[APPS-2351] Update service account info for App Builder and Workflows (#31204)

ksun154 · brett0000FF · web-flow · commit de5ecf39e82b · 2025-08-22T09:24:58.000-04:00
* update service account info

* Update content/en/actions/app_builder/access_and_auth.md

Co-authored-by: Brett Blue &lt;84536271+brett0000FF@users.noreply.github.com&gt;

---------

Co-authored-by: Brett Blue &lt;84536271+brett0000FF@users.noreply.github.com&gt;
diff --git a/content/en/actions/app_builder/access_and_auth.md b/content/en/actions/app_builder/access_and_auth.md
@@ -6,14 +6,45 @@ aliases:
     - /actions/app_builder/auth
 ---
 
-A few tools control access and authentication for apps and their components. 
+A few tools control access and authentication for apps and their components.
 
 ## App execution identity
 
-A published app runs using the Datadog user identity of its author. The author is listed both in the **All Apps** view and in **App Properties**.
+A published app runs using the Datadog user identity of its author, or a service account associated with the app. The author is listed both in the **All Apps** view and in **App Properties**.
 
 In edit mode, an app runs as the current editor.
 
+### Use a service account
+
+A service account can be associated with an app and act as the identity of the app when it runs. A service account can:
+- resolve the connections defined in the app queries at runtime
+- provide an identity for app executions
+- provide an identity for app [audit trails][7]
+
+To create a service account for an app, you must have either the Datadog admin role, or a custom role with the **Service Account Write** permission. The service account you create adopts your role and permissions. For more information on service accounts and permissions, see [Service accounts][2] or [Role based access control][3].
+
+#### Configure your app to run as a service account
+
+1. Click the cog (**Settings**) icon.
+1. Click **Manage app identity**.
+1. Select **Run as Service Account**.
+1. Select a role for your service account user or select an existing service account.
+1. Click **Save** to save the service account and apply the changes.
+
+When you run an app, the service account user resolves the connections defined in the app queries. Therefore, the service account user needs the `connections_resolve` permission. The Datadog Admin Role and the Datadog Standard Role include the `connections_resolve` permission.
+
+#### View service account details
+
+1. Click the cog (**Settings**) icon.
+1. Select **Manage app identity**.
+1. Click on your service account next to *Run As*.
+
+#### Remove a service account associated with an app
+
+1. Click the cog (**Settings**) icon.
+1. Select **Manage app identity**.
+1. Click **Remove service account**.
+
 ## Action credentials
 
 Because app [actions][1] connect with external software systems, you may need to authenticate your Datadog account to a corresponding integration. An app can run successfully only if every action that requires authentication can verify the identity of your Datadog account.
@@ -109,3 +140,4 @@ To restrict access to the app, perform the following steps in the app canvas:
 [4]: /account_management/rbac/
 [5]: https://app.datadoghq.com/app-builder/
 [6]: https://datadoghq.slack.com/
+[7]: /account_management/audit_trail/#overview
diff --git a/content/en/actions/workflows/access_and_auth.md b/content/en/actions/workflows/access_and_auth.md
@@ -41,22 +41,23 @@ To create a service account for a workflow, you must have either the Datadog adm
 You can dynamically create a service account for your workflow when you [add an automatic trigger][4].
 
 1. Click the cog (**Settings**) icon.
-1. Click **Create a service account**.
-1. Select a role for your service account user.
-1. Click **Create** to save the service account.
-1. Save your workflow to apply the changes.
+1. Click **Manage workflow identity**.
+1. Select **Run as Service Account**.
+1. Select a role for your service account user or select an existing Service Account.
+1. Click **Save** to save the service account and apply the changes.
 
 When you run a workflow, the service account user resolves the connections defined in the workflow actions. Therefore, the service account user needs the `connections_resolve` permission. The Datadog Admin Role and the Datadog Standard Role include the `connections_resolve` permission.
 
 #### View service account details
 
 1. Click the cog (**Settings**) icon.
-1. Select your service account from the dropdown menu.
+1. Select **Manage workflow identity**.
+1. Click on your service account next to *Run As*.
 
-#### Remove a service account associated with workflow
+#### Remove a service account associated with a workflow
 
 1. Click the cog (**Settings**) icon.
-1. Select your service account from the dropdown menu.
+1. Select **Manage workflow identity**.
 1. Click **Remove service account**.
 
 ## Action credentials
