Service Accounts

Service accounts provide API key authentication for CI/CD pipelines, scripts, and automated systems.

coldrune service-account create --org my-org --name ci-deploy

The API key is displayed once and cannot be retrieved again. It starts with the cr_sa_ prefix.

coldrune service-account create --org my-org --name ci-deploy --project api-backend

A project-scoped service account can only access secrets within that project.

coldrune service-account list --org my-org
coldrune service-account revoke --org my-org --id <service-account-id>

Revoking also soft-deletes any ACL rules associated with the service account.

Set the COLDRUNE_API_KEY environment variable:

export COLDRUNE_API_KEY=cr_sa_...
coldrune secret get DB_PASSWORD --org my-org --project api --env prod

The CLI detects the cr_sa_ prefix and uses the X-API-Key header automatically.

curl http://localhost:7100/api/orgs/my-org/projects/api/envs/prod/secrets/DB_PASSWORD \
  -H 'X-API-Key: cr_sa_...'

steps:
  - name: Deploy with secrets
    env:
      COLDRUNE_API_KEY: ${{ secrets.COLDRUNE_API_KEY }}
      COLDRUNE_SERVER_URL: https://api.coldrune.com
    run: |
      coldrune run --org my-org --project api --env prod -- ./deploy.sh
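
Because the key is shown only once and is meant to live in the CI secret store, a repository check for committed keys is a useful companion to the workflow above. The script below is an added example, not part of the Coldrune CLI or its documentation; the key body pattern (16 or more characters of `[A-Za-z0-9_-]` after `cr_sa_`) and the `--scan` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find hard-coded Coldrune service account keys in a source tree.
# Assumption: the key body after "cr_sa_" is 16+ characters of [A-Za-z0-9_-];
# the documentation states only the prefix.
KEY_PATTERN='cr_sa_[A-Za-z0-9_-]{16,}'

# redact_key KEY: print the prefix and the last four characters only,
# so a finding can be logged without re-exposing the key.
redact_key() {
    last4=$(printf '%s' "$1" | tail -c 4)
    printf 'cr_sa_****%s\n' "$last4"
}

# scan_for_keys DIR: print "file:line: <redacted key>" for each match.
# Returns 1 if any key was found, 0 otherwise.
scan_for_keys() {
    found=0
    # -I skips binary files, -o prints only the matched key text.
    hits=$(grep -rnIoE --exclude-dir=.git "$KEY_PATTERN" "$1" 2>/dev/null || true)
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # grep prints file:line:match and the key contains no colon,
        # so the text after the last colon is the key.
        printf '%s: %s\n' "${line%:*}" "$(redact_key "${line##*:}")"
        found=1
    done <<EOF
$hits
EOF
    return "$found"
}

# Hypothetical usage: sh scan.sh --scan <dir>; a non-zero exit fails the CI step.
if [ "${1:-}" = "--scan" ]; then
    scan_for_keys "${2:-.}"
fi
```

A key found this way should be treated as exposed and revoked with `coldrune service-account revoke`, since it cannot be retrieved or rotated in place.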

Service accounts always require explicit ACL rules. They never bypass access control, even if created by an org owner.

# Grant the service account access
coldrune acl grant \
  --org my-org \
  --subject ci-deploy \
  --project api-backend \
  --env prod \
  --permission write

# Create
curl -X POST http://localhost:7100/api/orgs/my-org/service-accounts \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{"name": "ci-deploy"}'
# Response: {"id": "...", "name": "ci-deploy", "api_key": "cr_sa_..."}

# List
curl http://localhost:7100/api/orgs/my-org/service-accounts \
  -H 'Authorization: Bearer <token>'

# Revoke
curl -X DELETE http://localhost:7100/api/orgs/my-org/service-accounts/<id> \
  -H 'Authorization: Bearer <token>'