# Creating Service Accounts using the VGS CLI

## CLI Authentication with Service Accounts <a href="#authentication" id="authentication"></a>

The key difference when authenticating with a service account is that you do not need to run `vgs login`, open the browser and enter your credentials.

Instead, authentication happens automatically through the environment variables **VGS\_CLIENT\_ID** and **VGS\_CLIENT\_SECRET**, which can be declared in the `.env` file:


```
VGS_CLIENT_ID=<SERVICE_ACCOUNT_CLIENT_ID>
VGS_CLIENT_SECRET=<SERVICE_ACCOUNT_CLIENT_SECRET>
```

If you run the CLI in Docker, see [Authentication in Docker](/vault/developer-tools/vgs-cli/docker.md).

## Creating Service Accounts <a href="#create" id="create"></a>

To create a service account for your organization, follow these steps:

* Generate the service account configuration from the **vgs-cli** template and store it in the **service\_account.yaml** file by executing:


```
vgs generate service-account -t vgs-cli > service_account.yaml
```

The generated file looks like this:

```
apiVersion: 1.0.0
kind: ServiceAccount
data:
  # Maximum amount of time before an access token expires, in seconds. (Defaults to
  # 5 minutes.)
  accessTokenLifespan: 300
  
  # List of vaults the service account should have access to.
  vaults:
    - tntcs7thayd
  
  # Non-unique name of the Service Account.
  name: vgs-cli
  
  # Scopes allow a Service Account to perform specific CLI commands.
  scopes:
    - name: access-logs:read
    - name: organizations:read
    - name: routes:write
    - name: vaults:write
    
    # An access token will not contain optional scopes unless the user requests them
    # explicitly.
    - name: financial-instruments:write
      optional: true
    - name: transfers:write
      optional: true
    - name: orders:write
      optional: true
```

* If needed, change **name** and add or remove scopes as required (see the [Organization Resources](https://docs.verygoodsecurity.com/vault/developer-tools/vgs-cli/service-account#organization-resources) section) by editing the **service\_account.yaml** file.
* Restrict the service account to specific vault(s) by adding their identifiers under **vaults**. If no vaults are specified, the service account will not have access to any vault in the organization.
* Apply the configuration stored in **service\_account.yaml** to your organization by executing:


```
vgs apply service-account -O <ORGANIZATION_ID> -f service_account.yaml
```
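A pre-apply check of the edited file, as an added example that is not part of the VGS CLI or its documentation: it enforces the two constraints stated on this page (a **name** of at most 20 characters and at least one vault under **vaults**) and lists the scopes that every token will carry, so an over-privileged account is caught before it exists. It assumes the two-space indentation of the generated template shown above; the YAML embedded in the block is a constructed sample and the function names are this example's own.

```sh
#!/bin/sh
# Review a service_account.yaml before "vgs apply". Added example, not VGS
# code; it assumes the two-space indentation of the generated template.

# Top-level "name:" value (the "- name:" entries under scopes are indented
# further and do not match this pattern).
sa_name() {
  awk '/^  name:/ { print $2; exit }' "$1"
}

# Number of vault identifiers listed under "vaults:".
sa_vault_count() {
  awk '
    /^  vaults:/         { invault = 1; next }
    invault && /^ *- /   { n++; next }
    invault && /^ *$/    { next }   # whitespace-only line inside the list
    invault && /^ *#/    { next }   # comment line inside the list
    invault              { invault = 0 }
    END                  { print n + 0 }
  ' "$1"
}

# One line per scope: "<scope> required" or "<scope> optional".
sa_scopes() {
  awk '
    /^    - name:/ { if (cur != "") print cur, kind; cur = $3; kind = "required"; next }
    cur != "" && /^      optional: *true/ { kind = "optional" }
    END { if (cur != "") print cur, kind }
  ' "$1"
}

# Exit status 1 when the file would produce a broken or over-privileged account.
check_service_account_yaml() {
  file=$1
  rc=0
  name=$(sa_name "$file")
  if [ -z "$name" ] || [ "${#name}" -gt 20 ]; then
    echo "FAIL: name '$name' is missing or longer than 20 characters" >&2
    rc=1
  fi
  if [ "$(sa_vault_count "$file")" -eq 0 ]; then
    echo "FAIL: no vaults listed, the account would have no vault access" >&2
    rc=1
  fi
  echo "scopes carried by every token (review against least privilege):"
  sa_scopes "$file" | awk '$2 == "required" { print "  " $1 }'
  return "$rc"
}

# Constructed sample with the same layout as the generated template.
SAMPLE_YAML=$(mktemp)
cat > "$SAMPLE_YAML" <<'EOF'
apiVersion: 1.0.0
kind: ServiceAccount
data:
  accessTokenLifespan: 300
  vaults:
    - tntcs7thayd
  name: vgs-cli
  scopes:
    - name: access-logs:read
    - name: routes:write
    - name: financial-instruments:write
      optional: true
EOF

check_service_account_yaml "$SAMPLE_YAML"
```

Run it as `check_service_account_yaml service_account.yaml` in the directory where you edited the file; a non-zero exit status means the apply step should not proceed yet.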

Applying the configuration prints it back with two additional YAML fields:


```
clientId: ACxxxxxxx-vgs-cli-7Pvf5
clientSecret: 5f6cf436-6666-5555-4444-3975be84311e
```

Now, with **clientId** and **clientSecret**, you can set up [Authentication](#authentication) and test the VGS CLI.

> If you do not store the **clientSecret** now, you will not be able to retrieve it later. Also, never store credentials in version control.

#### Name <a href="#name" id="name"></a>

The service account **name** can be at most 20 characters long and is used to generate the **clientId** with the following pattern:

**clientId** = `9 characters of ORGANIZATION_ID`-`name`-`5 random alphanumeric characters`
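An added example, not part of the VGS CLI, that handles the output of `vgs apply service-account` as described above: it extracts **clientId** and **clientSecret**, checks the **clientId** against the pattern given under Name, writes the `.env` file used for authentication so that it is created with mode 0600, and adds `.env` to `.gitignore` when the directory is a git checkout. The sample output embedded in the block reuses the page's placeholder values; the function names are this example's own.

```sh
#!/bin/sh
# Save the credentials printed by "vgs apply service-account" into a .env
# file for non-interactive CLI authentication. Added example, not VGS code;
# it assumes the two-field YAML output shown above and a POSIX shell.

# True when a client id follows the documented pattern: 9 characters of the
# organization id, the account name (1-20 characters) and 5 random
# alphanumeric characters, separated by dashes.
is_valid_client_id() {
  printf '%s\n' "$1" | grep -Eq '^.{9}-.{1,20}-[A-Za-z0-9]{5}$'
}

# Value of "<key>: <value>" in the YAML text given as $2.
yaml_field() {
  printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# Write VGS_CLIENT_ID and VGS_CLIENT_SECRET to $2 so that the file is never
# readable by other users, not even between creation and a later chmod.
write_env_from_apply_output() {
  output=$1
  env_file=$2
  id=$(yaml_field clientId "$output")
  secret=$(yaml_field clientSecret "$output")
  if [ -z "$id" ] || [ -z "$secret" ]; then
    echo "apply output lacks clientId or clientSecret" >&2
    return 1
  fi
  if ! is_valid_client_id "$id"; then
    echo "clientId '$id' does not match the documented pattern" >&2
    return 1
  fi
  # Recreate the file under umask 077 so it is born with mode 0600.
  rm -f "$env_file"
  (umask 077 && printf 'VGS_CLIENT_ID=%s\nVGS_CLIENT_SECRET=%s\n' "$id" "$secret" > "$env_file")
  # Keep the secret out of version control when the directory is a git checkout.
  dir=$(dirname "$env_file")
  if [ -d "$dir/.git" ] && ! grep -qxF '.env' "$dir/.gitignore" 2>/dev/null; then
    echo '.env' >> "$dir/.gitignore"
  fi
}

# The page's own placeholder output, embedded here as sample input.
SAMPLE_APPLY_OUTPUT='clientId: ACxxxxxxx-vgs-cli-7Pvf5
clientSecret: 5f6cf436-6666-5555-4444-3975be84311e'

WORKDIR=$(mktemp -d)
write_env_from_apply_output "$SAMPLE_APPLY_OUTPUT" "$WORKDIR/.env"
ls -l "$WORKDIR/.env"    # mode 0600, shown as -rw-------
```

In practice you would pipe the real command into the function, for example `write_env_from_apply_output "$(vgs apply service-account -O <ORGANIZATION_ID> -f service_account.yaml)" .env`, so the secret is never copied by hand or left in shell history.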

## Deleting Service Accounts <a href="#delete" id="delete"></a>

To delete a service account, execute the command:

```
vgs delete service-account -O <ORGANIZATION_ID> <SERVICE_ACCOUNT_CLIENT_ID>
```
