How to use the ServiceAccount API / ServiceAccountServiceClient
Introduction
Aruna offers the possibility to create service accounts that can be used impersonally,
e.g. by several users at the same time or by a service that communicates with Aruna via the API.
In order for a service account to be used against the API, it must be assigned a permission for a specific resource.
For security reasons, a service account can only hold this one permission at a time; the permission can, however, be adjusted afterwards.
The service account must also create at least one personal token for communication with the API;
during authorisation the token takes over the specific permission of the service account.
If the service account is also to be entrusted with the upload and download of data, S3 credentials must be requested once from each DataProxy where data is to be stored or read.
Service Account Limitations
Service accounts behave like normal user accounts with the following limitations:
The service account permission can only be set on Projects
Only one permission can be assigned at the same time
Tokens can only be created on the resource the current permission is associated with and its subresources
All service account tokens get deleted if the permission gets set to another Project
License and data class updates of resources are not allowed
Service accounts are not allowed to send requests against the following services:
EndpointService
AuthorizationService
UserService
LicenseService
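The rules listed above (one permission per service account, set on a Project; tokens only on that Project or its subresources; all tokens deleted when the permission is moved to another Project) can be checked on the client before a request is sent. The following is an added example, not code from the Aruna documentation or its client libraries: a small local model of these rules with a constructed resource hierarchy (Project > Collection > Dataset > Object). The data structures, function names and sample ids are this example's own assumptions.

```python
# Added example: local model of the service-account rules stated on this page.
# Not part of Aruna or its client libraries; hierarchy, names and ids are constructed.
from dataclasses import dataclass, field

# Constructed sample hierarchy: child resource id -> parent resource id.
# Projects are roots and therefore have no entry here.
PARENT = {
    "coll-a": "proj-1",
    "ds-a1": "coll-a",
    "obj-a1x": "ds-a1",
    "coll-b": "proj-2",
    "ds-b1": "coll-b",
}


def is_sub_resource(resource_id: str, ancestor_id: str) -> bool:
    """True if ancestor_id is resource_id itself or one of its ancestors."""
    current = resource_id
    while current is not None:
        if current == ancestor_id:
            return True
        current = PARENT.get(current)
    return False


@dataclass
class Token:
    name: str
    resource_id: str
    level: str


@dataclass
class ServiceAccount:
    """Holds exactly one permission (on a Project) and any number of tokens."""
    project_id: str
    level: str
    tokens: list = field(default_factory=list)

    def set_permission(self, project_id: str, level: str) -> int:
        """Move the single permission and return how many tokens were revoked.

        Moving to another Project deletes every existing token (stated on the page).
        Assumption of this model: changing only the level on the same Project keeps them.
        """
        revoked = 0
        if project_id != self.project_id:
            revoked = len(self.tokens)
            self.tokens = []
        self.project_id, self.level = project_id, level
        return revoked

    def create_token(self, name: str, resource_id: str, level: str) -> Token:
        """Client-side check of the token-scope rule before calling CreateServiceAccountToken:
        the target must be the permission's Project or one of its subresources."""
        if not is_sub_resource(resource_id, self.project_id):
            raise PermissionError(f"{resource_id} is not under project {self.project_id}")
        token = Token(name, resource_id, level)
        self.tokens.append(token)
        return token


if __name__ == "__main__":
    sa = ServiceAccount("proj-1", "PERMISSION_LEVEL_ADMIN")
    sa.create_token("reader", "ds-a1", "PERMISSION_LEVEL_READ")
    print("tokens before move:", len(sa.tokens))
    print("revoked on move:", sa.set_permission("proj-2", "PERMISSION_LEVEL_ADMIN"))
```

Running the model first rejects a token on `ds-b1` for an account scoped to `proj-1`, and then shows that moving the permission to `proj-2` drops the previously created tokens, which is the effect a caller should expect from the API after changing a service account's Project.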
Create service account
API examples of how to create a service account.
Required permissions
Service account creation requires at least ADMIN permissions on the specific resource.
# Native JSON request to create a service account with ADMIN permission on a Project
curl -d '
  {
    "name": "<service-account-name>",
    "projectId": "<project-id>",
    "permissionLevel": "PERMISSION_LEVEL_ADMIN"
  }' \
  -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X POST 'https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts'
// Create tonic/ArunaAPI request to create a service account with ADMIN permission on a Project
let request = CreateServiceAccountRequest {
    name: "<service-account-name>".to_string(),
    project_id: "<project-id>".to_string(),
    permission: PermissionLevel::Admin as i32,
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .create_service_account(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to create a service account with ADMIN permission on a Project
request = CreateServiceAccountRequest(
    name="<service-account-name>",
    project_id="<project-id>",
    permission=PermissionLevel.PERMISSION_LEVEL_ADMIN
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.CreateServiceAccount(request=request)

# Do something with the response
print(f'{response}')
Create service account token
API examples of how to generate a token for a service account.
Service accounts can have as many tokens as they like, but tokens are limited to resources that are registered hierarchically under the resource on which the service account's permission is set.
Required permissions
Setting the permission of a service account requires at least ADMIN permissions on the previous resource and the specified resource.
# Native JSON request to create a token with READ permissions on a dataset for a service account
curl -d '
  {
    "permission": {
      "projectId": "",
      "collectionId": "",
      "datasetId": "<dataset-id>",
      "objectId": "",
      "permissionLevel": "PERMISSION_LEVEL_READ"
    },
    "name": "<token-name>",
    "expiresAt": "2030-01-01T08:00:00.000Z"
  }' \
  -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X POST https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}/tokens
// Create tonic/ArunaAPI request to create a token with READ permissions on a dataset for a service account
let request = CreateServiceAccountTokenRequest {
    svc_account_id: "<svc-account-id>".to_string(),
    permission: Some(Permission {
        permission_level: PermissionLevel::Read as i32,
        resource_id: Some(ResourceId::DatasetId("<dataset-id>".to_string())),
    }),
    name: "<token-name>".to_string(),
    expires_at: Some(
        NaiveDate::from_ymd_opt(2030, 1, 1)
            .unwrap()
            .and_hms_opt(8, 0, 0)
            .unwrap()
            .into(),
    ),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .create_service_account_token(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
import datetime
from google.protobuf.timestamp_pb2 import Timestamp

# Create tonic/ArunaAPI request to create a token with WRITE permissions on a collection for a service account
request = CreateServiceAccountTokenRequest(
    svc_account_id="<svc-account-id>",
    permission=Permission(
        # Any subresource of the Project the service account's permission is set on is allowed here
        collection_id="<collection-id>",
        permission_level=PermissionLevel.PERMISSION_LEVEL_WRITE
    ),
    name="<token-name>",
    expires_at=Timestamp(seconds=int(datetime.datetime(2030, 1, 1).timestamp()))
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.CreateServiceAccountToken(request=request)

# Do something with the response
print(f'{response}')
Get service account token(s)
API examples of how to fetch information of one or multiple service account tokens.
Required permissions
Fetching information of service account tokens requires at least ADMIN permissions on the resource the service account has set its permission on.
# Native JSON request to fetch information of a single specific service account token
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X GET https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}/tokens/{token-id}
# Native JSON request to fetch information of all service account tokens
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X GET https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}/tokens
// Create tonic/ArunaAPI request to fetch information of a single specific service account token
let request = GetServiceAccountTokenRequest {
    svc_account_id: "<svc_account_id>".to_string(),
    token_id: "<token_id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .get_service_account_token(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
// Create tonic/ArunaAPI request to fetch information of all service account tokens
let request = GetServiceAccountTokensRequest {
    svc_account_id: "<svc_account_id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .get_service_account_tokens(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to fetch information of a single specific service account token
request = GetServiceAccountTokenRequest(
    svc_account_id="<svc-account-id>",
    token_id="<token-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.GetServiceAccountToken(request=request)

# Do something with the response
print(f'{response}')
# Create tonic/ArunaAPI request to fetch information of all service account tokens
request = GetServiceAccountTokensRequest(
    svc_account_id="<svc-account-id>",
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.GetServiceAccountTokens(request=request)

# Do something with the response
print(f'{response}')
Delete service account token(s)
API examples of how to delete one or multiple service account tokens.
Required permissions
Deletion of service account tokens requires at least ADMIN permissions on the resource the service account has set its permission on.
# Native JSON request to delete a single specific service account token
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X DELETE https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}/tokens/{token-id}
# Native JSON request to delete all service account tokens
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X DELETE https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}/tokens
// Create tonic/ArunaAPI request to delete a single specific service account token
let request = DeleteServiceAccountTokenRequest {
    svc_account_id: "<svc_account_id>".to_string(),
    token_id: "<token_id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .delete_service_account_token(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
// Create tonic/ArunaAPI request to delete all service account tokens
let request = DeleteServiceAccountTokensRequest {
    svc_account_id: "<svc_account_id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .delete_service_account_tokens(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to delete a single specific service account token
request = DeleteServiceAccountTokenRequest(
    svc_account_id="<svc-account-id>",
    token_id="<token-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.DeleteServiceAccountToken(request=request)

# Do something with the response
print(f'{response}')
# Create tonic/ArunaAPI request to delete all service account tokens
request = DeleteServiceAccountTokensRequest(
    svc_account_id="<svc-account-id>",
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.DeleteServiceAccountTokens(request=request)

# Do something with the response
print(f'{response}')
Add trusted endpoint to service account
API examples of how to add a data proxy to the trusted endpoints list of a service account.
This registers the service account at the data proxy and enables up- and downloads.
Required permissions
Adding a trusted endpoint requires at least ADMIN permissions on the resource the service account has set its permission on.
# Native JSON request to add a trusted endpoint to the service account
curl -d '
  {
    "endpointId": "<endpoint-id>"
  }' \
  -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X POST https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}/trusted_endpoints
// Create tonic/ArunaAPI request to add a trusted endpoint to the service account
let request = AddTrustedEndpointsSvcAccountRequest {
    svc_account_id: "<svc_account_id>".to_string(),
    endpoint_id: "<endpoint_id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .add_trusted_endpoints_svc_account(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to add a trusted endpoint to the service account
request = AddTrustedEndpointsSvcAccountRequest(
    svc_account_id="<svc-account-id>",
    endpoint_id="<endpoint-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.AddTrustedEndpointsSvcAccount(request=request)

# Do something with the response
print(f'{response}')
Get service account S3 credentials
API examples of how to get S3 credentials for a service account from a specific DataProxy.
Required permissions
Fetching S3 credentials requires at least ADMIN permissions on the resource the service account has set its permission on.
# Native JSON request to fetch S3 credentials for the Aruna server instance default DataProxy
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X GET https://<URL-to-Aruna-instance-API-endpoint>/v2/user/s3_credentials/{svcAccountId}/s3_credentials/{endpointId}
// Create tonic/ArunaAPI request to fetch S3 credentials for the Aruna server instance default DataProxy
let request = GetS3CredentialsSvcAccountRequest {
    svc_account_id: "<svc-account-id>".to_string(),
    endpoint_id: "".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .get_s3_credentials_svc_account(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
// Create tonic/ArunaAPI request to fetch S3 credentials for a specific DataProxy
let request = GetS3CredentialsSvcAccountRequest {
    svc_account_id: "<svc-account-id>".to_string(),
    endpoint_id: "<endpoint-id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .get_s3_credentials_svc_account(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to fetch S3 credentials for the Aruna server instance default DataProxy
request = GetS3CredentialsSvcAccountRequest(
    svc_account_id="<svc-account-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.GetS3CredentialsSvcAccount(request=request)

# Do something with the response
print(f'{response}')
# Create tonic/ArunaAPI request to fetch S3 credentials for a specific DataProxy
request = GetS3CredentialsSvcAccountRequest(
    svc_account_id="<svc-account-id>",
    endpoint_id="<endpoint-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.GetS3CredentialsSvcAccount(request=request)

# Do something with the response
print(f'{response}')
Remove service account S3 credentials
API examples of how to remove S3 credentials from a service account.
Required permissions
Removing S3 credentials requires at least ADMIN permissions on the resource the service account has set its permission on.
# Native JSON request to remove S3 credentials from a service account
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X PATCH https://<URL-to-Aruna-instance-API-endpoint>/v2/user/s3_credentials/{svcAccountId}/s3_credentials/{endpointId}/revoke
// Create tonic/ArunaAPI request to remove S3 credentials from a service account
let request = DeleteS3CredentialsSvcAccountRequest {
    svc_account_id: "<svc-account-id>".to_string(),
    endpoint_id: "<endpoint-id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .delete_s3_credentials_svc_account(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to remove S3 credentials from a service account
request = DeleteS3CredentialsSvcAccountRequest(
    svc_account_id="<svc-account-id>",
    endpoint_id="<endpoint-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.DeleteS3CredentialsSvcAccount(request=request)

# Do something with the response
print(f'{response}')
Delete service account
API examples of how to delete a service account.
Required permissions
Service account deletion requires at least ADMIN permissions on the resource the service account has set its permission on.
# Native JSON request to delete a service account
curl -H 'Authorization: Bearer <AUTH_TOKEN>' \
  -H 'Content-Type: application/json' \
  -X DELETE https://<URL-to-Aruna-instance-API-endpoint>/v2/service_accounts/{svc-account-id}
// Create tonic/ArunaAPI request to delete a service account
let request = DeleteServiceAccountRequest {
    svc_account_id: "<svc_account_id>".to_string(),
};

// Send the request to the Aruna instance gRPC endpoint
let response = self
    .service_account_client
    .delete_service_account(request)
    .await
    .unwrap()
    .into_inner();

// Do something with the response
println!("{:#?}", response);
# Create tonic/ArunaAPI request to delete a service account
request = DeleteServiceAccountRequest(
    svc_account_id="<svc-account-id>"
)

# Send the request to the Aruna instance gRPC endpoint
response = client.service_account_client.DeleteServiceAccount(request=request)

# Do something with the response
print(f'{response}')