Skip to main content
Service accounts are dedicated automation accounts that run automations independently of individual users. They are members of your organization and provide consistent identity and permissions for automated workflows. A service account in Ona provides:
  • Identity in your SCM - Automations appear as the service account in commits, PRs, and comments
  • Separation of agent and human activity - Clearly differentiate between automation work (service account) and human work (individual users), making it easy to track, audit, and manage agent activity separately
  • Consistent permissions - Automations run with predictable access regardless of individual user availability
Important limitations:
  • Service accounts are currently in the global members group (RBAC support coming later)
  • Only Personal Access Tokens (PATs) are supported now (OAuth integration coming later)

When to use service accounts

Use a service account for:
  • Event-driven automations - Pull request triggers that respond to repository events
  • Time-based automations - Scheduled jobs that run on a recurring basis
  • Shared ownership - Automations managed by multiple team members
  • Organizational processes - Workflows that represent team or company standards
Use your personal account for:
  • Personal workflows - Automations you own and control
  • One-time tasks - Manual migrations or updates you run once
  • Testing - Trying out automations before productionizing them
Best practice: Run pull request and time-based automations as service accounts to ensure they continue working regardless of individual user availability. Why use service accounts:
  • Ona comments on pull requests as the service account identity, making it easy to track agent activity
  • Commits and pull requests are clearly attributed to automation, not individual engineers
  • Service accounts provide stable authentication that doesn’t depend on personal tokens

Create a service account

  1. Navigate to Settings in the left panel
  2. Click Members
  3. Select Service Accounts
  4. Click Create New Service Account
  5. Enter a Name for the service account (e.g., “Automation Bot”)
  6. Add a Description explaining the service account’s purpose
  7. Click Create
Service account creation form

Configure Git authentication

Service accounts need Git authentication to interact with your source control management (SCM) system. This allows automations to clone repositories, commit changes, and create pull requests.

Add Git authentication

  1. Open the service account details page
  2. Click Add Git Authentication
  3. Select the environment class where the automation will execute
  4. Choose your Provider (GitHub or GitLab)
  5. Enter a Personal Access Token from your SCM
Git authentication configuration

Create a personal access token

The personal access token must be issued from your SCM provider: GitHub:
  1. Go to Settings > Developer settings > Personal access tokens > Tokens (classic)
  2. Click Generate new token
  3. Select scopes: repo, read:user, user:email, workflow
  4. Copy the token
GitHub documentation: Creating a personal access token GitLab:
  1. Go to Preferences > Access Tokens
  2. Enter a name and expiration date
  3. Select scopes: api, read_repository, write_repository
  4. Click Create personal access token
  5. Copy the token
GitLab documentation: Personal access tokens Important: Store the token securely. You won’t be able to see it again after creation.

Token permissions

Ensure the personal access token has permissions to:
  • Read repository contents
  • Create branches
  • Commit changes
  • Open pull requests
  • Read and write to the repositories the automation targets
  • Access user information (for proper attribution)
  • Trigger workflows (if automations need to run CI/CD)

Manage service accounts

Add additional Git authentication

Service accounts can have multiple Git authentication configurations for different runners or providers:
  1. Open the service account details page
  2. Click Add Git Authentication
  3. Configure authentication for another runner or provider

Delete a service account

  1. Navigate to Settings > Members > Service Accounts
  2. Click on the service account name
  3. Click Delete Service Account
  4. Confirm deletion
Warning: Deleting a service account will stop all automations using that account.

Security best practices

  • Rotate tokens regularly - Update personal access tokens every 90 days
  • Use minimal permissions - Grant only the permissions the automation needs
  • Monitor activity - Review service account actions in audit logs
  • Separate concerns - Use different service accounts for different automation types
  • Document ownership - Note which team owns each service account in the description

Troubleshooting

Authentication failures

If automations fail with authentication errors:
  1. Verify the personal access token is still valid and hasn’t expired
  2. Check the token has required permissions
  3. Regenerate the token if needed and update the service account configuration

Permission denied errors

If automations can’t access repositories:
  1. Verify the service account has access to the target repositories
  2. Check the runner configuration allows the service account
  3. Ensure the personal access token has correct scopes

Service account not appearing

If the service account doesn’t appear in automation configuration:
  1. Verify you have permissions to view service accounts
  2. Check the service account was created successfully
  3. Refresh the page

Next steps