Complete reference for managing service users via the Pangolin Admin CLI.
Service users provide API key-based authentication for programmatic access to Pangolin. They are ideal for:
- CI/CD pipelines
- Data integration tools
- Monitoring systems
- Microservices
Create a new service user with an API key.
Syntax:
pangolin-admin create-service-user \
--name <name> \
[--description <description>] \
[--role <role>] \
[--expires-in-days <days>]Arguments:
--name(required): Name of the service user--description(optional): Description of purpose--role(optional): Role assignment (default:tenant-user)- Valid values:
tenant-user,tenant-admin,root
- Valid values:
--expires-in-days(optional): Expiration in days from creation
Example:
pangolin-admin create-service-user \
--name "ci-pipeline" \
--description "GitHub Actions CI/CD" \
--role "tenant-user" \
--expires-in-days 90Output:
✅ Service user created successfully!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ IMPORTANT: Save this API key - it will not be shown again!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Service User ID: 550e8400-e29b-41d4-a716-446655440000
Name: ci-pipeline
API Key: pgl_AbCdEfGhIjKlMnOpQrStUvWxYz1234567890...
Expires At: 2026-03-18T19:00:00Z
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
List all service users for the current tenant.
Syntax:
pangolin-admin list-service-usersExample Output:
+--------------------------------------+---------------+-------------+--------+------------+------------+
| ID | Name | Role | Active | Last Used | Expires At |
+--------------------------------------+---------------+-------------+--------+------------+------------+
| 550e8400-e29b-41d4-a716-446655440000 | ci-pipeline | tenant-user | ✓ | 2 days ago | Never |
| 660e8400-e29b-41d4-a716-446655440001 | data-sync | tenant-user | ✓ | Never | 2026-06-01 |
+--------------------------------------+---------------+-------------+--------+------------+------------+
Get detailed information about a specific service user.
Syntax:
pangolin-admin get-service-user --id <service-user-id>Example:
pangolin-admin get-service-user --id 550e8400-e29b-41d4-a716-446655440000Output:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Service User Details
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ID: 550e8400-e29b-41d4-a716-446655440000
Name: ci-pipeline
Description: GitHub Actions CI/CD
Role: tenant-user
Active: Yes
Created At: 2025-12-18T14:00:00Z
Last Used: 2025-12-16T10:30:00Z
Expires At: 2026-03-18T19:00:00Z
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Update service user properties.
Syntax:
pangolin-admin update-service-user \
--id <service-user-id> \
[--name <new-name>] \
[--description <new-description>] \
[--active <true|false>]Arguments:
--id(required): Service user ID--name(optional): New name--description(optional): New description--active(optional): Enable/disable service user
Example - Update description:
pangolin-admin update-service-user \
--id 550e8400-e29b-41d4-a716-446655440000 \
--description "Updated: GitHub Actions + GitLab CI"Example - Deactivate service user:
pangolin-admin update-service-user \
--id 550e8400-e29b-41d4-a716-446655440000 \
--active falsePermanently delete a service user.
Syntax:
pangolin-admin delete-service-user --id <service-user-id>Example:
pangolin-admin delete-service-user --id 550e8400-e29b-41d4-a716-446655440000Output:
✅ Service user deleted successfully!
Warning: This action is permanent and immediately invalidates the API key.
Rotate the API key for a service user.
Syntax:
pangolin-admin rotate-service-user-key --id <service-user-id>Example:
pangolin-admin rotate-service-user-key --id 550e8400-e29b-41d4-a716-446655440000Output:
✅ API key rotated successfully!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ IMPORTANT: Save this new API key - it will not be shown again!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Service User ID: 550e8400-e29b-41d4-a716-446655440000
Name: ci-pipeline
New API Key: pgl_NewKeyXyZ123456789...
Expires At: 2026-03-18T19:00:00Z
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Important: The old API key is immediately invalidated.
-
Save API Keys Securely
- Store in secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
- Never commit to version control
- Never log in plaintext
-
Use Least Privilege
- Assign minimum required role
- Use
tenant-userfor most cases - Reserve
tenant-adminfor administrative tasks
-
Set Expiration
- Use
--expires-in-daysfor temporary access - Recommended: 90 days for production, 30 days for testing
- Use
-
Regular Rotation
- Rotate keys every 90 days
- Rotate immediately if compromised
- Update services with new key before old expires
-
Check Last Used
- Review
list-service-usersoutput - Identify unused service users
- Delete inactive service users
- Review
-
Audit Activity
- Monitor API access logs
- Track service user operations
- Alert on suspicious patterns
Use descriptive names that indicate:
- Purpose:
ci-pipeline,data-sync,monitoring - Environment:
prod-ci,staging-etl - Team:
analytics-team-bot,ml-pipeline
Cause: API key is incorrect, expired, or service user is inactive
Solutions:
- Verify API key is correct (check for typos)
- Check service user is active:
get-service-user --id <id> - Check expiration date hasn't passed
- Rotate key if needed:
rotate-service-user-key --id <id>
Cause: Insufficient permissions
Solutions:
- Ensure you're logged in as Tenant Admin or Root
- Check your JWT token is valid
- Re-login if token expired
Cause: Role format is incorrect or case-sensitive.
Solution: Use the exact case expected by the API (e.g., tenant-user, tenant-admin, root).
- ✅
--role "tenant-user" - ❌
--role "TenantUser"