Service Accounts

A service account is a special kind of non-human account for applications, services, or virtual machines (VMs) to securely interact with other systems or APIs. Service accounts operate in the background, without user interaction.

For example, to programmatically download logs from Kloudfuse for analysis or archival, create a service account with specific permissions and use it to access the Kloudfuse API. Follow these steps:

  1. Create a service account with a specific role: *Viewer*, *Editor*, or *Admin*.

  2. Attach a policy to limit access.

    For example, the policy {kube_namespace="prometheus"} grants log access to the Prometheus namespace only.

  3. Create an API token with an expiration date.

  4. Use the token as a Bearer token in API calls to get and download logs.

Advantages

Automation

Service accounts are purpose-built for automation, to be used by software, not people.

Continuous Integration and Deployment

They are ideal for CI/CD pipelines, background jobs, or apps that access cloud services.

Authentication and Authorization

Service accounts have their own credentials (keys, tokens, or certificates).

Permissions

You can add specific permissions (roles or scopes) to limit access to only what the service account requires.

Security

Service accounts provide secure, auditable access to APIs without exposing user credentials.

Follow these steps to get to the Service Accounts interface:

  1. Click the Admin tab, and then the Service Accounts option in the drop-down menu.

  2. The Service Accounts interface appears.

Using the Service Accounts interface

The Service Accounts interface has the following information and affordances:

Create a Service Account

Service Accounts List

To create a service account, follow these steps:

  1. Click Create new service account.

  2. The Create new service account interface appears.

  3. Specify the new service account:

    Account name

    Specify the name of the service account.

    Owner email

    Specify the email that corresponds to the service account.

    Role

    Specify the role for the service account: Viewer, Editor, or Admin.

  4. Click Create.

  5. Kloudfuse confirms that you successfully created a service account.

Examples

Using Service Accounts to Download Logs

To create and use a service account for retrieving logs from Kloudfuse, follow these steps:

Step 1 Create a Service Account

  1. Navigate to Admin → Service Accounts.

  2. Click "Create new service account".

  3. Specify the parameters:

    Account name

    log-downloader

    Owner email

    automation@example.com

    Role

    Viewer (sufficient for read-only access to logs)

  4. Click Create.

Step 2 Attach a Policy

After creating the service account, attach a policy to constrain its access to its intended purpose:

  1. Click on the service account name.

  2. Add a policy to restrict access. For example:

    {kube_namespace="prometheus"}

    Grants log access to the Prometheus namespace only.

    {kube_namespace="dd-trace-example"}

    Grants log access to the dd-trace-example namespace only.

Step 3 Create an API Token

  1. In the service account details, click "Create Token".

  2. Set an expiration date. For example, 30 days, 90 days, or 1 year.

  3. Copy the generated token, such as glsa_vutX2rJ080fLHNaZISAFqmJHCBNxn6l8_5b746423.

  4. Save and store the token securely, because you cannot see it again.

Step 4 Use the token in API Calls

Use the service account token to access Kloudfuse APIs.

Example: Use the logs download API with Service Account
# Set the service account token.
export TOKEN="glsa_vutX2rJ080fLHNaZISAFqmJHCBNxn6l8_5b746423"

# Download logs using the service account token.
curl 'https://pisco.kloudfuse.io/query' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'baggage: sentry-environment=pisco.kloudfuse.io,sentry-release=3777701,sentry-public_key=62bfbfd50ed8a3e598645f272699c9ac,sentry-trace_id=6eae349b8c0343169d195d61cd8ba8b1' \
  -H 'content-type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'origin: https://pisco.kloudfuse.io' \
  -H 'priority: u=1, i' \
  -H 'referer: https://pisco.kloudfuse.io/' \
  -H 'sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sentry-trace: 6eae349b8c0343169d195d61cd8ba8b1-a5c8db161f4afd46' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36' \
  --data-raw '{"operationName":null,"query":"\n    query GetLogsV2 {\n      getLogsV2(\n        cursor: null,\n        query: {and: []},\n        limit: 2000,\n        timestamp: \"2025-07-22T12:01:40-07:00\",\n        durationSecs: 300\n        sortBy: \"ts\"\n        sortOrder: Asc\n      ) {\n        cursor\n        events {\n          timestamp\n          logLine\n          fpString\n          fpHash\n          level\n          labels\n          facets {\n            name\n            dataType\n            content\n          }\n        }\n      }\n    }\n  ","variables":{}}'

The response contains logs filtered by the policy attached to the service account. In this example, Kloudfuse returns only logs from the prometheus namespace.

Response: Returned JSON Data
{
  "data": {
    "getLogsV2": {
      "cursor": "",
      "events": [
        {
          "timestamp": "2025-07-22T19:00:03.171Z",
          "logLine": "level=info ts=2025-07-22T19:00:02.381Z caller=compact.go:507 component=tsdb msg=\"write block\" mint=1753200000802 maxt=1753207200000 ulid=01K0SR3M4W33S6ZR9N2WEZ6W6H duration=48.895847ms",
          "level": "info",
          "labels": {
            "kube_namespace": "prometheus",
            "pod_name": "prometheus-pisco-server-0",
            ...
          }
        }
      ]
    }
  }
}
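
A scope check for the policy attached in Step 2, as an added example that is not part of the Kloudfuse documentation: it builds the same GetLogsV2 request with only the Authorization and Content-Type headers (assuming the browser headers in the curl example are optional) and reports any returned event whose kube_namespace label falls outside the allowed namespace. The KFUSE_TOKEN variable, the function names and SAMPLE_RESPONSE are constructed for illustration.

```python
import json
import os
import urllib.request

QUERY_URL = "https://pisco.kloudfuse.io/query"  # host from the page's curl example
LOGS_QUERY = """query GetLogsV2 {
  getLogsV2(cursor: null, query: {and: []}, limit: 2000,
            timestamp: "2025-07-22T12:01:40-07:00", durationSecs: 300,
            sortBy: "ts", sortOrder: Asc) {
    cursor
    events { timestamp logLine level labels }
  }
}"""

# Constructed sample response: the second event simulates a policy that is
# missing or too broad, so a log from another namespace comes back.
SAMPLE_RESPONSE = {"data": {"getLogsV2": {"cursor": "", "events": [
    {"logLine": "write block", "labels": {"kube_namespace": "prometheus"}},
    {"logLine": "sync done", "labels": {"kube_namespace": "kube-system"}},
]}}}


def build_request(token):
    """Build the GetLogsV2 POST; assumes only these two headers are required."""
    if not token:
        raise ValueError("service account token is empty")
    body = json.dumps({"operationName": None, "query": LOGS_QUERY, "variables": {}})
    return urllib.request.Request(
        QUERY_URL, data=body.encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def out_of_scope_events(response, allowed_namespace):
    """Return events whose kube_namespace label is not the one the policy allows."""
    if response.get("errors"):
        raise RuntimeError(f"query failed: {response['errors']}")
    logs = (response.get("data") or {}).get("getLogsV2") or {}
    return [e for e in logs.get("events") or []
            if (e.get("labels") or {}).get("kube_namespace") != allowed_namespace]


if __name__ == "__main__":
    # KFUSE_TOKEN is a hypothetical variable name; keep the token out of source.
    req = build_request(os.environ["KFUSE_TOKEN"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        leaked = out_of_scope_events(json.load(resp), "prometheus")
    raise SystemExit(f"{len(leaked)} events outside policy scope" if leaked else 0)
```

Run it in a scheduled job after each policy change; a non-zero exit means the token can read more than the policy was meant to allow.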

Trace Query Service

With the appropriate policy, such as {kube_namespace="dd-trace-example"}, the following example returns only services from the allowed namespace, instead of all 55 services.

Use a service account with the Kloudfuse trace query APIs:
# Set your service account token (if not already set)
export TOKEN="glsa_vutX2rJ080fLHNaZISAFqmJHCBNxn6l8_5b746423"

# Query traces using the service account token
curl 'https://pisco.kloudfuse.io/api/v1/query?query=min(min_over_time(edge_latency_min%7Bkf_source%3D%22apm%22%2Cspan_type!%3D%22db%22%7D%5B300000ms%5D))%20by%20(service_hash%2C%20service_name)&time=2025-07-22T18:43:38.000Z' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'content-type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'priority: u=1, i' \
  -H 'referer: https://pisco.kloudfuse.io/' \
  -H 'sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36'