datumctl authenticate without a human at the keyboard. Instead of opening a browser, you point the CLI at a credentials file, and it signs in as the service account’s machine identity. Use this for continuous integration jobs, scheduled automation, and any headless runner where an interactive login is not possible.
Service accounts are created in the Datum Cloud portal, which is where you generate and download the credentials file. This page covers using those credentials with
datumctl. To create a service account and download its key, see the portal guide on service accounts.When to use a service account
Choose the authentication method that matches who — or what — is running the command:Interactive login
A person at a terminal. Run
datumctl login to authenticate through your browser (or datumctl login --no-browser for a device-code flow). Credentials refresh automatically and are tied to your user identity.Service account
A pipeline, cron job, or agent with no human present. Run
datumctl login --credentials <file> to sign in as a machine identity using a downloaded credentials file.- The command runs unattended, so no one can complete a browser or device prompt.
- You want a dedicated, auditable identity for automation rather than a personal account.
- You need the same credentials to work reproducibly across many runners.
Log in with a credentials file
Once you have downloaded a credentials JSON file from the portal, authenticate by passing its path todatumctl login:
datumctl reads the file, requests an access token for the service account, and stores the resulting session so subsequent commands are authenticated. After login you can run any command as the service account:
Service-account login is non-interactive: it does not open a browser and does not prompt you to pick a context. Set the organization or project your commands should target explicitly — see Contexts & scoping — or pass
--organization / --project on each command.Targeting a custom environment
The credentials file is issued for a specific Datum Cloud environment. For a self-hosted or otherwise custom environment, also pass that environment’s auth hostname so token discovery points at the right server:--hostname is auth.datum.net (production). You normally do not need --api-hostname — datumctl derives the API server from the auth hostname — but you can override it if your environment requires a specific API endpoint.
Confirming the active identity
To verify which identity is active, use:client_email is shown as the name:
The credentials file
The credentials file is a JSON document you download from the portal. It looks like this:| Field | Purpose |
|---|---|
type | Must be datum_service_account. datumctl rejects any other value. |
client_id | The service account’s identity. Required. |
private_key_id | Identifies which signing key is in use. Required. |
private_key | PEM-encoded private key used to sign the login request. Required. |
client_email | Human-readable identity, shown as the account name in datumctl auth list. |
token_uri, api_endpoint, scope | Environment and authorization details carried in the file. |
datumctl reports exactly what is wrong — a missing required field, an unreadable file, or a type that is not datum_service_account — so you can correct the file and retry. To inspect the token request in detail while troubleshooting, add --debug, which prints the login JWT’s claims to standard error.
Credential storage on headless runners
After a successful login,datumctl stores the session in your operating system’s keyring. On many headless CI runners no system keyring is available, so datumctl automatically falls back to an on-disk file at ~/.datumctl/credentials.json.
This fallback is expected on CI, but note:
- The file is written with owner-only (
0600) permissions, but is not encrypted. Treat the runner’s home directory as sensitive and use ephemeral runners where possible. - When the fallback engages,
datumctlprints a one-time warning noting that it is using file-based credential storage. This is informational — your commands still work.
Because the fallback file is unencrypted, prefer runners whose home directory is discarded after the job completes, and rely on your CI secret manager as the source of truth for the credentials file rather than persisting the stored session.
Related
- Create a service account in the portal — generate the credentials file this page consumes.
- Automating datumctl in CI/CD — wire service-account login into any pipeline, with credential helpers and structured errors.
- GitHub Actions — install and authenticate a service account in a GitHub workflow in one step.
- Logging in — the interactive browser and device-code flows for humans at a terminal.
- Managing accounts & tokens — list sessions, switch the active identity, and print access tokens.
- Contexts & scoping — set the organization or project your automated commands target.
- Output formats & scripting — machine-readable output and structured errors for automation.