Service account commands

Service accounts are machine members of your organization, used by CI to provision infrastructure. They hold an organization role like any member, cannot log in, and authenticate only through OIDC trusts. All service-account commands require the org:service-accounts scope on your organization role, and are not available in personal workspaces.

create

Create a service account with the given organization role:

synthetiq service-account create <name> \
  --role-id <role-id>

<name> is a label you choose for the account (e.g. infra-apply).

Service account created.
  ID:    7d9e2f10-43aa-4c1e-9c70-2f6b1a8e5d23
  Name:  infra-apply

To let an external workload (e.g. CI) authenticate as the account, attach an OIDC trust with trust create. Find role ids with synthetiq role list. The printed id is what trust create takes as --service-account-id.

Flag	Description
`--role-id <id>`	Organization role for the service account (must be a service role, e.g. `CI Provision Apply`)
`--json`	Output as JSON

list

List the organization’s service accounts:

synthetiq service-account list

ID                                     NAME          ROLE                 TRUSTS   CREATED
7d9e2f10-43aa-4c1e-9c70-2f6b1a8e5d23   infra-apply   CI Provision Apply   1        Jun 12, 2026

Flag	Description
`--json`	Output as JSON (includes each account’s trusts)

update

Update a service account’s name or role:

synthetiq service-account update <service-account-id> [--name <name>] [--role-id <role-id>]

delete

Delete a service account:

synthetiq service-account delete <service-account-id>

Removes the account, its membership, and all trusts attached to it. Tokens already minted expire within 15 minutes; new exchanges fail immediately. Find role IDs (for --role-id) with role list.

Organization commands

Trust commands

⌘I

​create

​list

​update

​delete

create

list

update

delete