# Service Account

Service accounts are machine identities designed for automated processes and applications. Unlike human [users](/administration/user-groups/overview), service accounts authenticate via API keys and are intended for programmatic access.

## Workspace vs Project Level

Service accounts can be created at two levels:

* **Workspace level** — Has access governed by workspace IAM policies. Suitable for cross-project automation.
* **Project level** — Scoped to a single project, following the principle of least privilege. Suitable for isolated automation within one project.

## Create a Service Account

1. For workspace-level: go to **IAM & Admin** > **Service Accounts** tab and click **Add Service Account**.
2. For project-level: go to **Project** > **Manage** > **Service Accounts** and click **Add Service Account**.

<Note>
  Service accounts cannot be part of [user groups](/administration/user-groups/overview). Because service accounts are for automated processes with specific access needs, including them in groups could grant unintended permissions. Adding service accounts to groups is considered an [anti-pattern](https://cloud.google.com/iam/docs/best-practices-service-accounts#groups).
</Note>

## Service Account vs Workload Identity

|                | Service Account                        | [Workload Identity](/administration/workload-identity/overview) |
| -------------- | -------------------------------------- | --------------------------------------------------------------- |
| **Credential** | Long-lived API key                     | Short-lived OIDC token                                          |
| **Best for**   | Scripts, Terraform, general API access | CI/CD pipelines (GitHub Actions, GitLab CI)                     |
| **Security**   | Key must be stored as a secret         | No secrets to manage                                            |

If your automation runs in a CI/CD platform that supports OIDC, prefer [Workload Identity](/administration/workload-identity/overview) for better security.
