Enable Atlassian service accounts to be able to be used as Forge contributors


      Today, Forge app contributors must be regular Atlassian user accounts. For security‑sensitive or automated scenarios (e.g. exporting production logs to an external SIEM/observability tool), we follow the recommended “dedicated bot user” pattern:

      • Create a separate Atlassian user account
      • Give it minimal permissions (e.g. Viewer + “View production logs” in the Forge Developer Console)
      • Use an API token from that account, stored and rotated securely

      This works functionally, but it has significant operational and security drawbacks compared to using Atlassian service accounts:

      • We must provision and maintain an email inbox for the bot user
      • We still have to manage a password and 2FA for a non‑human account
      • The account appears like a “human” identity for lifecycle/offboarding, auditing, and policy
      • Identity/IT teams need special handling to ensure the bot user is not cleaned up or altered by regular user lifecycle processes

      Atlassian service accounts already solve many of these issues in Atlassian Administration (non‑human identities, central lifecycle, no mailbox, more appropriate controls), but they currently cannot be used as Forge app contributors.

      Current behavior

      • Forge contributors in the Developer Console must be human Atlassian accounts.
      • Only these human users can be granted roles such as:
        • Viewer
        • Viewer with “View production logs”
        • Admin, etc.
      • Atlassian service accounts cannot be added as contributors or assigned these roles.
      • As a result, any automation that needs Forge access (e.g. to read production logs) must use a regular Atlassian user account and its API token.

      Desired behavior

      Allow Atlassian service accounts to be used as Forge app contributors, with the same role model as human contributors.

      Concretely:

      1. Add service accounts as valid Forge contributors
        • In the Forge Developer Console, allow selecting an Atlassian service account as a contributor.
        • Support the same roles and permissions (e.g. Viewer, Viewer with “View production logs”, Admin).
      2. Support service accounts for Forge automation use cases
        • Allow API tokens / OAuth credentials associated with service accounts to access Forge Developer Console APIs and/or logging endpoints, subject to the contributor role assigned.
        • Ensure service accounts can be used safely for:
          • Accessing production logs for ingestion/export
          • Other automated “contributor‑like” tasks where no human is directly interacting with the UI
      3. Align with least‑privilege and non‑human identity best practices
        • Ensure a service account can be:
          • Scoped only to the required Forge apps/workspaces
          • Granted only the minimum role, e.g. Viewer with “View production logs” but no administrative capabilities if not needed.
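The drawbacks of the bot-user pattern listed above and the least-privilege goals in point 3 are the kind of thing a contributor audit can catch mechanically. The script below is an added example written for this issue, not Atlassian or Forge code: the Developer Console has no contributor-export API described here, so the contributor records are constructed by hand in the shape a hypothetical export might take, and the 90-day token rotation window, the `identity_type` and `purpose` fields and the `Viewer+ProdLogs` shorthand for "Viewer with View production logs" are all assumptions. It flags automation identities that are still regular user accounts (the lifecycle problem), automation identities holding more than the logs-only role, and API tokens past the rotation window.

```python
"""Audit a Forge contributor list for non-human identity and least-privilege issues.

Added example for this feature request, not Atlassian code. The records are
constructed; a real audit would read them from whatever contributor export or
admin API is available. Role names follow the issue text; the role ranking,
the rotation window and the record fields are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Roles named in the issue, in increasing privilege order (ranking assumed).
ROLE_RANK = {"Viewer": 0, "Viewer+ProdLogs": 1, "Admin": 2}
# Most an automation identity that only exports logs should hold.
MAX_AUTOMATION_ROLE = "Viewer+ProdLogs"
# Assumed rotation policy for API tokens.
TOKEN_MAX_AGE = timedelta(days=90)

Finding = Tuple[str, str, str]  # (contributor name, finding kind, detail)


@dataclass
class Contributor:
    name: str
    identity_type: str            # "user" (human-style account) or "service_account"
    purpose: str                  # "human" or "automation"
    role: str                     # key of ROLE_RANK
    token_issued: Optional[date]  # issue date of the API token in use, if any


def audit(contributors: List[Contributor], today: date) -> List[Finding]:
    """Return one finding per policy violation found in the contributor list."""
    findings: List[Finding] = []
    for c in contributors:
        if c.purpose == "automation" and c.identity_type == "user":
            # The issue's core complaint: a bot that is a regular user account
            # drags a mailbox, password, 2FA and human lifecycle handling with it.
            findings.append((c.name, "lifecycle",
                             "automation identity is a regular user account; "
                             "exclude it from user-lifecycle cleanup and track it separately"))
        if c.purpose == "automation" and ROLE_RANK[c.role] > ROLE_RANK[MAX_AUTOMATION_ROLE]:
            findings.append((c.name, "privilege",
                             f"automation identity holds {c.role}; log export needs "
                             f"at most {MAX_AUTOMATION_ROLE}"))
        if c.token_issued is not None and today - c.token_issued > TOKEN_MAX_AGE:
            age = (today - c.token_issued).days
            findings.append((c.name, "rotation",
                             f"API token is {age} days old, over the {TOKEN_MAX_AGE.days}-day window"))
    return findings


# Constructed sample contributor list (not real accounts).
SAMPLE = [
    Contributor("alice", "user", "human", "Admin", date(2024, 4, 1)),
    Contributor("siem-export-bot", "user", "automation", "Viewer+ProdLogs", date(2024, 1, 15)),
    Contributor("ci-deploy-bot", "user", "automation", "Admin", date(2024, 5, 1)),
    Contributor("svc-observability", "service_account", "automation", "Viewer+ProdLogs", date(2024, 5, 20)),
]
SAMPLE_TODAY = date(2024, 6, 1)


def run_sample() -> List[Finding]:
    """Audit the constructed sample as of SAMPLE_TODAY."""
    return audit(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, kind, detail in run_sample():
        print(f"{name:20} {kind:10} {detail}")
```

On the sample, the human admin produces no findings, both bot user accounts are flagged for lifecycle (one additionally for an over-privileged Admin role, the other for a stale token), and the service account with the logs-only role passes clean, which is the end state the feature request asks for.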

Assignee: Unassigned
Reporter: Wagner M.
Votes: 2
Watchers: 3