!)

This is possible because app passwords are not limited to a subset of repositories I own, with one app password you can access all my repos.

In that case I could create a user that can only have access to the repo I want to automate, but when I have 5 repos that need to be exclusive from each-other I then need 5 accounts, which -not regarding the cost on my plan- are a pain to manage as they are "real people" with real Atlassian accounts.

 

In short, I would not advise people to include app passwords in pipelines.

Like # people like this

Sorry, but I don't see how the current setup solves the issue with establishing stable integration in case if user leaves organization. Why we need to use actual user account to configure an integration for the company? Why service account can't be created just for the integration purposes ?

Shannon Atlassian Team May 24, 2019

Hello Igor,

Thank you for the feedback.

Creating an API token requires a specific user to do it because the token will then be based on their permissions in Jira. This is for security reasons. You can still create an account on Jira to JUST connect to the API and create a token with that.

Let me know if you have any questions about that!

Regards,

Shannon

I was wondering if there is a way to differentiate accounts created towards integrations and not to count them towards the paid number of user seats.

Shannon Atlassian Team May 27, 2019

Igor,

Thank you for following up.

You need to have a license on the account in order for it to interact with Confluence's data in any way, including via API. There is unfortunately no way around this.

Thank you for your understanding!

Regards,

Shannon

I have a use case for this as well, a service account would be helpful and to not take up a user seat.  Actually, I would prefer to create to service keys one for my dev environment and one for production. 

Can I create one dedicated Jira user account to be used for all integrations that requiere the same privilege access? ex. Say I need to integrate Jira with Jenkins as well as with GitHub... can I use the same Jira service account? My next question is... can a single jira service account be assigned more then one token? or one token per account and per integration regardless of privileges needed?

 

Lastly,

 

What Atlassian recommends as best practices to set up app integration with its products, and how to manage the service accounts to create, maintain, and eventually decomission this accounts and integrations?

Good question. I'd also like to know the answers for this.

What admin role should the service account possess? i.e (product, site, organization) 

Shannon Atlassian Team Nov 06, 2019

Hello @Dan.anas,

Thank you for following-up here. This entirely depends on what functionality you need that account to have.

For example:

  1. If you need them to be a basic Jira user, then they need to be a licensed Jira user.
  2. If they need to administer Jira via the REST-API (i.e. tasks you've permitted only admins to do) they need to be a Jira administrator.
  3. If you need them to also administer users then they need to be a site admin.

I hope that's clear! Let me know if you have any further questions.

Regards,

Shannon

Hi @Shannon ,

 

To make sure I understand, I can do the following...

1. Create a Jira Cloud user API_Service123@mycompany.com with Jira-User, Jira-Software-User permissions.

2. Generate an API token

3. Give my API Developer the credentials- API_Service123@mycompany.com and API token (password)

4. Done?

I am looking for answers to above questions @[deleted]  can you please address, Thanks in advance 

Shannon Atlassian Team Aug 03, 2021

@Varun kumar thupakula @JRodney Estrada 

Apologies, I didn't see your reply to this question since it's a few years old.

That's correct - you can use the procedure from our developer site:

Basic auth for REST APIs 

If you have any trouble, please raise a new question, so it doesn't get overlooked.

Thank you!

Shannon

0 votes
Deleted user Sep 05, 2018

Thank you so much!!!!

Shannon Atlassian Team Sep 06, 2018

You're welcome, happy to help!

Shannon

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you