IMS Service Accounts
IMS Service Accounts provide access to IMS services without requiring a human sitting at a computer with a browser verifying logins. Some example use cases for IMS Service Accounts are:
- Continuous integration and delivery (CI/CD) pipelines
- Customer built and maintained services that interact with IMS APIs.
IMS Service Accounts are tied to OAuth Clients and are accessed by a set of long-lived Refresh Tokens. To exchange a Service Account's Refresh Token you must use the credentials of the OAuth Client that was specified at the Service Account creation time. For more information on exchanging Refresh Tokens for Access Tokens see the Using IMS Tokens guide and the Exchanging a Refresh Token for an Access Token code sample.
The permissions available to a Service Account are also specified at creation time, but can be modified later. Use the IMS Admin service to create and modify Service Accounts (documentation coming soon).
It is advisable to maintain rotation procedures for IMS Service Accounts. Every 3-6 months you should generate a new Refresh Token for your Service Account and revoke the old one. Use the IMS Admin service to generate and revoke Refresh Tokens for your Service Accounts (documentation coming soon).
Some best practices around Service Accounts:
- Create a single Service Account per service, and limit their permissions as much as possible.
- Create a single Service Account per IMS project, this is to ensure you can’t accidentally modify a live project when attempting to modify a testing one.
- Rotate Refresh Tokens at least every 6 months
- Service Account Refresh Tokens are sensitive and should be stored carefully. Consider using a secrets manager such as HashiCorp Vault or AWS Secrets Manager.