Skip to content

Service accounts#

Viewing service accounts in Neptune workspace settings

To automate and enhance your workflow, you can create service accounts in your team workspace. This way you can have multiple API tokens or non-user tokens in your setup.

Service accounts are a special type of non-human privileged account. You can use them for automated processes, such as training pipelines and report generation, instead of maintaining user accounts for this purpose.

Why create a service account?#

Anything that is shared or automated is a good candidate for a service account. You can instantly revoke a service account's API token in the workspace settings, which helps improve the security of your setup.

Service accounts are also good for scoping permissions. They can have lower permission levels and access to only the projects they need.

What to use service accounts for

  • Your shared training/evaluation pipeline. By deactivating a service account, you ensure that its API token can no longer be used.
  • CI/CD servers that do something like validating models marked for staging.
  • Monitoring services that regularly check how models behave.

Creating a service account#

The name of a service account ends with @workspace-name.

Example: If you create a service account "report-generation" in a workspace called "ml-team", the service account name will be report-generation@ml-team.

To create a new service account:

  1. In the top-left of the Neptune app, click your workspace name to expand the settings menu.
  2. Select Service accounts to get started.
  3. If you didn't grant access to all projects at creation, assign the service account to each project it should have access to.

Note

A service account cannot access projects with "workspace" visibility. It must be explicitly assigned to a project to be able to access it.

Managing service accounts#

Workspace admins and project owners can do the following:

  • Access service account settings
  • Add a service account to a project
  • Remove a service account from a project
  • Change the service account role within a project

Only workspace admins can access and manage the Neptune API tokens of service accounts. If the service account is reactivated after being deactivated, the API token is refreshed.

Related

You can also managage service accounts through the management API.

Most of the management operations can themselves be performed by service accounts.

Limitations#

  • You can have up to 50 service accounts per workspace.
  • A service account can't access a project without being specifically assigned to it, even if the project visibility is set to "workspace".

  • Service accounts can't delete projects or have the workspace admin role. As such, service accounts cannot use the following functions from the management API:

    Otherwise, service accounts can perform project actions according to their permissions.

Related