# Working with Service Account

## **Overview** <a href="#tong-quan" id="tong-quan"></a>

A **Service Account** is an identity with specific permissions that you create in your account. Service Accounts are similar to IAM users: both are identities with Policies that define what the identity can and cannot do with GreenNode resources. However, a Service Account is an identity used by an application or a machine, not a person, to make authorized API calls and access specified resources.

***

## Create a Service Account <a href="#khoi-tao-service-account" id="khoi-tao-service-account"></a>

To create a Service Account, follow the steps below:

1. Log in to <https://iam.console.vngcloud.vn/> with Root User Account.
2. Select **Service Account**.
3. Select **Create a Service Account**.
4. In the **Add information** section, enter the **Name** you want. The Service Account name must be 1 to 50 characters long and can only include uppercase and lowercase letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\_), hyphens (-) and spaces ( ). The name should not contain sensitive information (e.g. IP address, login password) and must be unique within a GreenNode account until the Service Account is deleted. For example, the following Service Account name is valid: SA\_Client\_tool\_01.
5. In the Trusted relationship field, enter Account Root IS if you want to add association information between the Service Account and the Root User Account.
6. Select **Next step**.
7. In the **Add permission** section, you can:
   1. Select one or more of your existing policies to associate with the Service Account. The vIAM system lets you assign multiple policies to a Service Account. If these policies contain independent permissions, they complement each other (i.e. the permission lists are merged). If they contain conflicting permissions, you will not be able to access the corresponding resources (i.e. the permission lists are merged and conflicting permissions cancel each other out).
   2. If the policy you want is not in the list, continue with the steps below and create the policy after creating the Service Account.
8. Select **Copy** to copy the Secret key. You need this information to access vStorage using the Service Account.
9. Select **Download** to download this secret key and store it on your local device.
10. Select **Back to list** to return to the screen containing the Service Account list.

After you complete the 10 steps above, a Service Account has been created.

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-1c69f435bfb7c43a35e62870fc2b2e1796670c79%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## Assign permissions to work with the project to the Service Account <a href="#phan-quyen-lam-viec-voi-project-vstorage-api-cho-service-account" id="phan-quyen-lam-viec-voi-project-vstorage-api-cho-service-account"></a>

### Create an IAM Policy <a href="#khoi-tao-iam-policy" id="khoi-tao-iam-policy"></a>

To initialize a policy used to access vStorage resources, follow the steps below:

1. Log in to <https://iam.console.vngcloud.vn/> with Root User Account.
2. Select the **Policy** folder.
3. Select **Create a Policy**.
4. Enter a **Name** and, if you have one, a **Description** for the Policy.
5. Select **Next step**.
6. Select **Product** as <mark style="background-color:blue;">**vstorage**</mark>.
7. Select **Actions**:
   1. Select **Allow permissions**: this mode is on by default in the vIAM system, which means the selected permissions are allowed by the policy. If you turn this mode off, the system denies (reverses) the corresponding permissions.
      1. **Allow permissions**: allow access according to the selected action.
      2. **Deny permissions**: deny access according to the selected action.
   2. Select <mark style="background-color:blue;">**All vstorage actions**</mark> if you want to create a policy that has the right to perform all actions on vStorage. Alternatively, select only the specific actions that you want to authorize for the Service Account.
8. Select **Resources**: select **All resources**.
9. Select **Request conditions**: enter special conditions for the policy, if any.

   <figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-2e130231b9f7bcb03a2b250abc494bddaef653f5%2FScreenshot-4.png?alt=media" alt=""><figcaption></figcaption></figure>

### Attach IAM Policy to Service Account <a href="#attach-iam-policy-vao-service-account" id="attach-iam-policy-vao-service-account"></a>

Once you have created the desired Service Account and Policy, you will need to link the Service Account to the policy as per the instructions below:

1. Log in to <https://iam.console.vngcloud.vn/> with Root User Account.
2. Select the **Service Account** folder.
3. Select the **Service Account** you want to assign permissions to.
4. Select **Attach policies**.
5. Select the **policies** you want. The vIAM system lets you assign multiple policies to a Service Account. If these policies contain independent permissions, they complement each other (i.e. the permission lists are merged). If they contain conflicting permissions, you will not be able to access the corresponding resources (i.e. the permission lists are merged and conflicting permissions cancel each other out).
6. Select **Attach**.

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-880ef034cb2201f204ed210f50522f683f332410%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## Assign permissions to work with bucket/object to the Service Account <a href="#phan-quyen-lam-viec-voi-bucket-object-cho-service-account" id="phan-quyen-lam-viec-voi-bucket-object-cho-service-account"></a>

To grant a Service Account access to a bucket/object, you grant permission through a Bucket Policy. The steps are as follows:

1. Log in to [https://vstorage.console.vngcloud.vn](https://vstorage.console.vngcloud.vn/storage/list).
2. Select the **Bucket** you want to assign permissions to the Service Account.
3. Select the **Action** icon and select **Configure policy**.

   <figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-9b5cab09c5dc418f1e6b069feb2dd29ffeec51c8%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
4. Here, you can choose the configuration for each **Statement** on the left or directly edit the JSON file in the right column. Specifically, the structure of a Bucket Policy includes:
   * **Version**: Specifies the version of the Bucket Policy (recommended `"2012-10-17"`).
   * **Statement**: Each policy will have one or more **Statements** (specific purposes of the policy).
     * **Effect**: `Allow` or `Deny` access.
     * **Principal**: The object granted access, which is the IAM vStorage User ID information you copied above.
     * **Action**: Actions allowed on the bucket, for example: `s3:GetObject` (view object), `s3:PutObject` (upload object), `s3:DeleteObject` (delete object), …
     * **Resource**: Specific buckets and objects affected by the policy (using ARN to identify resources).
     * **Condition**: (Optional) Specific condition that restricts access.
5. Select **Save** to save the Bucket Policy configuration.
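
Before saving, a policy built from the fields above can be checked for grants wider than one Service Account on one bucket. The following is an added example, not vStorage's own code: the `arn:aws:s3:::` resource form, the `{"AWS": [...]}` principal shape, the bucket name `reports` and the principal placeholder are assumptions, and both sample policies are constructed.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    """Flatten Principal, which may be a string, a list or a mapping of lists."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def lint_bucket_policy(policy_json, bucket):
    """Return findings for Allow statements broader than one bucket needs."""
    arn = f"arn:aws:s3:::{bucket}"  # assumed S3-style ARN form
    policy, findings = json.loads(policy_json), []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not the recommended 2012-10-17")
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # only Allow statements can widen access
        tag = f"Statement[{i}]"
        if "*" in _principals(st.get("Principal")):
            findings.append(f"{tag}: Principal is a wildcard")
        if {"*", "s3:*"} & set(_as_list(st.get("Action"))):
            findings.append(f"{tag}: Action covers every S3 operation")
        for res in _as_list(st.get("Resource")):
            # Exact bucket ARN or an object path under it; a bare prefix
            # match would also accept a bucket named "<bucket>-something".
            if res != arn and not str(res).startswith(arn + "/"):
                findings.append(f"{tag}: Resource {res} is outside {bucket}")
    return findings

# Constructed sample policies; the principal value is a placeholder.
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::*"}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["<SERVICE_ACCOUNT_USER_ID>"]},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::reports/*"]}]})

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, lint_bucket_policy(doc, "reports") or "no findings")
```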

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-05da22752029301dab823fc34844059a8843c039%2FScreenshot%20from%202025-11-10%2013-55-00.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-19dff7076e2a68fa73296c0eace9bd001af840c0%2FScreenshot%20from%202025-11-10%2013-57-21.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## Work with vStorage API via Service Account <a href="#thuc-hien-lam-viec-voi-vstorage-api-thong-qua-service-account" id="thuc-hien-lam-viec-voi-vstorage-api-thong-qua-service-account"></a>

Follow the steps below to work with vStorage via Service Account:

1. Log in to [https://vstorage.console.vngcloud.vn](https://vstorage.console.vngcloud.vn/storage/list).
2. Select the **Integration** folder.
3. Select the **vStorage API** icon.
4. In the **Authentication** section, fill in the information needed to configure your vStorage API:
   1. Enter the **Client ID**. A **Client ID** is a string of characters used by the Service API to identify your application, and is also used to construct the "authorization URL" displayed to the user. You can create and manage **Client IDs** through the vIAM system. The **Client ID** is automatically generated when you create a new **Service Account**.
   2. Enter the **Client Secret** corresponding to the **Client ID** you just entered. The Client ID and Client Secret pair is created and managed by you through the vIAM system. You can select [Click here to manage your Client ID.](https://iam.console.vngcloud.vn/service-accounts) to go to the vIAM system and its Service Account management screens.
5. Once you have finished your **authentication** configuration, select **Authentication** to go to the **Configuration** screen. Here you can use the vStorage APIs directly, or you can use the API via Postman. You can always come back here to change your **Authorization** information, then select **Authentication** again to update the S3 Rest API list with your new parameters.

For details, please refer to <https://docs.api.vngcloud.vn/service-docs/vstorage-api.html> .

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-4cce3d194606b41b167838b48be2f08f285ea4d4%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-a4b1f7ee57c4d9b880f49d2c046555f4d508b6c1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1985221522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7rE7M1L7GYcwQzNGd0aB%2Fuploads%2Fgit-blob-f67bd118ea975efd9fb6322b4e768c801a4f0801%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## Authorization with Service Account <a href="#xoa-service-account" id="xoa-service-account"></a>

To use the vStorage APIs, the client ID and client secret are exchanged for an access token at the authorization server (<https://iamapis.vngcloud.vn/accounts-api/v2/auth/token>) using the OAuth2 method.

**Header**

> 'Authorization':'Basic Base64(clientID:clientSecret)'

**Request body**

> 'grant\_type':'client\_credentials'
>
> 'scope':'email'

**Response**

> 'token\_type':'bearer'\
> 'access\_token':'koxoQrfdAhCFIRl1Sy897kRuHcOlswcW'\
> 'expires\_in':7200

If the credentials are authorized, an **access\_token** will be returned. Users will use this **access\_token** to access resources from the resource server.

**Example:**

```bash
curl -X POST 'https://iamapis.vngcloud.vn/accounts-api/v2/auth/token' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Basic ZGM3MTYxNTYtMjQwMi00MDg2LTliYWItZGU5OTIxODVlYjU1OmJhYjYzYTZmLWYzOGUtNDZmNC05NjIyLTYzNTQwNGQ4MDFlNQ==' \
  -d '{ "grant_type": "client_credentials", "scope":"email" }'
```

```json
{"token_type":"Bearer","access_token":"eyJhbGciOiJSUz......GWug","expires_in":1800,"refresh_expires_in":0}
```
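
The same exchange from application code, as an added example that is not part of the original documentation: it reads the Client ID and Client Secret from the environment instead of hard-coding them, keeps the token in memory only, and renews it shortly before `expires_in` elapses. The environment variable names, the 60-second renewal margin and the class and function names are assumptions.

```python
import base64
import json
import os
import time
import urllib.request

TOKEN_URL = "https://iamapis.vngcloud.vn/accounts-api/v2/auth/token"  # from the page

def build_token_request(client_id, client_secret):
    """Headers and JSON body for the client_credentials request shown above."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {basic}"}
    body = {"grant_type": "client_credentials", "scope": "email"}
    return headers, json.dumps(body).encode()

def http_post(url, headers, body):
    """Default transport: HTTPS POST with a timeout, returns the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Keeps the token in memory only and renews it before expires_in elapses."""

    def __init__(self, client_id, client_secret, post=http_post,
                 clock=time.monotonic, skew=60):
        self._creds = (client_id, client_secret)
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._deadline = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            reply = self._post(TOKEN_URL, *build_token_request(*self._creds))
            if str(reply.get("token_type", "")).lower() != "bearer" \
                    or not reply.get("access_token"):
                raise RuntimeError("unexpected token response")  # reply is not logged
            lifetime = max(int(reply.get("expires_in", 0)) - self._skew, 0)
            self._token = reply["access_token"]
            self._deadline = self._clock() + lifetime
        return self._token

    def auth_header(self):
        """Header for resource-server calls (standard OAuth2 bearer usage)."""
        return {"Authorization": f"Bearer {self.get()}"}

def cache_from_env(**kwargs):
    """Load the pair from environment variables (names are assumptions)."""
    return TokenCache(os.environ["VSTORAGE_CLIENT_ID"],
                      os.environ["VSTORAGE_CLIENT_SECRET"], **kwargs)
```

The `post` and `clock` parameters exist so the cache can be exercised offline with a stub transport.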

***

## Delete Service Account <a href="#xoa-service-account" id="xoa-service-account"></a>

To cancel (delete) a previously created Service Account, follow the instructions below:

1. Log in to <https://iam.console.vngcloud.vn/> with Root User Account.
2. Select **Service Account** .
3. On the list of existing Service Accounts, select one or more Service Accounts that you want to cancel (delete).
4. Select **Delete** .

Once the Service Account is successfully cancelled, you will no longer be able to use this Service Account to access vStorage. Be careful when cancelling (deleting) a Service Account as you will not be able to recover this deleted account.
