Create a Service Account

Base URL: https://cloud.mongodb.com/api/public/v1.0

Resource

POST /orgs/{ORG-ID}/serviceAccounts

Request Path Parameters

| Name | Type | Description |
|---|---|---|
| ORG-ID | string | Unique identifier for the organization that you want to create a service account for. Use the /orgs endpoint to retrieve all organizations to which the authenticated user has access. |

Request Query Parameters

The following query parameters are optional:

| Name | Type | Description | Default |
|---|---|---|---|
| pageNum | integer | Page number (1-index based). | 1 |
| itemsPerPage | integer | Number of items to return per page, up to a maximum of 500. | 100 |
| pretty | boolean | | false |
| envelope | boolean | Indicates whether or not to wrap the response in an envelope. Some API clients cannot access the HTTP response headers or status code. To remediate this, set "envelope" : true in the query. For endpoints that return one result, the response body includes status (HTTP response code) and content (expected response body). For endpoints that return a list of results, the results object is an envelope. Cloud Manager adds the status field to the response body. | None |

Request Body Parameters

All body parameters are required.

| Name | Type | Description |
|---|---|---|
| name | string | Name of the service account. Accepted characters are A-Z, a-z, 0-9, space, period (.), apostrophe ('), comma (,), underscore (_), and dash (-). |
| description | string | Description of the service account. Must be between 1 and 250 characters in length. Accepted characters are A-Z, a-z, 0-9, space, period (.), apostrophe ('), comma (,), underscore (_), and dash (-). |
| secretExpiresAfterHours | string | Number of hours after which the secret for this service account expires. The maximum is one year (8766 hours). |
| roles | string array | List of roles that the service account should have. There must be at least one role listed, and all roles must be valid for an Organization. Organization roles include (role value in API): ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN, ORG_READ_ONLY, ORG_BILLING_READ_ONLY. |

Response

| Name | Type | Description |
|---|---|---|
| clientId | string | Unique identifier for the service account. |
| description | string | Description of the service account. Accepted characters are A-Z, a-z, 0-9, space, period (.), apostrophe ('), comma (,), underscore (_), and dash (-). |
| name | string | Name of the service account. Accepted characters are A-Z, a-z, 0-9, space, period (.), apostrophe ('), comma (,), underscore (_), and dash (-). |
| createdAt | timestamp | Service account creation time. |
| secrets | object array | List of service account secrets. |
| secrets.id | string | Unique 24-hexadecimal character string that identifies the secret. |
| secrets.secret | string | Service account secret, available only at creation. |
| secrets.maskedSecretValue | string | Masked secret that only displays the prefix and last four characters. |
| secrets.createdAt | timestamp | Timestamp representing secret creation time. |
| secrets.lastUsedAt | timestamp | Timestamp representing last secret usage. |
| secrets.expiresAt | timestamp | Timestamp representing secret expiration time. |
| roles | object array | Roles that the service account has in the organization. Organization roles include: |

Example Request

Note

The user who makes the request can be formatted as {PUBLIC-KEY}:{PRIVATE-KEY}.

```sh
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request POST "https://cloud.mongodb.com/api/public/v1.0/orgs/{ORG-ID}/serviceAccounts?pretty=true" \
     --data '{
       "name": "Billing",
       "description": "Service account for users in finance.",
       "secretExpiresAfterHours": 3600,
       "roles": ["ORG_MEMBER", "ORG_BILLING_ADMIN"]
     }'
```

Example Response

Response Header

```
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=ISO-8859-1
Date: {dateInUnixFormat}
WWW-Authenticate: Digest realm="MMS Public API", domain="", nonce="{nonce}", algorithm=MD5, op="auth", stale=false
Content-Length: {requestLengthInBytes}
Connection: keep-alive
```

```
HTTP/1.1 201 Created
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Connection: keep-alive
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
```

Response Body

Note

The secret is unredacted in the response body. This example is redacted for security purposes.

```json
{
  "createdAt" : "2024-08-02T18:07:25Z",
  "description" : "Service account for users in finance.",
  "clientId" : "mdb_sa_id_66ad205d181fc82b21b336e3",
  "name" : "Billing",
  "roles" : [ "ORG_MEMBER", "ORG_BILLING_ADMIN" ],
  "secrets" : [ {
    "createdAt" : "2024-08-02T18:07:25Z",
    "expiresAt" : "2024-12-30T18:07:24Z",
    "id" : "66ad205d181fc82b21b336e2",
    "secret" : "mdb_sa_sk_***********************************3Yylw"
  } ]
}
```
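The following Python code is an added example, not part of the Cloud Manager documentation. It checks a request body against the limits given in the body-parameter descriptions before the request is sent, and masks secrets[].secret before a 201 response body is logged, because that field arrives unredacted and is available only at creation. The function names, the lower bound of 1 hour, and the handling of the mdb_sa_sk_ prefix (taken from the example response) are assumptions of this example.

```python
import copy
import re

# Limits below come from the body-parameter descriptions on this page.
ACCEPTED = re.compile(r"[A-Za-z0-9 .',_-]+")
ORG_ROLES = {"ORG_OWNER", "ORG_MEMBER", "ORG_GROUP_CREATOR",
             "ORG_BILLING_ADMIN", "ORG_READ_ONLY", "ORG_BILLING_READ_ONLY"}
MAX_SECRET_HOURS = 8766       # one year
SECRET_PREFIX = "mdb_sa_sk_"  # assumption: prefix seen in the example response


def validate_request(body):
    """Return a list of problems found in a create-service-account body."""
    required = ("name", "description", "secretExpiresAfterHours", "roles")
    errors = [f"{f}: required" for f in required if f not in body]
    for field in ("name", "description"):
        value = body.get(field)
        if field in body and not (isinstance(value, str) and ACCEPTED.fullmatch(value)):
            errors.append(f"{field}: empty or has characters outside the accepted set")
    if isinstance(body.get("description"), str) and len(body["description"]) > 250:
        errors.append("description: longer than 250 characters")
    if "secretExpiresAfterHours" in body:
        try:  # the table says string, the example request sends a number: accept both
            hours = int(body["secretExpiresAfterHours"])
        except (TypeError, ValueError):
            hours = 0
        if not 1 <= hours <= MAX_SECRET_HOURS:  # lower bound of 1 is an assumption
            errors.append(f"secretExpiresAfterHours: must be 1..{MAX_SECRET_HOURS}")
    roles = body.get("roles")
    if "roles" in body and (not isinstance(roles, list) or not roles):
        errors.append("roles: at least one role is required")
    elif roles:
        errors += [f"roles: {r!r} is not an organization role" for r in roles
                   if not isinstance(r, str) or r not in ORG_ROLES]
    return errors


def redact_for_logging(response):
    """Copy a 201 response body with every secrets[].secret masked."""
    safe = copy.deepcopy(response)
    for item in safe.get("secrets", []):
        secret = item.get("secret")
        if isinstance(secret, str):
            keep = len(SECRET_PREFIX) if secret.startswith(SECRET_PREFIX) else 0
            tail = secret[-4:] if len(secret) - keep > 4 else ""
            hidden = len(secret) - keep - len(tail)
            item["secret"] = secret[:keep] + "*" * hidden + tail
    return safe
```

Write the unmasked secret straight to a secret store when the 201 arrives, and pass only the output of redact_for_logging to logs or tickets.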
