Skip to main content
Manages a Kosli service account. Service accounts are non-human identities used to authenticate automation (such as CI/CD pipelines) against the Kosli API. API keys for a service account are managed separately via the kosli_service_account_api_key resource.
Service accounts cannot be created in personal organizations. Only organization admins or the user who created the service account can manage it.
Use this resource to manage the lifecycle of a service account. To mint API keys, use the kosli_service_account_api_key resource. To look up an existing service account’s metadata, use the kosli_service_account data source.

Example usage

terraform {
  required_providers {
    kosli = {
      source = "kosli-dev/kosli"
    }
  }
}

# Service account for a CI/CD pipeline
resource "kosli_service_account" "ci" {
  name        = "ci-pipeline"
  description = "CI/CD pipeline service account"
  privilege   = "member"
}

# Read-only service account (e.g. for dashboards)
resource "kosli_service_account" "dashboard" {
  name      = "dashboard-readonly"
  privilege = "reader"
}

Privileges

The privilege attribute must be one of the following:
  • admin — Full administrative access
  • member — Standard read/write access
  • snapshotter — May report environment snapshots
  • reader — Read-only access
You can only create a service account with a privilege equal to or lower than your own.

Import

Service accounts can be imported using their name:
# Import an existing service account by name
terraform import kosli_service_account.ci ci-pipeline

Managing API keys

To mint API keys for a service account, use the kosli_service_account_api_key resource. To look up an existing service account’s metadata, use the kosli_service_account data source.

Schema

Required

  • name (String) Name of the service account. Must be unique within the organization, contain only alphanumeric characters and hyphens (^[a-zA-Z0-9\-]+$), and be at most 64 characters. Changing this will force recreation of the resource.
  • privilege (String) Privilege (role) granted to the service account within the organization. Valid values: admin, member, snapshotter, reader. You can only create a service account with a privilege equal to or lower than your own.

Optional

  • description (String) Free-form description of the service account.

Read-only

  • created_at (String) RFC3339 UTC timestamp of when the service account was created.
  • creating_user_id (String) Identifier of the user who created the service account.
  • display_name (String) Display name of the service account, assigned by the server.
  • for_webhook (Boolean) Whether the service account was created for webhook usage.
Last modified on July 10, 2026