> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.
# Get started with 1Password Service Accounts
export const YouTubeVideo = ({src, title, alt}) => {
return
;
};
export const Small = ({children}) => {
return {children};
};
With 1Password Service Accounts, you can build tools to automate secrets management in your applications and infrastructure without deploying additional services.
Service accounts can:
* Create, fetch, edit, delete, and share items.
* Read environment variables from [1Password Environments](/environments).
* Create vaults.
* Delete vaults.
A service account can only delete a vault it created. See service account security.
* Retrieve information about users and groups.
Each service account has a [service account token](/service-accounts/security#service-accounts-and-token-generation) that you can provide as an environment variable for authentication. You can choose which vaults and [Environments](/environments) the service account can access and its permissions in each vault.
Service accounts have the following limitations:
* Service accounts have [rate limits and request quotes](/service-accounts/rate-limits/).
* You can't grant a service account access to your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault, or your default [Shared](https://support.1password.com/1password-glossary/#shared-vault) vault.
* Service accounts can only be granted read access to Environments.
* Service accounts only work with 1Password CLI version 2.18.0 or later. See [Use service accounts with 1Password CLI](/service-accounts/use-with-1password-cli/).
* You can't use service accounts with the [Kubernetes Operator](/k8s/operator/) (only the [Kubernetes Secrets Injector](/k8s/injector/)).
## Requirements
Before you can create and use service accounts, you'll need to:
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* Have adequate account permissions to create service accounts.
If you don't see the option to create service accounts, ask your administrator to [give you access to create and manage service accounts](/service-accounts/manage-service-accounts#manage-who-can-create-service-accounts).
## Create a service account
You can create a service account on 1Password.com or with [1Password CLI](/cli/).
Service account permissions, vault access, and Environment access are immutable. If you want to grant a service account access to additional vaults or Environments, change the permissions it has in the vaults it can access, or change its ability to create new vaults, you'll need to create a new service account with the appropriate permissions and access.
To create a service account on 1Password.com:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Open the [service account creation wizard](https://start.1password.com/developer-tools/infrastructure-secrets/serviceaccount/?source=dev-portal).
Or navigate to **Developer** > **Directory**, select **Other** under Infrastructure Secrets Management, then select **Create a Service Account**.
3. Follow the onscreen instructions:
1. Choose a name for the service account.
2. Choose whether the service account can create vaults.
3. Choose the vaults the service account can access.
You can't grant a service account access to your built-in Personal, Private, or Employee vault, or your default Shared vault.
4. Select the settings icon next to each vault to choose the permissions the service account has in the vault. This can't be changed later.
5. Choose which [1Password Environments](/environments) the service account can access. This can't be changed later.
6. Select **Create Account** to create the service account.
7. Select **Save in 1Password** to save the service account token in your 1Password account. In the next window, enter a name for the item and choose the vault where you want to save it.
The service account creation wizard only shows the service account token once. **Save the token in 1Password** immediately to avoid losing it. Treat this token like a password, and don't store it in plaintext.
You can find your new service account under "Service accounts" on the [**Developer**](https://start.1password.com/developer-tools/active) page.
Use the [service account creation wizard](https://start.1password.com/developer-tools/infrastructure-secrets/serviceaccount/?source=dev-portal) on 1Password.com if you want to create a service account that can access 1Password Environments.
To create a service account with 1Password CLI:
1. Make sure you have the latest version of [1Password CLI](/cli/get-started/) on your machine.
2. Create a new service account using the [`op service-account create` command](/cli/reference/management-commands/service-account#service-account-create):
```shell theme={null}
op service-account create --expires-in --vault ,
```
Available permissions: `read_items`, `write_items` (requires `read_items`), `share_items` (requires `read_items`)
Include the `--can-create-vaults` flag to allow the service account to create new vaults.
If the service account or vault name contains one or more spaces, enclose the name in quotation marks (for example, “My Service Account”). You don't need to enclose strings in quotation marks if they don't contain spaces (for example, myServerName).
Service accounts can't be modified after they're created. If you need to make changes, revoke the service account and create a new one.
3. Save the service account token in your 1Password account.
4. If you want to start using the service account with 1Password CLI, [export the token to the `OP_SERVICE_ACCOUNT_TOKEN` environment variable](/service-accounts/use-with-1password-cli#get-started).
For example, to create a service account named `My Service Account` that has read and write permissions in a vault named `Production`, can create new vaults, and expires in 24 hours:
```shell theme={null}
op service-account create "My Service Account" --can-create-vaults --expires-in 24h --vault Production:read_items,write_items
```
1Password CLI only returns the service account token once. **Save the token in 1Password** immediately to avoid losing it. Treat this token like a password, and don't store it in plaintext.
If your [sign-in address](https://support.1password.com/1password-glossary/#sign-in-address) changes, you'll need to [rotate your service account tokens](/service-accounts/manage-service-accounts#rotate-token).
## Next steps
Explore the following to learn about how you can use service accounts.
* [Use a service account with 1Password CLI.](/service-accounts/use-with-1password-cli/)
* [Manage a service account.](/service-accounts/manage-service-accounts/)
* [Integrate a service account with a CI/CD pipeline.](/ci-cd/)
* [Integrate a service account with Kubernetes.](/k8s/integrations/)
**Need help?**
[Join our Developer Slack workspace](/joinslack) to ask questions and provide feedback.