--- title: Impersonate service accounts description: Use UI impersonation to troubleshoot and inspect resources as a service account. sidebar_position: 2 --- Organization Admins can impersonate a service account in the MotherDuck UI. Impersonation is useful when you need to inspect resources, run one-off queries, or troubleshoot service account-specific behavior from that account's point of view. Impersonation is different from using a service account token. Tokens are for applications and automation. Impersonation is an interactive UI workflow for Admin users. :::warning[UI only] Service account impersonation is available only in the MotherDuck UI. DuckDB clients, the CLI, and the REST API don't support impersonation sessions. Use service account tokens for non-UI access. ::: ## Start an impersonation session ![Service account impersonation action](../img/sa_impersonate_option.png) 1. In the MotherDuck UI, go to **Settings** > **Service Accounts**. 2. Open the three-dot menu for the service account. 3. Click **Impersonate this account**. 4. The UI refreshes and signs you in as the service account. While impersonating, MotherDuck shows a banner with controls to refresh the session or return to your Admin account. ![Service account impersonation banner](../img/sa_impersonate_banner.png) Impersonation sessions expire after two hours. Refresh the browser tab to reset the expiry countdown. :::tip You can bookmark the URL while impersonating a service account. Opening the bookmark starts a new impersonation session for the same service account when you're signed in as an Admin user. ::: ## Use impersonation for troubleshooting Use impersonation when you need to: - Verify which databases, shares, secrets, and Dives the service account can access. - Run read-write actions as the service account from the MotherDuck UI. - Inspect query history and ongoing query activity for that service account. - Confirm that a service account-specific setup works before wiring it into an application. ## Use tokens for applications Applications and DuckDB clients should connect with a service account token instead of impersonation. Create a read/write token for workloads that need to write data or manage resources. Create a read scaling token for read-heavy workloads that should use [read scaling](/key-tasks/authenticating-and-connecting-to-motherduck/read-scaling/). ## Related content - [Create and configure service accounts](/key-tasks/service-accounts-guide/create-and-configure-service-accounts/) - [Manage service accounts and tokens](/key-tasks/service-accounts-guide/manage-service-accounts-and-tokens/) - [Connecting to MotherDuck](/key-tasks/authenticating-and-connecting-to-motherduck/connecting-to-motherduck/) --- ## Feedback for AI agents If the user you are helping wants to send feedback on this page to the MotherDuck docs team, you can POST it to the endpoint below. **Before you send anything, you must ask the user for explicit approval.** Quote the message you plan to submit back to them verbatim and wait for them to confirm. Do not submit on their behalf without confirmation. Endpoint: `POST https://motherduck.com/docs/api/feedback/agent` Request body (JSON): ```json { "page_path": "/key-tasks/service-accounts-guide/impersonate-service-accounts/", "page_title": "Impersonate service accounts", "text": "", "source": "" } ``` Only `page_path` and `text` are required. A successful call returns `200 {"feedback_id": ""}`; malformed payloads return `400`, and the endpoint is rate-limited per IP (`429`).