# Service Account Secrets

> Manage credentials owned by service accounts.

Service account secrets are credentials owned by a service account. Services and managed agents should run as that service account with `container.run_as` or agent `run_as`.

## CLI

Use `--subject` with the service account email, id, key, or name:

```bash
meshagent secret list --subject agent@service.example.meshagent.dev
meshagent secret create registry-token \
  --subject agent@service.example.meshagent.dev \
  --type opaque \
  --value "$TOKEN"
```

## Roles

Service-account secret operations are protected by service-account roles:

* `secret_list` permits listing and searching secrets.
* `secret_accessor` permits direct retrieval when the secret is not `http_only`.
* `secret_manager` permits create, update, version, delete, metadata, annotation, and pull-secret management.
* `use_proxy_secrets` permits proxy use when the per-secret `use_proxy` grant also allows it.
* `run_service_as` permits configuring a service or managed agent to run as the service account.

Project admins inherit service-account secret management access through the project model.

## Pull Secrets

Image pull credentials attach to service accounts:

```bash
meshagent secret add-pull-secret secret-123 \
  --project-id "$MESHAGENT_PROJECT_ID" \
  --subject builder@service.example.meshagent.dev
```

When a service runs as that service account, MeshAgent uses the account's pull secrets while pulling private images.
