Service account tokens teamenterprise
If you have service tokens created on or before July 18, 2023, please read this important update.
Service account tokens enable you to securely authenticate with the dbt Cloud API by assigning each token a narrow set of permissions that more precisely manages access to the API. While similar to User API tokens, service account tokens belong to an account rather than a user.
You can use service account tokens for system-level integrations that do not run on behalf of any one user. Assign any permission sets available in dbt Cloud to your service account token, which can vary slightly depending on your plan:
- Enterprise plans can apply any permission sets available to service tokens.
- Team plans can apply Account Admin, Member, Job Admin, Read-Only, Metadata, and Semantic Layer permissions set to service tokens.
You can assign as many permission sets as needed to one token. For more on permissions sets, see "Enterprise Permissions."
Generate service account tokens
You can generate service tokens if you have a Developer license and account admin permissions. To create a service token in dbt Cloud, follow these steps:
- Open the Account Settings page by clicking the gear icon on the right-hand side.
- On the left sidebar, click on Service Tokens.
- Click the + New Token button to generate a new token.
- Once the token is generated, you won't be able to view this token again so make sure to save it somewhere safe.
Permissions for service account tokens
You can assign service account tokens to any permission set available in dbt Cloud. When you assign a permission set to a token, you will also be able to choose whether to grant those permissions to all projects in the account or to specific projects.
Team plans using service account tokens
The following permissions can be assigned to a service account token on a Team plan. See the Enterprise permissions article for more information about what these roles are able to do.
- Account Admin — Account Admin service tokens have full
read + write
access to an account, so please use them with caution. A Team plan refers to this permission set as an "Owner role." - Job Admin
- Job Runner
- Metadata Only
- Member
- Read-only
- Semantic Layer Only
Enterprise plans using service account tokens
The following permissions can be assigned to a service account token on an Enterprise plan. For more details about these permissions, see "Enterprise permissions."
- Account Admin — Account Admin service tokens have full
read + write
access to an account, so please use them with caution. - Account Viewer
- Admin
- Analyst
- Billing Admin
- Database Admin
- Developer
- Git Admin
- Job Admin
- Job Viewer
- Manage marketplace apps
- Metadata Only
- Semantic Layer Only
- Security Admin
- Stakeholder
- Team Admin
Service token update
On July 18, 2023, dbt Labs made critical infrastructure changes to service account tokens. These enhancements improve the security and performance of all tokens created after July 18, 2023. To ensure security best practices are in place, we recommend you rotate your service tokens created before this date.
To rotate your token:
- Navigate to Account settings and click Service tokens on the left side pane.
- Verify the Created date for the token is on or before July 18, 2023.
- Click + New Token on the top right side of the screen. Ensure the new token has the same permissions as the old one.
- Copy the new token and replace the old one in your systems. Store it in a safe place, as it will not be available again once the creation screen is closed.
- Delete the old token in dbt Cloud by clicking the trash can icon. Only take this action after the new token is in place to avoid service disruptions.