Introduction: Use the following steps to create a service account for an application that will connect to Flexera One’s APIs. Service accounts are complementary to refresh tokens: they can be given lesser privileges and can be decoupled from any specific user. Create a distinct service account for each application you wish to connect to Flexera One. Please note that the domain of every endpoint you use needs to match the region where your org is hosted.
NAM: .com
EMEA: .eu
APAC: .au
Instructions:
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/service-accounts \
  -H "Authorization: Bearer $USER_TOKEN" \
  -d '{"name": "my application", "description": "Reads data from Flexera One APIs"}' -i

HTTP/2 201
...
location: /iam/v1/orgs/1105/service-accounts/2263
...

curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/service-accounts/2263 \
  -H "Authorization: Bearer $USER_TOKEN" | jq

{
  "id": 2263,
  "name": "my application",
  "description": "Reads data from Flexera One APIs",
  "createdBy": 121456,
  "createdAt": "2023-07-10T20:28:48.531479Z",
  "updatedAt": "2023-07-10T20:28:48.531479Z",
  "kind": "iam#service-account",
  "ref": "iam#service-account:2263"
}

curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/roles \
  -H "Authorization: Bearer $USER_TOKEN" | jq

[
  ...
  {
    "id": 678907,
    "createdAt": "2020-03-20T16:18:56.542732Z",
    "name": "iam_admin",
    "capability": "iam",
    "privileges": [
      ...
      "iam:user:index",
      "iam:user:show"
    ],
    "kind": "iam#role"
  },
  ...
]

curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/access-rules/grant -X PUT -i \
  -H "Authorization: Bearer $USER_TOKEN" -d '{
    "role": {
      "name": "iam_admin"
    },
    "subject": {
      "ref": "ref::::iam:service-account:2263"
    }
  }'

HTTP/2 204
...

curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/service-accounts/2263/clients \
  -H "Authorization: Bearer $USER_TOKEN" -X POST

{"clientId":"<clientId>","clientSecret":"<clientSecret>","createdBy":121456,"createdAt":"2023-07-10T20:50:41.195629Z","kind":"iam#service-account-client"}

curl -X POST https://login.flexera.com/oidc/token -d \
  "client_id=<clientId>&client_secret=<clientSecret>&grant_type=client_credentials" | jq

{
  "access_token": "<accessToken>",
  "expires_in": 3600,
  "token_type": "Bearer"
}

curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/users \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .

{
  "values": [
    {
      "kind": "iam#user",
      "ref": "iam#user:111222333",
      "id": 111222333,
      "email": "JDoe@flexera.com",
      "firstName": "Jane",
      "lastName": "Doe",
      "createdAt": "2022-11-14T15:29:45.191995Z",
      "updatedAt": "2023-06-28T20:40:14.999786Z",
      "lastUILogin": "2023-06-28T20:40:15.705245Z",
      "lastAPILogin": "2023-01-23T19:51:56.346877Z"
    },
    ...
  ]
}
More Details: You will need to use the api.flexera endpoint that matches the environment that your org is located in (NAM=.com, EMEA=.eu, and APAC=.au). Please note that the ITAM Data API does not support the use of service accounts at this time.
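The token request and the API call from the steps above as one script, added here as an example and not Flexera's own code: a single region setting selects both the login and API hosts (following the note that every endpoint's domain must match the org's region), and the client secret and bearer token reach curl through a config on stdin (`-K -`) instead of the command line. The `FLEXERA_*` environment variable names and the function names are assumptions; the script needs `curl` and `jq`.

```shell
#!/bin/sh
# Added example, not Flexera's code. Assumed environment variables:
# FLEXERA_REGION (NAM|EMEA|APAC), FLEXERA_ORG_ID, FLEXERA_CLIENT_ID, FLEXERA_CLIENT_SECRET.

# Region label -> domain suffix, as listed on this page.
flexera_tld() {
  case "$1" in
    NAM) echo com ;; EMEA) echo eu ;; APAC) echo au ;;
    *) echo "unknown region: $1" >&2; return 1 ;;
  esac
}
token_url() { tld=$(flexera_tld "$1") || return 1; echo "https://login.flexera.$tld/oidc/token"; }
api_url() { tld=$(flexera_tld "$1") || return 1; echo "https://api.flexera.$tld/iam/v1/orgs/$2/$3"; }

# Escape backslash and double quote for a quoted curl config value.
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Build a curl config (for `curl -K -`) so the secret travels on stdin
# instead of in curl's argv, where it can show up in process listings.
token_request_config() {
  url=$(token_url "$1") || return 1
  printf 'url = "%s"\n' "$url"
  printf 'data-urlencode = "client_id=%s"\n' "$(cfg_escape "$2")"
  printf 'data-urlencode = "client_secret=%s"\n' "$(cfg_escape "$3")"
  printf 'data = "grant_type=client_credentials"\n'
}

# Exchange the client credentials for an access token; fail if none comes back.
get_token() {
  token=$(token_request_config "$1" "$2" "$3" | curl -sS --fail -K - | jq -r '.access_token // empty')
  [ -n "$token" ] || { echo "no access_token returned" >&2; return 1; }
  printf '%s' "$token"
}

main() {
  token=$(get_token "$FLEXERA_REGION" "$FLEXERA_CLIENT_ID" "$FLEXERA_CLIENT_SECRET") || return 1
  url=$(api_url "$FLEXERA_REGION" "$FLEXERA_ORG_ID" users) || return 1
  # The bearer token is also passed through the config, not argv.
  printf 'header = "Authorization: Bearer %s"\n' "$token" | curl -sS --fail -K - "$url" | jq .
}

# Runs only when credentials are present in the environment.
if [ -n "${FLEXERA_CLIENT_ID:-}" ]; then main; fi
```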
Jul 13, 2023 02:13 PM - edited Apr 15, 2024 09:40 AM
Remember to edit the URI api.flexera.com to whatever geographic instance you're using, e.g. api.flexera.eu / api.flexera.au
Otherwise you'll get a 401 unauthorized error.