> ## Documentation Index > Fetch the complete documentation index at: https://docs.murmur.dev/llms.txt > Use this file to discover all available pages before exploring further. # service-profile > Catalog resource that defines a non-human identity — credentials, secrets, and access control used by automated agents like Flights and bots. A [service profile](/concepts/secrets) is a catalog resource that defines a non-human identity for agents. Instead of running under a developer's personal credentials, an agent spawned with a [service profile](/concepts/secrets) commits as a bot author and authenticates with dedicated secrets. Each [service profile](/concepts/secrets) references [secrets](/concepts/secrets) by name for API keys, signing keys, and tokens. Access is controlled by [grants](/security/authorization) attached to the profile — only principals listed in a grant can assume the profile at spawn time. ## Fields | Name | Type | Required | Description | | ----------------------------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `name` | string | yes | Unique identifier within the tenant. DNS label format: `[a-z][a-z0-9-]{0,62}`. | | `description` | string | no | Human-readable description shown in the dashboard. Max 1024 bytes. | | `git_name` | string | no | Git author name for agents using this profile (e.g. `acme-deploy-bot`). Empty uses the default bot name. | | `git_email` | string | no | Git author email for agents using this profile. Empty uses the default bot email. | | `anthropic_api_key_secret` | string | no | [Secret](/concepts/secrets) name for the Anthropic API key. Empty falls back to the tenant-wide `ANTHROPIC_API_KEY` secret. | | `signing_key_secret` | string | no | [Secret](/concepts/secrets) name for the Ed25519 commit signing key. Empty falls back to the tenant-wide `SERVICE_SIGNING_KEY` secret. | | `github_token_secret` | string | no | [Secret](/concepts/secrets) name for a GitHub token. Empty uses a token minted from the installed app. | | `claude_oauth_token_secret` | string | no | [Secret](/concepts/secrets) name for a Claude subscription OAuth token. | | `claude_oauth_refresh_token_secret` | string | no | [Secret](/concepts/secrets) name for a Claude OAuth refresh token. | | `openai_api_key_secret` | string | no | [Secret](/concepts/secrets) name for an OpenAI/Codex API key. | | `ssh_public_keys` | string\[] | no | SSH public keys for `murmur ssh` access, in `authorized_keys` format. | | `steering_policy` | string | no | Name of a [steering policy](/catalog/steering-policy) that additionally gates events driving this profile's agents. The narrower of this and the event repo's policy wins, so a permissive repo policy never loosens a locked-down profile. Empty applies the repo policy only. | | `grants` | Grant\[] | no | Access [grants](/security/authorization) controlling who may assume this [service profile](/concepts/secrets). | ## Grant fields Each entry in `grants` specifies who can assume the [service profile](/concepts/secrets) and what permissions they hold. See [authorization](/security/authorization) for full details. | Name | Type | Required | Description | | -------------------- | --------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | | `groups` | string\[] | conditional | [Group](/security/authorization) names in the same tenant. At least one of `groups` or `users` is required. | | `users` | string\[] | conditional | GitHub logins. At least one of `groups` or `users` is required. | | `inline` | object | conditional | Inline permission list. Exactly one of `inline` or `role` is required. | | `inline.permissions` | string\[] | yes | Permission strings in `{kind}.{verb}` format (e.g. `service-profile.assume`). | | `role` | string | conditional | Named [role](/security/authorization) reference, resolved at evaluation time. Exactly one of `inline` or `role` is required. | | `name_pattern` | string | no | Glob pattern restricting which resource names this grant applies to. Supports `${provider}` and `${username}` variables and trailing `*` wildcard. | ## Examples ### Create a service profile ```yaml theme={null} name: ci-builder description: "CI builder bot for automated PR creation" git_name: acme-ci-bot git_email: ci-bot@acme.dev anthropic_api_key_secret: ci-anthropic-key signing_key_secret: ci-signing-key grants: - groups: - platform-engineers inline: permissions: - service-profile.assume ``` ```bash theme={null} cat <<'EOF' | murmur set service-profile ci-builder name: ci-builder description: "CI builder bot for automated PR creation" git_name: acme-ci-bot git_email: ci-bot@acme.dev anthropic_api_key_secret: ci-anthropic-key signing_key_secret: ci-signing-key grants: - groups: - platform-engineers inline: permissions: - service-profile.assume EOF ``` ### Minimal service profile with tenant-wide fallbacks ```yaml theme={null} name: deploy-bot description: "Deploy bot using tenant-wide secrets" git_name: deploy-bot grants: - users: - octocat inline: permissions: - service-profile.assume ``` All secret fields fall back to tenant-wide defaults when left empty. The `git_email` falls back to the default bot email. ### Listing service profiles ```bash theme={null} murmur get service-profile ``` ``` NAME DESCRIPTION ci-builder CI builder bot for automated PR creation deploy-bot Deploy bot using tenant-wide secrets ``` ### Reading a single service profile ```bash theme={null} murmur get service-profile ci-builder ``` ## Errors | Code | Meaning | What to do | | --------------------- | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | `INVALID_ARGUMENT` | `name is required` | Provide a `name` field. | | `INVALID_ARGUMENT` | `name must match [a-z][a-z0-9-]{0,62}` | The name contains invalid characters. Use lowercase letters, digits, and hyphens. Must start with a letter. | | `INVALID_ARGUMENT` | `description exceeds 1024 byte limit` | Shorten the `description` to 1024 bytes or fewer. | | `INVALID_ARGUMENT` | `grants[N]: grant must specify at least one group or user` | Each grant needs at least one entry in `groups` or `users`. | | `INVALID_ARGUMENT` | `grants[N]: grant must specify inline permissions or a role reference` | Each grant needs either an `inline` permission list or a `role` reference. | | `INVALID_ARGUMENT` | `grants[N]: grant role reference must be non-empty` | A grant uses `role` but the value is empty. Provide a [role](/security/authorization) name. | | `INVALID_ARGUMENT` | `steering_policy: steering policy "" does not exist` | Reference an existing [steering policy](/catalog/steering-policy), or leave `steering_policy` empty to apply the repo policy only. | | `FAILED_PRECONDITION` | `cannot delete service-profile: referenced by agent` | An [agent](/concepts/agents) or [flight](/concepts/flights) references this [service profile](/concepts/secrets). Remove the reference before deleting. | ## Related * [Profiles and secrets](/concepts/secrets) — concept overview * [Service profiles guide](/security/service-profile) — step-by-step setup from the dashboard * [Authorization](/security/authorization) — grants, roles, and permissions * [steering-policy](/catalog/steering-policy) — additionally gates events driving this profile's agents * [Agents](/concepts/agents) — the resource that references a service profile at spawn time * [Flights](/concepts/flights) — multi-agent workflows that reference a service profile * [`murmur set`](/cli/set) — CLI command for creating and updating catalog resources * [`murmur get`](/cli/get) — CLI command for reading catalog resources