Backend

Service Accounts Explained

Learn service accounts for backend systems, including machine identity, API access, least privilege, secrets, rotation, audit logs, and risks.

Quick answer

A service account is a non-human identity used by an application, worker, script, integration, or automation system to access resources.

Service accounts are useful because they separate machine access from human user accounts. They should have narrow permissions, clear ownership, safe credentials, regular rotation, and audit logs.

Do not share one powerful service account across everything. Treat each service account as a production identity with its own lifecycle.

Why service accounts exist

Backend systems often need machine-to-machine access.

Examples:

  • A billing worker reads invoices.
  • A deployment job writes release metadata.
  • A reporting service queries analytics tables.
  • A webhook publisher calls partner APIs.
  • A background job writes files to storage.
  • A monitoring integration reads service health.

Using a human user’s credentials for these workflows is risky. The access outlives the person’s role, becomes hard to audit, and may break when the user’s account changes.

A service account gives the machine its own identity.

Service account vs user account

TopicUser accountService account
RepresentsA person.A machine, app, job, or integration.
LoginInteractive login, MFA, session.API key, OAuth client, workload identity, certificate.
OwnershipIndividual user.Team, service, or system owner.
PermissionsBased on user role and context.Based on service responsibility.
LifecycleJoiner, mover, leaver process.Create, rotate, disable, decommission.

A service account should not be a shortcut around access control. It should make access control more explicit.

Good naming

Names should identify purpose and owner.

Good examples:

svc-billing-worker-prod
svc-webhook-dispatcher-prod
svc-report-exporter-staging
svc-ci-deploy-prod

Weak examples:

admin
backend
integration
prod-key

Good names make alerts, logs, and access reviews easier.

Least privilege

A service account should have only the permissions required for its job.

If a reporting service only reads invoice summaries, it should not be able to delete customers or rotate API keys.

Examples:

invoices:read
reports:generate
webhooks:publish

Avoid broad permissions:

admin:all
*:*
owner

Read Least Privilege Explained and OAuth Scopes Explained for permission design.

Credential types

Service accounts can use different credential types:

CredentialCommon use
API keySimple service or partner access.
OAuth client credentialsCentral token issuance with scopes and short-lived access tokens.
mTLS certificateStrong service identity in controlled infrastructure.
Cloud workload identityCloud-native identity without long-lived static secrets.
SSH keyAutomation access to hosts or repositories.

The right type depends on the platform, threat model, and operational maturity.

Read OAuth Client Credentials Flow Explained for service-to-service OAuth.

Store secrets safely

Service account credentials should not live in source code, wiki pages, screenshots, Docker images, or build logs.

Use a secret manager or platform identity mechanism when possible.

Safe handling includes:

  • Store secrets outside the repository.
  • Limit who can read them.
  • Avoid printing them in logs.
  • Rotate them without downtime.
  • Track when they were last used.
  • Remove unused credentials.

Read Secret Management Explained for the broader secret lifecycle.

Rotation and decommissioning

Every service account needs a lifecycle.

A basic lifecycle:

create -> grant narrow permissions -> deploy credential -> monitor use -> rotate -> review -> disable -> delete

Rotation should not require an outage. A safe design lets a service use a new credential before the old one is removed.

When a service is retired, disable its account. Do not leave unused machine identities in production forever.

Logging and audit trails

Service account actions should be visible.

Useful log fields include:

  • Service account id.
  • Owning team.
  • Action.
  • Resource.
  • Outcome.
  • Request ID.
  • Source environment.
  • Timestamp.

For high-risk actions, audit logs should show exactly which service account performed the change.

Read Security Event Logging Explained for detection signals and Audit Logs Explained for evidence trails.

Common risks

The first risk is over-permissioned service accounts. One leaked credential can become full production access.

The second risk is shared accounts. If five services use one account, logs cannot tell which service did what.

The third risk is orphaned accounts. Nobody knows whether the account is still needed, so it remains active.

The fourth risk is static secrets that never rotate.

The fifth risk is human use of service accounts. If a person uses a machine identity for manual work, accountability becomes blurry.

Service accounts and APIs

For APIs, service accounts often map to clients or integrations.

An API might expose a token with:

client_id = billing-worker
scope = invoices:read invoices:write

The API should validate the client identity, required scopes, and resource boundaries.

Read API Authentication Best Practices for the protected API checklist and API Key Design Best Practices for key-based access.

Practical backend checklist

When creating a service account:

  • Give it a clear name and owner.
  • Use one account per service or integration boundary.
  • Grant only required permissions.
  • Store credentials in a secret manager or platform identity system.
  • Avoid shared human use.
  • Log actions with request IDs and account identity.
  • Rotate credentials on a schedule or after risk events.
  • Review last-used time and permissions.
  • Disable accounts when services are retired.
  • Document emergency revocation steps.

Service accounts are not just credentials. They are production identities and should be managed with the same seriousness as user access.

Read OAuth Client Credentials Flow Explained for service-to-service OAuth, API Authentication Best Practices for protected APIs, and Least Privilege Explained for narrow access. Read Secret Management Explained, Security Event Logging Explained, and Audit Logs Explained for operating service accounts safely. For the full sequence, browse the Backend Security Learning Path, Authentication Learning Path, and Topics.