# Service Accounts

When using a dedicated security account for pipeline access, you must make it available to the pipelines.

## DuploCloud Service Account

To call the DuploCloud API from a job, obtain an [API token](/docs/automation-platform/access-control/api-and-session-management/api-tokens.md). A good naming convention is to name the service account after the brand: `github` for GitHub, or `gitlab` for GitLab.

1. [Create a Service Account user in DuploCloud](/docs/automation-platform/access-control/user-access-and-permissions/add-edit-or-delete-a-user.md). Service Account users are usernames that are not an email address, such as `github-bot` or `my-api-user`. These users do not log in, but their account owns the API token.
2. Give the DuploCloud user access to the desired Tenant. See [adding Tenant access for a user](/docs/automation-platform/access-control/user-access-and-permissions/tenant-access.md#adding-tenant-access-for-a-user). You could give admin permissions as well.
3. Create an API token for that user. See [creating API Tokens](/docs/automation-platform/access-control/api-and-session-management/api-tokens.md).
4. Add the following repository variables/secrets to the CI/CD environment.
   * `DUPLO_HOST`: The full URL of the DuploCloud portal
   * `DUPLO_TOKEN`: The API token from step 3

## AWS IAM Role

DuploCloud uses AWS STS to provide credentials during a CI/CD workflow, so no extra steps are needed. The running job assumes the IAM role associated with the Tenant using the DuploCloud credentials.

## GCP Service Account

1. [Navigate to obtain GCP credentials](https://console.cloud.google.com/apis/credentials).
2. Select the project.
3. [Create a Service Account](https://cloud.google.com/iam/docs/service-accounts-create).
4. [Create a key for the Service Account and download the JSON credentials for use in CI/CD Jobs.](https://developers.google.com/workspace/guides/create-credentials#service-account)
5. In your CI/CD tool, you will save the following two variables. Navigate to the
   1. Create a Secret named `CLOUD_CREDENTIALS` with the contents pasted from the JSON credentials you downloaded from the Service Account.
   2. Create a Variable named `CLOUD_ACCOUNT` with the Project ID or Name from GCP.

The JSON Credentials file you download has the following content:

{% code title="GCP JSON Credentials file" %}

```json
{
  "type": "service_account",
  "project_id": "<project-id>",
  "private_key_id": "<private-key-id>",
  "private_key": "<private-key>",
  "client_email": "<client-email>",
  "client_id": "<client-id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "<client-x509-cert-url>"
}
```

{% endcode %}

## Azure Security Account

Create an Azure Security Account with needed permissions in Azure Entra ID.

The JSON Credential file has the following content:

{% code title="Azure JSON Credentials file" %}

```json
{
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "subscriptionId": "<subscription-id>",
  "tenantId": "<tenant-id>"
}
```

{% endcode %}

Within your CI/CD tool create the following variables.

* Create a Secret named `CLOUD_CREDENTIALS` with the contents pasted from the JSON credentials you downloaded from the service account.
* Create a Variable named `CLOUD_ACCOUNT` with the directory name for Azure.

## Configure CI/CD Variables

Configure the variables mentioned in the steps above for your specific vendor.
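
A pre-flight check a pipeline job could run before deploying, added here as an example and not DuploCloud's own code: it confirms the variables named above are present and that `CLOUD_CREDENTIALS` matches one of the two JSON layouts shown, reporting key names only so no secret value reaches the job log. The function names and the requirement that `DUPLO_HOST` use `https` are assumptions of this example.

```python
import json
import os
from urllib.parse import urlparse

# Key names come from the two credential layouts shown on this page.
GCP_KEYS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
AZURE_KEYS = {"clientId", "clientSecret", "subscriptionId", "tenantId"}


def check_credentials(raw):
    """Return (provider, problems). Messages name keys only, never values."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None, ["CLOUD_CREDENTIALS is not valid JSON"]
    if isinstance(doc, dict) and doc.get("type") == "service_account":
        provider, required = "gcp", GCP_KEYS
    elif isinstance(doc, dict) and AZURE_KEYS & doc.keys():
        provider, required = "azure", AZURE_KEYS
    else:
        return None, ["CLOUD_CREDENTIALS matches neither the GCP nor the Azure layout"]
    problems = []
    for key in sorted(required):
        value = doc.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still holds a template placeholder")
    return provider, problems


def check_env(env):
    """Validate the CI/CD variables named on this page; return a list of problems."""
    problems = []
    host = urlparse(env.get("DUPLO_HOST", ""))
    if host.scheme != "https" or not host.netloc:  # https is this example's assumption
        problems.append("DUPLO_HOST must be a full https:// URL")
    if not env.get("DUPLO_TOKEN"):
        problems.append("DUPLO_TOKEN is not set")
    raw = env.get("CLOUD_CREDENTIALS")
    if raw:  # not needed on AWS, where the job gets STS credentials
        problems += check_credentials(raw)[1]
        if not env.get("CLOUD_ACCOUNT"):
            problems.append("CLOUD_ACCOUNT is not set")
    return problems


if __name__ == "__main__":
    found = check_env(os.environ)
    raise SystemExit("\n".join(found) if found else 0)
```
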

<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="/pages/4JY1wNZ6RndNMqKRVN0b"><strong>GitHub Actions</strong></a></td><td>Documentation guides for getting started using CI/CD with GitHub Actions</td><td><a href="/pages/4JY1wNZ6RndNMqKRVN0b">/pages/4JY1wNZ6RndNMqKRVN0b</a></td></tr><tr><td><a href="/pages/laLlCsFB7Q7LXJ5Abgw6"><strong>CircleCI</strong></a></td><td>Documentation guides for getting started using CI/CD with CircleCI</td><td><a href="/pages/laLlCsFB7Q7LXJ5Abgw6">/pages/laLlCsFB7Q7LXJ5Abgw6</a></td></tr><tr><td><a href="/pages/89UCOKaWtJo4iPLg1EDP"><strong>GitLab CI/CD</strong></a></td><td>Documentation guides for getting started using CI/CD with GitLab CI/CD</td><td><a href="/pages/89UCOKaWtJo4iPLg1EDP">/pages/89UCOKaWtJo4iPLg1EDP</a></td></tr><tr><td><a href="/pages/3ENSEObzAtmUzzfckJEY"><strong>BitBucket Pipelines</strong></a></td><td>Documentation guides for getting started with BitBucket Pipelines</td><td></td></tr><tr><td><a href="/pages/L3g7KUsHdlMVnFYHbu5J"><strong>Azure DevOps</strong></a></td><td>Documentation guides for getting started with Azure DevOps</td><td></td></tr><tr><td><a href="/pages/tSkJJ1kNCnMFIKRz1pzW"><strong>Katkit</strong></a></td><td>Documentation guides for getting started using CI/CD with Katkit</td><td><a href="/pages/tSkJJ1kNCnMFIKRz1pzW">/pages/tSkJJ1kNCnMFIKRz1pzW</a></td></tr></tbody></table>


