Service Accounts

A service account is used to provide the credentials needed for generating an access token. You also assign roles to service accounts to identify what API actions they can take.

Before you create a service account, you must have created at least one TSG. The service account is added as a user to that TSG.

There are two ways to create a service account:

• By using the Prisma SASE Platform user interface.

  To do this, follow the procedure described in Add a Service Account through the Prisma SASE Platform.

• By using the Identity and Access Management APIs.

  To create a service account using the Identity and Access Management API, you must have already created at least one service account using the User Interface, and then obtained an access token for that account.

  To create a service account using the Identity and Access Management API, use the create a Service Account API. The Client ID and Client Secret for this account is returned in the response payload:

    {
    "id": "xxxxxxxxxxxxxxxxxxxxx",
    "name": "xxxxxxxxxx",
    "tsg_id": "1111111111",
    "contact_email": "user@example.com",
    "identity_email": "xxxxxxxxxx@1111111111.iam.panServiceAccounts.com",
    "description": "Some descriptive text",
    "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxx"
    }

  Be aware that the new service account is created within the tenant service group (TSG) that is identified in the access token used on the request to create the service account. If you don't want to use your root TSG for this purpose, create a new TSG before you create your service account.

Regardless of the method that you use to create a service account, be sure to record the Client Secret because you can't get it again after the account has been created.