> ## Documentation Index
> Fetch the complete documentation index at: https://docs.controlplane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Service Account

> Service accounts are headless principals for API and CLI access. Covers token generation, key management, profiles, and authentication for automation.

## Overview

A service account is one of the [principal types](/concepts/access-control) of an [org](/reference/org) that can be granted specific access permissions to perform headless operations against the [API](/api-reference/api).

A service account can be [mapped](#map-a-service-account-with-a-profile) to a [cpln profile](/cli-reference/commands/profile) and execute CLI commands on behalf of that account.

## Create a Service Account

Refer to the [Create a Service Account](/guides/create-service-account) guide for additional details.

## Built-in Service Accounts

The following service accounts are built-in and cannot be modified or deleted:

| Service Account Name | Description                                                                          |
| :------------------- | :----------------------------------------------------------------------------------- |
| controlplane         | Built-in service account used by Control Plane to interact with this org's resources |

## Map a Service Account with a profile

Using the following [CLI](/cli-reference/overview) command, a [profile](/cli-reference/commands/profile) will be created and mapped to a service account:

```bash theme={null}
cpln profile create PROFILE_NAME --token GENERATED_KEY
```

This profile can be set as the default profile by using the command `cpln profile set-default PROFILE_NAME` or by using the CLI option `--profile PROFILE_NAME` to override the default when executing a command.

## Service Account Keys

A service account can be associated with one or more **keys** that are generated by the platform. They are used to authenticate and authorize the service account to the API.

<Warning>
  When a new key is created, it will only be displayed and available for download **one time**.

  It cannot be retrieved again. If a key is lost, misplaced, or forgotten, it must be removed and regenerated.
</Warning>

After a new key has been generated and saved, the UI will display the name of the key (which matches the first sixteen characters of the key) and the description entered.

Individual keys can be removed if they are no longer used or have been compromised.

## Permissions

The permissions below are used to define [policies](/reference/policy) together with one or more of the four
[principal types](/concepts/access-control):

| Permission | Description                            | Implies                                    |
| :--------- | :------------------------------------- | :----------------------------------------- |
| addKey     | Add key to an existing service account |                                            |
| create     | Create new service accounts            |                                            |
| delete     | Delete service accounts                |                                            |
| edit       | Modify existing resources              | view                                       |
| manage     | Full access                            | addKey, create, delete, edit, manage, view |
| view       | Read-only access                       |                                            |

## Access Report

Displays the permissions granted to principals for the service account.

## CLI

To view the CLI documentation for Service Accounts, see the [Service Account CLI reference](/cli-reference/commands/serviceaccount).