Skip to main content
GET
/
v1
/
regions
/
global
/
iam
/
service-accounts
/
{serviceAccountId}
/
credentials
/
{id}
Retrieve credential details
const options = {method: 'GET', headers: {Authorization: 'Bearer <token>'}};

fetch('https://api.k0rdent.ai/v1/regions/global/iam/service-accounts/{serviceAccountId}/credentials/{id}', options)
  .then(res => res.json())
  .then(res => console.log(res))
  .catch(err => console.error(err));
{
  "uid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "id": "cred-001",
  "serviceAccountId": "sa-pipeline-prod",
  "status": "active",
  "createdBy": "user-admin-001",
  "createdAt": "2023-11-07T05:31:56Z",
  "selfLink": "/v1/iam/service-accounts/sa-pipeline-prod/credentials/cred-001",
  "expiresAt": "2023-11-07T05:31:56Z",
  "lastUsedAt": "2023-11-07T05:31:56Z",
  "lastUsedIp": "203.0.113.42"
}

Authorizations

Authorization
string
header
required

Bearer token authentication using OAuth2/OIDC tokens

Path Parameters

serviceAccountId
string
required

Service account resource identifier.

id
string
required

Credential resource identifier.

Response

Credential metadata.

A credential (client_secret) belonging to a service account. Multiple credentials can exist simultaneously for a single service account, enabling zero-downtime secret rotation: create a new credential, deploy it, then delete the old one.

The client_secret value is returned only at creation time and cannot be retrieved again.

Maximum of 5 active credentials per service account.

uid
string<uuid>
required

Server-generated UUID. Immutable.

id
string
required

Credential identifier. Server-generated, immutable.

Example:

"cred-001"

serviceAccountId
string
required

The parent service account this credential belongs to.

Example:

"sa-pipeline-prod"

status
enum<string>
required

Current credential status.

  • active: can be used to authenticate.
  • expired: past expiresAt. Terminal; cannot be re-enabled.

Note: if the parent service account is disabled, all its credentials are effectively unusable regardless of their individual status.

Available options:
active,
expired
Example:

"active"

createdBy
string
required

User ID of the administrator who created this credential.

Example:

"user-admin-001"

createdAt
string<date-time>
required

Timestamp when the credential was created.

selfLink
string<uri>

Server-defined URL for this resource.

Example:

"/v1/iam/service-accounts/sa-pipeline-prod/credentials/cred-001"

expiresAt
string<date-time>

Credential expiration timestamp. If not set at creation, defaults to the organization's configured maximum credential lifetime. Cannot exceed the org-level maximum.

lastUsedAt
string<date-time>

Timestamp of the last successful token mint using this credential. Null if never used.

lastUsedIp
string

IP address from which this credential was last used.

Example:

"203.0.113.42"