»Service Principals

Service principals within the HashiCorp Cloud Platform are "machine users" that authenticate service requests performed by non-human clients. You can create new service principals in the HCP portal. Service principals generally operate in the same manner as user principals. However, while service principals are able to act on resources, they are limited to a single organization. A service principal's capabilities are governed by the same RBAC system used for user principals.

»Creating service principals

From your HashiCorp Portal, click Access control (IAM) in the left navigation, and then click Service principals. If no service principals have been created yet, you will see the following screen.

[Image: Empty dialog]

Click + Create service principal. The following screen opens.

[Image: Create screen]

Type in a name and select a role. The following roles can be assigned to the service principal.

  • Admin: Full access to all resources, including editing IAM, inviting users, and editing roles.

  • Contributor: Create and manage all types of resources, but cannot grant access to others.

  • Viewer: View existing resources only.

To view additional permissions for these roles, refer to the HCP Platform Permissions document.

Click Create service principal. Your service principal will appear in the list.

[Image: List format]

»Generating a service principal key

To authenticate service requests performed by non-human clients, you must generate a key for authentication. A service principal key consists of a pair of values, the Client ID and the Client secret, which the external client uses to authenticate with the HCP public API.

  • The maximum allowed keys for each service principal is two, which allows for key rotation.

  • Service principal keys have a status that should always be “active”. Their status might be something other than “active” only during key provisioning and deletion.

Click the service principal to open the detailed view.

[Image: Detailed list]

In the detailed view, scroll down and click Create service principal key. It takes a few seconds to generate the key.

[Image: Create key]

Once the following screen appears, copy the Client secret and save it to a secure location for later use.

[Image: Save key]

Click Close. You will be brought back to the Keys table. In the Keys table, click + Generate key to generate a second key. You will need the second key to perform key rotation.

[Image: Second key]

Once the second key is generated, follow the same procedure to copy the Client secret for your second key, then click Close. Both keys will appear in the Keys table.

[Image: Two keys]

»Deleting a service principal key

To maintain the security lifecycle of your keys, it is good practice to periodically delete your keys and generate new ones. To delete a service principal key, navigate to the Keys table, identify the key you wish to delete, and select Delete from the drop-down.

[Image: Deleting a key]
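The rotation that the two-key limit and the periodic delete-and-regenerate practice are designed for, as an added example (not HashiCorp's code): it runs against a constructed in-memory stand-in for the key API, so `FakeKeyApi`, its method names and the generated IDs are assumptions, not the HCP API. The order matters: the new key is created and verified, consumers are switched, and only then is the old key deleted.

```python
"""Rotate an HCP service principal key without a gap in service.

Added example, not HashiCorp's code. FakeKeyApi is a constructed stand-in
(an assumption) that enforces the two-key limit and "active" status the
documentation describes, so the rotation logic can run offline.
"""
import secrets

MAX_KEYS = 2  # HCP allows at most two keys per service principal


class FakeKeyApi:
    """Constructed stand-in for the service principal key API."""

    def __init__(self):
        self.keys = {}  # client_id -> {"secret": str, "status": str}

    def create_key(self):
        if len(self.keys) >= MAX_KEYS:
            raise RuntimeError("key limit reached: delete a key before creating one")
        client_id = "cid-" + secrets.token_hex(4)  # placeholder ID format
        secret = secrets.token_urlsafe(24)
        self.keys[client_id] = {"secret": secret, "status": "active"}
        return client_id, secret

    def delete_key(self, client_id):
        del self.keys[client_id]

    def authenticate(self, client_id, client_secret):
        key = self.keys.get(client_id)
        return (key is not None and key["status"] == "active"
                and secrets.compare_digest(key["secret"], client_secret))


def rotate_key(api, current_id, switch_consumer):
    """Create a new key, verify it, move consumers to it, then retire the old one.

    switch_consumer(client_id, secret) is the caller's hook for updating
    whatever holds the credential; the old key is deleted only after it runs.
    """
    if len(api.keys) >= MAX_KEYS:
        # Both slots are taken: retire keys other than the one still in use.
        for stale in [k for k in api.keys if k != current_id]:
            api.delete_key(stale)
    new_id, new_secret = api.create_key()
    if not api.authenticate(new_id, new_secret):
        api.delete_key(new_id)  # never cut over to a key that does not work
        raise RuntimeError("new key failed verification")
    switch_consumer(new_id, new_secret)
    api.delete_key(current_id)
    return new_id
```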

»Deleting a service principal

Click the service principal to open the detailed view, and then select Delete from the drop-down.

[Image: Deleting a service principal]