service-profile

A service profile is a catalog resource that defines a non-human identity for agents. Instead of running under a developer’s personal credentials, an agent spawned with a service profile commits as a bot author and authenticates with dedicated secrets. Each service profile references secrets by name for API keys, signing keys, and tokens. Access is controlled by grants attached to the profile — only principals listed in a grant can assume the profile at spawn time.

Fields

Name	Type	Required	Description
`name`	string	yes	Unique identifier within the tenant. DNS label format: `[a-z][a-z0-9-]{0,62}`.
`description`	string	no	Human-readable description shown in the dashboard. Max 1024 bytes.
`git_name`	string	no	Git author name for agents using this profile (e.g. `acme-deploy-bot`). Empty uses the default bot name.
`git_email`	string	no	Git author email for agents using this profile. Empty uses the default bot email.
`anthropic_api_key_secret`	string	no	Secret name for the Anthropic API key. Empty falls back to the tenant-wide `ANTHROPIC_API_KEY` secret.
`signing_key_secret`	string	no	Secret name for the Ed25519 commit signing key. Empty falls back to the tenant-wide `SERVICE_SIGNING_KEY` secret.
`github_token_secret`	string	no	Secret name for a GitHub token. Empty uses a token minted from the installed app.
`claude_oauth_token_secret`	string	no	Secret name for a Claude subscription OAuth token.
`claude_oauth_refresh_token_secret`	string	no	Secret name for a Claude OAuth refresh token.
`openai_api_key_secret`	string	no	Secret name for an OpenAI/Codex API key.
`ssh_public_keys`	string[]	no	SSH public keys for `murmur ssh` access, in `authorized_keys` format.
`steering_policy`	string	no	Name of a steering policy that additionally gates events driving this profile’s agents. The narrower of this and the event repo’s policy wins, so a permissive repo policy never loosens a locked-down profile. Empty applies the repo policy only.
`grants`	Grant[]	no	Access grants controlling who may assume this service profile.

Grant fields

Each entry in grants specifies who can assume the service profile and what permissions they hold. See authorization for full details.

Name	Type	Required	Description
`groups`	string[]	conditional	Group names in the same tenant. At least one of `groups` or `users` is required.
`users`	string[]	conditional	GitHub logins. At least one of `groups` or `users` is required.
`inline`	object	conditional	Inline permission list. Exactly one of `inline` or `role` is required.
`inline.permissions`	string[]	yes	Permission strings in `{kind}.{verb}` format (e.g. `service-profile.assume`).
`role`	string	conditional	Named role reference, resolved at evaluation time. Exactly one of `inline` or `role` is required.
`name_pattern`	string	no	Glob pattern restricting which resource names this grant applies to. Supports `${provider}` and `${username}` variables and trailing `*` wildcard.

Examples

Create a service profile

name: ci-builder
description: "CI builder bot for automated PR creation"
git_name: acme-ci-bot
git_email: ci-bot@acme.dev
anthropic_api_key_secret: ci-anthropic-key
signing_key_secret: ci-signing-key
grants:
  - groups:
      - platform-engineers
    inline:
      permissions:
        - service-profile.assume

cat <<'EOF' | murmur set service-profile ci-builder
name: ci-builder
description: "CI builder bot for automated PR creation"
git_name: acme-ci-bot
git_email: ci-bot@acme.dev
anthropic_api_key_secret: ci-anthropic-key
signing_key_secret: ci-signing-key
grants:
  - groups:
      - platform-engineers
    inline:
      permissions:
        - service-profile.assume
EOF

Minimal service profile with tenant-wide fallbacks

name: deploy-bot
description: "Deploy bot using tenant-wide secrets"
git_name: deploy-bot
grants:
  - users:
      - octocat
    inline:
      permissions:
        - service-profile.assume

All secret fields fall back to tenant-wide defaults when left empty. The git_email falls back to the default bot email.

Listing service profiles

murmur get service-profile

NAME          DESCRIPTION
ci-builder    CI builder bot for automated PR creation
deploy-bot    Deploy bot using tenant-wide secrets

Reading a single service profile

murmur get service-profile ci-builder

Errors

Code	Meaning	What to do
`INVALID_ARGUMENT`	`name is required`	Provide a `name` field.
`INVALID_ARGUMENT`	`name must match [a-z][a-z0-9-]{0,62}`	The name contains invalid characters. Use lowercase letters, digits, and hyphens. Must start with a letter.
`INVALID_ARGUMENT`	`description exceeds 1024 byte limit`	Shorten the `description` to 1024 bytes or fewer.
`INVALID_ARGUMENT`	`grants[N]: grant must specify at least one group or user`	Each grant needs at least one entry in `groups` or `users`.
`INVALID_ARGUMENT`	`grants[N]: grant must specify inline permissions or a role reference`	Each grant needs either an `inline` permission list or a `role` reference.
`INVALID_ARGUMENT`	`grants[N]: grant role reference must be non-empty`	A grant uses `role` but the value is empty. Provide a role name.
`INVALID_ARGUMENT`	`steering_policy: steering policy "<name>" does not exist`	Reference an existing steering policy, or leave `steering_policy` empty to apply the repo policy only.
`FAILED_PRECONDITION`	`cannot delete service-profile: referenced by agent`	An agent or flight references this service profile. Remove the reference before deleting.

Profiles and secrets — concept overview
Service profiles guide — step-by-step setup from the dashboard
Authorization — grants, roles, and permissions
steering-policy — additionally gates events driving this profile’s agents
Agents — the resource that references a service profile at spawn time
Flights — multi-agent workflows that reference a service profile
murmur set — CLI command for creating and updating catalog resources
murmur get — CLI command for reading catalog resources

​Fields

​Grant fields

​Examples

​Create a service profile

​Minimal service profile with tenant-wide fallbacks

​Listing service profiles

​Reading a single service profile

​Errors

​Related