POST /v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials
Create service account credential
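// Replace <token> with an OAuth2/OIDC bearer token and {serviceAccountId}
// in the URL with the service account resource identifier.
const options = {
  method: 'POST',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  // expiresAt is optional; if omitted, the org default applies.
  body: JSON.stringify({expiresAt: '2023-11-07T05:31:56Z'})
};

fetch('https://api.k0rdent.ai/v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials', options)
  .then(res => res.json())
  // The parsed body includes clientSecret, so this console.log prints the secret.
  .then(res => console.log(res))
  .catch(err => console.error(err));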
{
  "uid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "id": "cred-001",
  "serviceAccountId": "sa-pipeline-prod",
  "status": "active",
  "createdBy": "user-admin-001",
  "createdAt": "2023-11-07T05:31:56Z",
  "clientSecret": "plt_cs_cred-001_x9y8z7w6v5u4...",
  "selfLink": "/v1/iam/service-accounts/sa-pipeline-prod/credentials/cred-001",
  "expiresAt": "2023-11-07T05:31:56Z",
  "lastUsedAt": "2023-11-07T05:31:56Z",
  "lastUsedIp": "203.0.113.42"
}

Authorizations

Authorization
string
header
required

Bearer token authentication using OAuth2/OIDC tokens

Path Parameters

serviceAccountId
string
required

Service account resource identifier.

Body

application/json
expiresAt
string<date-time>

Requested expiration timestamp. Cannot exceed the org-level maximum credential lifetime. Defaults to org default if omitted.

Response

Credential created. The client_secret is included in this response only and cannot be retrieved again.

Credential metadata plus the client_secret. The secret is only returned at creation time.

uid
string<uuid>
required

Server-generated UUID. Immutable.

id
string
required

Credential identifier. Server-generated, immutable.

Example:

"cred-001"

serviceAccountId
string
required

The parent service account this credential belongs to.

Example:

"sa-pipeline-prod"

status
enum<string>
required

Current credential status.

  • active: can be used to authenticate.
  • expired: past expiresAt. Terminal; cannot be re-enabled.

Note: if the parent service account is disabled, all its credentials are effectively unusable regardless of their individual status.

Available options: active, expired

Example:

"active"

createdBy
string
required

User ID of the administrator who created this credential.

Example:

"user-admin-001"

createdAt
string<date-time>
required

Timestamp when the credential was created.

clientSecret
string
required

The client secret value. Store securely — this value cannot be retrieved again.

Example:

"plt_cs_cred-001_x9y8z7w6v5u4..."

selfLink
string

Server-defined URL for this resource.

Example:

"/v1/iam/service-accounts/sa-pipeline-prod/credentials/cred-001"

expiresAt
string<date-time>

Credential expiration timestamp. If not set at creation, defaults to the organization's configured maximum credential lifetime. Cannot exceed the org-level maximum.

lastUsedAt
string<date-time>

Timestamp of the last successful token mint using this credential. Null if never used.

lastUsedIp
string

IP address from which this credential was last used.

Example:

"203.0.113.42"