Use the following steps to create a service account for an application that will connect to Flexera One’s APIs. Service accounts are complementary to refresh tokens. They can be given lesser privileges and can be decoupled from any specific user. Create a distinct service account for each application you wish to connect to Flexera One.
NOTE: The domain for any endpoints used must match the region where your org is hosted. For North America (NAM), use .com; for Europe, the Middle East, and Africa (EMEA), use .eu; for Asia Pacific (APAC), use .au.
NOTE: The ITAM Data API does not support the use of service accounts at this time.
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/service-accounts \
  -H "Authorization: Bearer $USER_TOKEN" \
  -d '{"name": "my application", "description": "Reads data from Flexera One APIs"}' -i
HTTP/2 201
...
location: /iam/v1/orgs/1105/service-accounts/2263
...
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/service-accounts/2263 \
  -H "Authorization: Bearer $USER_TOKEN" | jq
{
  "id": 2263,
  "name": "my application",
  "description": "Reads data from Flexera One APIs",
  "createdBy": 121456,
  "createdAt": "2023-07-10T20:28:48.531479Z",
  "updatedAt": "2023-07-10T20:28:48.531479Z",
  "kind": "iam#service-account",
  "ref": "iam#service-account:2263"
}
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/roles \
  -H "Authorization: Bearer $USER_TOKEN" | jq
[
  ...
  {
    "id": 678907,
    "createdAt": "2020-03-20T16:18:56.542732Z",
    "name": "iam_admin",
    "capability": "iam",
    "privileges": [
      ...
      "iam:user:index",
      "iam:user:show"
    ],
    "kind": "iam#role"
  },
  ...
]
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/access-rules/grant -X PUT -i \
  -H "Authorization: Bearer $USER_TOKEN" -d '{
    "role": {
      "name": "iam_admin"
    },
    "subject": {
      "ref": "ref::::iam:service-account:2263"
    }
  }'
HTTP/2 204
...
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/service-accounts/2263/clients \
  -H "Authorization: Bearer $USER_TOKEN" -X POST
{"clientId":"<clientId>","clientSecret":"<clientSecret>","createdBy":121456,"createdAt":"2023-07-10T20:50:41.195629Z","kind":"iam#service-account-client"}
curl -X POST https://login.flexera.com/oidc/token -d \
  "client_id=<clientId>&client_secret=<clientSecret>&grant_type=client_credentials" | jq
{
  "access_token": "<accessToken>",
  "expires_in": 3600,
  "token_type": "Bearer"
}
curl -s https://api.flexera.com/iam/v1/orgs/$ORG_ID/users \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .
{
  "values": [
    {
      "kind": "iam#user",
      "ref": "iam#user:111222333",
      "id": 111222333,
      "email": "JDoe@flexera.com",
      "firstName": "Jane",
      "lastName": "Doe",
      "createdAt": "2022-11-14T15:29:45.191995Z",
      "updatedAt": "2023-06-28T20:40:14.999786Z",
      "lastUILogin": "2023-06-28T20:40:15.705245Z",
      "lastAPILogin": "2023-01-23T19:51:56.346877Z"
    },
    ...
  ]
}
The application can continue using the access token to accomplish its tasks, replacing its token whenever necessary.
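The token handling described above, as an added example (not Flexera's code and not part of the original article): a small Python helper that performs the client_credentials request against the login domain for the org's region and replaces the cached token shortly before `expires_in` elapses. The class name, the environment variable names and the 60-second refresh margin are assumptions; the EMEA and APAC login hosts are derived from the region note above.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Region suffixes from the note above: NAM uses .com, EMEA .eu, APAC .au.
REGION_TLD = {"NAM": "com", "EMEA": "eu", "APAC": "au"}


def http_post_form(url, fields):
    """Default transport: send form fields in the POST body, return parsed JSON."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenProvider:
    """Caches a client_credentials access token and replaces it before expiry."""

    def __init__(self, client_id, client_secret, region="NAM",
                 post=http_post_form, clock=time.monotonic, skew=60):
        self.url = f"https://login.flexera.{REGION_TLD[region]}/oidc/token"
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials"}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Refresh `skew` seconds early so a request never carries a token that expires in flight.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._post(self.url, self._fields)
            if reply.get("token_type", "").lower() != "bearer" or not reply.get("access_token"):
                raise RuntimeError("unexpected token response")  # do not log the reply body
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}


if __name__ == "__main__":
    # Credentials come from the environment (variable names are assumptions), not from argv.
    tp = TokenProvider(os.environ["FLEXERA_CLIENT_ID"],
                       os.environ["FLEXERA_CLIENT_SECRET"],
                       os.environ.get("FLEXERA_REGION", "NAM"))
    print(sorted(tp.auth_header()))  # prints the header name only, never the token
```

Reading the client secret from the environment keeps it out of the process argument list and shell history, where the `curl -d "client_id=...&client_secret=..."` form would leave it.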
on Jul 13, 2023 02:13 PM - edited on May 03, 2024 09:50 AM by HollyM
Remember to edit the URI api.flexera.com to whatever geographic instance you're using, e.g. api.flexera.eu / api.flexera.au.
Otherwise you'll get a 401 unauthorized error.