Skip to content

feat(api): add full service account support at instance, group, and project level#3361

Open
syphernl wants to merge 2 commits intopython-gitlab:mainfrom
syphernl:feat/extend_service_accounts
Open

feat(api): add full service account support at instance, group, and project level#3361
syphernl wants to merge 2 commits intopython-gitlab:mainfrom
syphernl:feat/extend_service_accounts

Conversation

@syphernl
Copy link
Copy Markdown

@syphernl syphernl commented Mar 5, 2026
edited
Loading

Changes

Extends service account support to cover all API levels and adds missing CRUD operations. Closes #2812. Supersedes #3109.

Instance-level service accounts (gl.service_accounts)

  • List: GET /service_accounts
  • Create: POST /service_accounts
  • Update: PATCH /service_accounts/:id (via .update() or .save())

Group-level service accounts (group.service_accounts)

  • Added update support: PATCH /groups/:id/service_accounts/:user_id
  • Added email parameter to create/update
  • Added order_by / sort list filters
  • Added personal access token sub-resource (service_account.access_tokens):
    list, create, delete, rotate — mirrors group access tokens

Project-level service accounts (project.service_accounts)

  • Full CRUD: list, create, update (PATCH), delete
  • Personal access token sub-resource (service_account.access_tokens): list, create, delete, rotate

Usage

# Instance level
sa = gl.service_accounts.create({"name": "bot", "username": "my-bot"})
sa.name = "renamed-bot"
sa.save()

# Group level
sa = group.service_accounts.create({"name": "ci-bot"})
token = sa.access_tokens.create({"name": "ci-token", "scopes": ["api"], "expires_at": "2026-01-01"})
token.rotate()
sa.delete()

# Project level
sa = project.service_accounts.create({"name": "deploy-bot"})
token = sa.access_tokens.create({"name": "deploy-bot-token", "scopes": ["read_repository"]})
project.service_accounts.delete(sa.id)

Notes

  • No GetMixin is added at any level. The API exposes list-only, not fetch-by-id.
  • Subgroup-level is covered by the group-level implementation (subgroups are groups in GitLab's data model).

Documentation and testing

@syphernl syphernl force-pushed the feat/extend_service_accounts branch 3 times, most recently from 154f447 to 358da71 Compare March 5, 2026 08:14
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 5, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.78%. Comparing base (659c648) to head (444c261).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3361      +/-   ##
==========================================
+ Coverage   92.16%   95.78%   +3.62%     
==========================================
  Files         100      100              
  Lines        6125     6170      +45     
==========================================
+ Hits         5645     5910     +265     
+ Misses        480      260     -220
Flag Coverage Δ
api_func_v4 83.74% <100.00%> (?)
cli_func_v4 78.73% <100.00%> (+0.15%) ⬆️
unit 90.32% <100.00%> (+0.08%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
gitlab/client.py 98.55% <100.00%> (+1.99%) ⬆️
gitlab/mixins.py 91.50% <ø> (+5.20%) ⬆️
gitlab/v4/objects/projects.py 98.95% <100.00%> (+<0.01%) ⬆️
gitlab/v4/objects/service_accounts.py 100.00% <100.00%> (ø)

... and 22 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@syphernl syphernl mentioned this pull request Mar 21, 2026
Open
@JohnVillalovos JohnVillalovos force-pushed the feat/extend_service_accounts branch from b67174c to 611dd0f Compare April 18, 2026 17:13
@JohnVillalovos JohnVillalovos requested a review from Copilot April 18, 2026 17:13
Copilot AI reviewed Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds first-class support for GitLab Service Accounts across instance, group, and project scopes in the python-gitlab v4 object model, including personal access token sub-resources for group/project service accounts, plus docs and unit tests to validate the new endpoints.

Changes:

  • Introduces instance-level gl.service_accounts with list/create/update (PATCH) and save() support.
  • Expands group-level service accounts with update (PATCH), delete, and a personal_access_tokens sub-resource (list/create/delete/rotate).
  • Adds project-level service accounts CRUD and a matching personal_access_tokens sub-resource, with docs + unit tests.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
gitlab/v4/objects/service_accounts.py Implements instance/group/project service account managers + token sub-resources (create/list/update/delete/rotate) using existing mixins.
gitlab/client.py Exposes instance-level service_accounts manager on the GitLab client (gl.service_accounts).
gitlab/v4/objects/projects.py Adds service_accounts manager typing/import so project.service_accounts is available.
tests/unit/objects/test_service_accounts.py Adds unit tests for service account operations and token sub-resource operations across instance/group/project levels.
docs/gl_objects/service_accounts.rst New documentation page covering usage for all scopes and token sub-resources.
docs/api-objects.rst Registers the new service accounts documentation page in the API objects docs index.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

JohnVillalovos
JohnVillalovos approved these changes Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@JohnVillalovos JohnVillalovos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @syphernl

LGTM

I'll give @nejch an opportunity to review this. But if he doesn't have time I'll plan on merging it on Monday. If I forget feel free to update this to remind me.

@JohnVillalovos
Copy link
Copy Markdown
Member

JohnVillalovos commented Apr 19, 2026
edited
Loading

Also, I'm okay with this as a follow-up or updating this commit.

It would be good to update gitlab/mixins.py the RotateMixin.rotate() method and the @cli.register_custom_action decorator.

Same for ObjectRotateMixin

Thanks!

fix(mixins): register service account token classes in RotateMixin CL…
444c261 
…I actions

Add GroupServiceAccountAccessTokenManager, ProjectServiceAccountAccessTokenManager,
GroupServiceAccountAccessToken, and ProjectServiceAccountAccessToken to the
cli.register_custom_action cls_names in RotateMixin and ObjectRotateMixin.
@syphernl syphernl requested a review from JohnVillalovos April 19, 2026 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@JohnVillalovos JohnVillalovos Awaiting requested review from JohnVillalovos

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support group-level service-accounts

3 participants

@syphernl @JohnVillalovos