> ## Documentation Index
> Fetch the complete documentation index at: https://datum-4926dda5-docs-api-reference-demo.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# ServiceAccount

> ServiceAccount is the Schema for the service accounts API.

<Note>
  API resource reference for **ServiceAccount**, part of the [IAM service](/api/iam/overview). To create or change one, see [Changing resources](/datumctl/resources/changing); to inspect, see [Reading resources](/datumctl/resources/reading).
</Note>

<Warning>
  This resource is part of the `v1alpha1` API and is subject to change. Fields and behavior may change in future releases.
</Warning>

## Identity

|         |                    |
| ------- | ------------------ |
| Group   | `iam.miloapis.com` |
| Version | `v1alpha1`         |
| Kind    | `ServiceAccount`   |
| Scope   | Platform           |

## Overview

A `ServiceAccount` represents a non-human identity that can authenticate to Datum Cloud, for use by automation, CI pipelines, and other machine-to-machine workloads. Once created, the platform computes a stable email address for the identity, and you control whether it can authenticate by setting its `state`. Set the state to `Inactive` to immediately prohibit new authentication and revoke existing sessions, then back to `Active` to restore access.

## Spec fields

| Field        | Type   | Required | Description                                                                                                                                                                                                                                         |
| ------------ | ------ | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `spec.state` | string | No       | The activation state of the service account, one of `Active` or `Inactive`. `Active` allows the service account to authenticate; `Inactive` prohibits authentication and revokes all existing sessions. This state can be safely changed as needed. |

## Status fields (read-only)

| Field               | Type      | Description                                                                                                                                                                                            |
| ------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `status.conditions` | \[]Object | Conditions that represent the current status of the ServiceAccount.                                                                                                                                    |
| `status.email`      | string    | The computed email of the service account, following the pattern `{name}@{namespace}.{project}.{global-suffix}`.                                                                                       |
| `status.state`      | string    | The current activation state (`Active` or `Inactive`) as observed from the auth provider. Tracks the state from the previous generation and is updated once a state change is successfully propagated. |

## Usage

```yaml theme={null}
apiVersion: iam.miloapis.com/v1alpha1
kind: ServiceAccount
metadata:
  name: ci-deployer
spec:
  state: Active
```

```bash theme={null}
datumctl apply -f serviceaccount.yaml
datumctl get serviceaccounts.iam.miloapis.com
datumctl describe serviceaccounts.iam.miloapis.com ci-deployer
```

<Tip>
  Run `datumctl explain serviceaccounts.iam.miloapis.com --recursive` to see the full, live field tree for this resource.
</Tip>
