Impersonate service accounts

Organization Admins can impersonate a service account in the MotherDuck UI. Impersonation is useful when you need to inspect resources, run one-off queries, or troubleshoot service account-specific behavior from that account's point of view.

Impersonation is different from using a service account token. Tokens are for applications and automation. Impersonation is an interactive UI workflow for Admin users.

UI only

Service account impersonation is available only in the MotherDuck UI. DuckDB clients, the CLI, and the REST API don't support impersonation sessions. Use service account tokens for non-UI access.

Start an impersonation session

  1. In the MotherDuck UI, go to Settings > Service Accounts.
  2. Open the three-dot menu for the service account.
  3. Click Impersonate this account.
  4. The UI refreshes and signs you in as the service account.

While you are impersonating a service account, MotherDuck shows a banner with controls to refresh the session or return to your Admin account.

Impersonation sessions expire after two hours. Refresh the browser tab to reset the expiry countdown.

Tip: You can bookmark the URL while impersonating a service account. Opening the bookmark starts a new impersonation session for the same service account when you're signed in as an Admin user.

Use impersonation for troubleshooting

Use impersonation when you need to:

  • Verify which databases, shares, secrets, and Dives the service account can access.
  • Run read-write actions as the service account from the MotherDuck UI.
  • Inspect query history and ongoing query activity for that service account.
  • Confirm that a service account-specific setup works before wiring it into an application.

Use tokens for applications

Applications and DuckDB clients should connect with a service account token instead of impersonation. Create a read/write token for workloads that need to write data or manage resources. Create a read scaling token for read-heavy workloads that should use read scaling.