Service accounts for Polaris

Learn how to create and manage service accounts for Polaris.

Overview

Service accounts are a type of account used to perform automated tasks on behalf of a user or application. They are typically used in scenarios where a user is not present to provide authentication, such as in CI/CD pipelines or automated scripts.

Service accounts have their own set of credentials (tokens) that can be used for authentication.

In Polaris, service accounts are managed by Organization Administrators, who can create and delete service accounts as needed.

Important: At this time, service accounts can only be managed using the API endpoints described on this page. Only Organization Administrators can complete these tasks.

Service account token expiration

Service account tokens expire after one year from the creation date, and will also expire if unused for 30 days. You'll need to create new tokens before expiration to ensure your automated processes continue to function without interruption.

Monitor service account usage

Organization Administrators can monitor service account activity on the Audit Logs page (My Organization > Audit Logs). When an action is performed using a service account token, the service account's friendly name appears in the Token Name column. Select Service Account Tokens using the Event Type dropdown to view events related to service accounts.

Using service account tokens

Service account tokens function identically to user access tokens for authentication purposes. After you create a service account and assign it a global or application-level role, you can use the service account's token for:

  • Authentication in requests made to Polaris APIs.
  • Authentication in CI pipelines that use the Bridge CLI (and Black Duck Security Scan plugins).
Note: Service account tokens can be used wherever access tokens are used.

Create a service account

To create a service account, follow these steps:

  1. Send a POST request to the /api/auth/service-account-tokens endpoint. 
    curl --location 'https://polaris.blackduck.com/api/auth/service-account-tokens' \
--header 'accept: application/vnd.polaris.auth.service-account-token-1+json' \
--header 'Content-Type: application/vnd.polaris.auth.service-account-token-1+json' \
--header 'Api-Token: {polarisAccessToken}' \
--data '{
  "name": "exampleServiceAccount"
}'

    Include the name of the service account in the request body.

    Note: Service account names must be between 3 and 255 characters long.

    The response contains the service account's ID (token ID) and token.

    {
    "id": "04f59be3-de78-4c2a-bfed-22fabc6975da",
    "token": "{token}",
    "name": "exampleServiceAccount",
    "expiryDate": "2026-09-16T18:44:01.687Z",
    "lastAccessed": null,
    "_type": "service-account-token",
    "_links": [
        {
            "href": "https://polaris.blackduck.com/service-account-tokens/04f59be3-de78-4c2a-bfed-22fabc6975da",
            "rel": "self",
            "method": "GET"
        }
    ]
}
  2. Store the service account's ID and token securely.
    Important: The service account's token is only returned when the account is created, and cannot be retrieved later on. Service account tokens automatically expire one year after creation, and will also expire if unused for 30 days.

    Today, there's no way to retrieve a list of service accounts and their IDs (but this will be available in a future update). For now, make sure you save the service account's ID. You'll need it in subsequent steps.

By default, service accounts are created without permissions. Before the account can be used, you must assign it a role. See Assign a role to a service account for more information.

Assign a role to a service account

To grant a service account access to all of the applications in your portfolio, assign the service account a global (organization-level) role.

Alternatively, you can grant a service account access to specific applications in your portfolio, and assign the service account an application-level role (including custom roles) for each application.

Note: Use application-level roles for finer-grained control of what a service account can do. Find the default permissions assigned to different roles here: Roles and permissions.

Assign a global role to a service account

To assign a global role to a service account, follow these steps:

  1. Get a list of global roles and their IDs using the GET /api/auth/roles endpoint. 
    curl --location 'https://polaris.blackduck.com/api/auth/roles' \
--header 'accept-type: application/vnd.polaris.auth.roles-1+json' \
--header 'Api-Token: {polarisAccessToken}'

    The response contains available global roles, and includes role names and IDs. Note the ID of the global role you want to assign to the service account, which will be used in the next step.

    {
    "_items": [
        {
            "_links": [
                {
                    "href": "https://polaris.blackduck.com/api/roles/b62fb0cb-71c3-4189-9850-1374fb2cb71c",
                    "rel": "self",
                    "method": "GET"
                }
            ],
            "_type": "role",
            "name": "administrator",
            "displayName": "Organization Administrator",
            "id": "b62fb0cb-71c3-4189-9850-1374fb2cb71c",
            "isClientRole": false,
            "attributes": {
                "isPublic": [
                    "true"
                ]
            }
        },
        {
            "_links": [
                {
                    "href": "https://polaris.blackduck.com/api/roles/94fedd54-3765-41b5-98f2-734efaaad81b",
                    "rel": "self",
                    "method": "GET"
                }
            ],
            "_type": "role",
            "name": "application-manager",
            "displayName": "Application Manager",
            "id": "94fedd54-3765-41b5-98f2-734efaaad81b",
            "isClientRole": false,
            "attributes": {
                "isPublic": [
                    "true"
                ]
            }
        }
    ],
    "_links": [
        {
            "href": "https://polaris.blackduck.com/api/roles?_limit=100&_offset=0",
            "rel": "self",
            "method": "GET"
        },
        {
            "href": "https://polaris.blackduck.com/api/roles?_limit=100&_offset=0",
            "rel": "first",
            "method": "GET"
        }
    ],
    "_collection": {
        "currentPage": 1,
        "_type": "role",
        "hasNextPage": false
    }
}
  2. Assign a global role to the service account using the PUT /api/auth/service-account-tokens/{tokenId}/organization-roles/{roleId} endpoint. 
    curl --location --request PUT 'https://polaris.blackduck.com/api/auth/service-account-tokens/04f59be3-de78-4c2a-bfed-22fabc6975da/organization-roles/94fedd54-3765-41b5-98f2-734efaaad81b' \
--header 'accept: */*' \
--header 'Api-Token: {polarisAccessToken}'

    Where:

    • The service account ID (token ID) is passed as a path parameter, after service-account-tokens/.
    • The ID of the global role is passed as a path parameter, after organization-roles/.
      Important: Once a global role is assigned to a service account, it cannot be removed. To revoke a global role from a service account, you must delete the service account and create a new one. If necessary, both global roles can be assigned to a service account at the same time.

    A successful assignment will return a 204 No Content response.

Assign application-level roles to a service account

To assign an application-level role to a service account, follow these steps:
  1. Get the IDs of applications you wish to grant the service account access to using the GET /api/{portfolioId}/applications endpoint. 
    curl --location 'https://polaris.blackduck.com/api/portfolios/d9656ded-eae0-43ed-af1c-4781b8b7345e/applications' \
--header 'accept: application/vnd.polaris.portfolios.applications-1+json' \
--header 'Api-Token: {polarisAccessToken}'

    The response includes the names and IDs of applications in your portfolio. Note the IDs of the applications you wish to grant the service account access to, which will be used in a later step.

    {
    "_items": [
        {
            "id": "918d2744-8531-4cc0-bb1c-d3d51974d210",
            "name": "Example application 1",
            "description": null,
            "subscriptionTypeUsed": "CONCURRENT",
            "portfolioId": "d9656ded-eae0-43ed-af1c-4781b8b7345e",
            "inTrash": false,
            "createdAt": "2025-04-17 10:56:00",
            "updatedAt": "2025-09-11 11:31:41",
            "autoDeleteSetting": false,
            "branchRetentionPeriodSetting": 30,
            "autoDeleteSettingsCustomized": false,
            "riskScore": 0,
            "riskFactorMapping": {}
        },
        {
            "id": "fd95b829-e7cb-4d0d-94a1-fcfe6cbdbcd1",
            "name": "Example application 2",
            "description": null,
            "subscriptionTypeUsed": "CONCURRENT",
            "portfolioId": "d9656ded-eae0-43ed-af1c-4781b8b7345e",
            "inTrash": false,
            "createdAt": "2024-07-18 11:32:26",
            "updatedAt": "2024-07-18 11:32:26",
            "autoDeleteSetting": false,
            "branchRetentionPeriodSetting": 30,
            "autoDeleteSettingsCustomized": false,
            "riskScore": 0,
            "riskFactorMapping": {}
        },
        
        [...]
        
    ],
    "_links": [
        {
            "href": "https://polaris.blackduck.com/api/portfolios/d9656ded-eae0-43ed-af1c-4781b8b7345e/applications?_offset=0&_limit=100",
            "rel": "first",
            "method": "GET"
        },
        {
            "href": "https://polaris.blackduck.com/api/portfolios/d9656ded-eae0-43ed-af1c-4781b8b7345e/applications?_offset=0&_limit=100",
            "rel": "last",
            "method": "GET"
        },
        {
            "href": "https://polaris.blackduck.com/api/portfolios/d9656ded-eae0-43ed-af1c-4781b8b7345e/applications?_offset=0&_limit=100",
            "rel": "self",
            "method": "GET"
        }
    ],
    "_collection": {
        "itemCount": 11,
        "currentPage": 1,
        "pageCount": 1
    }
}
  2. Get the IDs of the application-level roles in your organization using the GET /api/auth/resources/applications/roles endpoint. 
    curl --location 'https://polaris.blackduck.com/api/auth/resources/applications/roles' \
--header 'accept: application/vnd.polaris.auth.application-role-1+json' \
--header 'Api-Token: {polarisAccessToken}'

    The response contains available application-level roles, including their IDs and names. Note the IDs of the roles you want to assign to your service account, which will be used in the next step.

    {
    "_items": [
        {
            "id": "fceece4e-3a97-4e0c-acc9-84167475244b",
            "name": "administrator",
            "displayName": "Administrator",
            "_type": "application-role",
            "_links": []
        },
        {
            "id": "02b87d59-6e8c-4a53-ba77-f4b67ea71771",
            "name": "contributor",
            "displayName": "Contributor",
            "_type": "application-role",
            "_links": []
        },
        {
            "id": "c24107a7-bdc6-451b-8c5b-4dab0c9e9573",
            "name": "member",
            "displayName": "Member",
            "_type": "application-role",
            "_links": []
        },
        {
            "id": "32251ee5-1232-4dc8-a61d-f480fc6a66fa",
            "name": "observer",
            "displayName": "Observer",
            "_type": "application-role",
            "_links": []
        },
        {
            "id": "4e3e56a4-002d-485b-8a0c-23520cbf9b2b",
            "name": "example-custom-role",
            "displayName": "Example Custom Role",
            "_type": "application-role",
            "_links": []
        }
    ],
    "_links": [
        {
            "href": "https://polaris.blackduck.com/resources/applications/roles",
            "rel": "self",
            "method": "GET"
        }
    ],
    "_collection": {
        "_type": "application-role"
    }
}
  3. Grant the service account access to one or more applications using the PUT /api/auth/service-account-tokens/{tokenId}/applications endpoint. 
    curl --location --request PUT 'https://polaris.blackduck.com/api/auth/service-account-tokens/04f59be3-de78-4c2a-bfed-22fabc6975da/applications' \
--header 'accept: */*' \
--header 'Content-Type: application/vnd.polaris.auth.service-account-token-1+json' \
--header 'Api-Token: {polarisAccessToken}' \
--data '{
  "assignments": [
    {
      "roleId": "02b87d59-6e8c-4a53-ba77-f4b67ea71771",
      "applicationId": "918d2744-8531-4cc0-bb1c-d3d51974d210"
    },
    {
      "roleId": "4e3e56a4-002d-485b-8a0c-23520cbf9b2b",
      "applicationId": "fd95b829-e7cb-4d0d-94a1-fcfe6cbdbcd1"
    }
  ]
}'

    Where:

    • The service account ID is passed as a path parameter, after service-account-tokens/.
    • Combinations of application-level role IDs and application IDs are passed as a JSON array in the request body.
    Important: This request will completely replace any existing application role assignments with the new ones specified in the request body.

    A successful assignment will return a 204 No Content response.

Get a service account's metadata

Get a service account's metadata using the GET /api/auth/service-account-tokens/{tokenId} endpoint.

curl --location 'https://polaris.blackduck.com/api/auth/service-account-tokens/04f59be3-de78-4c2a-bfed-22fabc6975da' \
--header 'accept: application/vnd.polaris.auth.service-account-token-1+json' \
--header 'Api-Token: {polarisAccessToken}'

The service account ID (token ID) is passed as a path parameter, after service-account-tokens/.

The response will include details about the token, including its expiration date.

{
    "id": "04f59be3-de78-4c2a-bfed-22fabc6975da",
    "name": "exampleServiceAccount",
    "expiryDate": "2026-09-16T18:44:01.687Z",
    "lastAccessed": null,
    "_type": "service-account-token",
    "_links": [
        {
            "href": "https://polaris.blackduck.com/service-account-tokens/04f59be3-de78-4c2a-bfed-22fabc6975da",
            "rel": "self",
            "method": "GET"
        }
    ]
}

Delete a service account

To delete a service account, follow these steps:

Delete a service account using the DELETE /api/auth/service-account-tokens/{tokenId} endpoint.
CAUTION: Deleted service accounts cannot be recovered.
curl --location --request DELETE 'https://polaris.blackduck.com/api/auth/service-account-tokens/04f59be3-de78-4c2a-bfed-22fabc6975da' \
--header 'accept: */*' \
--header 'Api-Token: {polarisAccessToken}'

The service account ID (token ID) is passed as a path parameter, after service-account-tokens/.

A successful delete operation will return a 204 No Content response.