- List service account users
- Create a service account user
- Delete a service account user
- Create a personal access token for a service account user
- Rotate a personal access token for a service account user
Group service accounts
Interact with service accounts by using the REST API.
Prerequisites:
- You must be an administrator of the self-managed instance, or have the Owner role for the GitLab.com group.
List service account users
- Introduced in GitLab 17.1.
Lists all service account users that are provisioned by group.
This function takes pagination parameters page
and per_page
to restrict the list of users.
GET /groups/:id/service_accounts
Parameters:
Attribute | Type | Required | Description |
---|---|---|---|
id
| integer/string | yes | The ID or URL-encoded path of the target group. |
order_by
| string | no | Orders list of users by username or id . Default is id .
|
sort
| string | no | Specifies sorting by asc or desc . Default is desc .
|
Example request:
curl --request GET --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts"
Example response:
[
{
"id": 57,
"username": "service_account_group_345_<random_hash>",
"name": "Service account user"
},
{
"id": 58,
"username": "service_account_group_346_<random_hash>",
"name": "Service account user"
}
]
Create a service account user
- Introduced in GitLab 16.1.
- Ability to specify a username or name was introduced in GitLab 16.10.
Creates a service account user.
This API endpoint works on top-level groups only. It does not work on subgroups.
POST /groups/:id/service_accounts
Supported attributes:
Attribute | Type | Required | Description |
---|---|---|---|
id
| integer/string | yes | The ID or URL-encoded path of the target group. |
name
| string | no | The name of the user. If not specified, the default Service account user name is used.
|
username
| string | no | The username of the user. If not specified, it’s automatically generated. |
Example request:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts"
Example response:
{
"id": 57,
"username": "service_account_group_345_6018816a18e515214e0c34c2b33523fc",
"name": "Service account user"
}
Delete a service account user
- Introduced in GitLab 17.1.
Deletes a service account user.
This API endpoint works on top-level groups only. It does not work on subgroups.
DELETE /groups/:id/service_accounts/:user_id
Parameters:
Attribute | Type | Required | Description |
---|---|---|---|
id
| integer/string | yes | The ID or URL-encoded path of the target group. |
user_id
| integer | yes | The ID of a service account user. |
hard_delete
| boolean | no | If true, contributions that would usually be moved to a Ghost User are instead deleted, as well as groups owned solely by this service account user. |
Example request:
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts/181"
Create a personal access token for a service account user
- Introduced in GitLab 16.1.
This API endpoint works on top-level groups only. It does not work on subgroups.
POST /groups/:id/service_accounts/:user_id/personal_access_tokens
Parameters:
Attribute | Type | Required | Description |
---|---|---|---|
id
| integer/string | yes | The ID or URL-encoded path of the target group. |
user_id
| integer | yes | The ID of a service account user. |
name
| string | yes | The name of the personal access token. |
scopes
| array | yes | Array of scopes of the personal access token. See personal access token scopes for possible values. |
expires_at
| date | no | The personal access token expiry date. When left blank, the token follows the standard rule of expiry for personal access tokens. To specify no expiration date, set this value to null .
|
Example request:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/35/service_accounts/71/personal_access_tokens" --data "scopes[]=api,read_user,read_repository" --data "name=service_accounts_token"
Example response:
{
"id":6,
"name":"service_accounts_token",
"revoked":false,
"created_at":"2023-06-13T07:47:13.900Z",
"scopes":["api"],
"user_id":71,
"last_used_at":null,
"active":true,
"expires_at":"2024-06-12",
"token":"<token_value>"
}
Rotate a personal access token for a service account user
- Introduced in GitLab 16.1.
This API endpoint works on top-level groups only. It does not work on subgroups.
POST /groups/:id/service_accounts/:user_id/personal_access_tokens/:token_id/rotate
Parameters:
Attribute | Type | Required | Description |
---|---|---|---|
id
| integer/string | yes | The ID or URL-encoded path of the target group. |
user_id
| integer | yes | The ID of the service account user. |
token_id
| integer | yes | The ID of the token. |
Example request:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/35/service_accounts/71/personal_access_tokens/6/rotate"
Example response:
{
"id":7,
"name":"service_accounts_token",
"revoked":false,
"created_at":"2023-06-13T07:54:49.962Z",
"scopes":["api"],
"user_id":71,
"last_used_at":null,
"active":true,
"expires_at":"2023-06-20",
"token":"<token_value>"
}