Configurations for Workload Identity Manager
Configurations are the glue that ties all the parts together so your Workload Identity Manager can issue certificates. A configuration is a group of runtime settings that links the following:
- The sub CA provider that provides the template for Workload Identity Manager's CA certificate. This sub CA provider also issues Workload Identity Manager's CA certificate when the instance starts up.
- The policies that determine which certificates Workload Identity Manager can issue to its clients, and which of those policies each client is allowed to request.
- The client configuration, which defines which clients can interact with the Workload Identity Manager instances: the allowed connection methods as well as the authentication and authorization details.
Before you start, determine whether your organization's IdP supports OIDC Discovery or only simple JWKS verification, and collect the key details you will need, such as the OIDC discovery URL or the JWKS URI.
Tip
Before you create a configuration, you must first create a policy.
Create a configuration
- Sign in to Venafi Control Plane.
- Click Configurations > Issuer Configurations.
- On the Issuer Configurations page, click New.
- In the General section, enter a Name for your configuration.
- Select your Sub CA Provider from the list.
- Select one or more Service Accounts that Workload Identity Manager instances can use to retrieve the associated configuration.
  A single service account can be connected to, and retrieve, only one configuration. A configuration, however, can be associated with multiple service accounts.
- In the Advanced Security & Logging Settings section, to log issued certificates, select Log certificate issuance information and, optionally, Include raw certificate data (as described in Enabling Workload Identity Manager detailed certificate issuance logging). Then click Continue.
- In the Client Configuration section, you have three options: allow network clients authenticated with JWTs (REST, gRPC, remote cert-manager), allow network clients authenticated with Instance Metadata, or allow local clients only (neither checkbox selected). The options are described in turn below.
Selecting both network client options
If you want to allow both kinds of network client functionality, select both the Allow network clients (REST, gRPC, remote cert-manager) and the Allow network clients authenticated with Instance Metadata checkboxes and follow the instructions outlined in the relevant tabs below.
Allow network clients (REST, gRPC, remote cert-manager)
Choose this option if you want network clients to interact with Workload Identity Manager over the REST and gRPC APIs using registered or custom JWT claims. Use it when the Workload Identity Manager Issuer instance and cert-manager are deployed in different environments.
Select one of the Client Identification options for JSON Web Token (JWT) claims:
- Registered JWT claims: use registered claims (for example sub, iss, aud) for simple identity identification. Define pre-authorized clients by specifying the following:
- Friendly name
- Issuer URL. Verification keys are resolved using OIDC Discovery at the issuer's `/.well-known/openid-configuration` document, for example `https://idp.example.com/.well-known/openid-configuration`. That URL must be reachable without authentication by the Workload Identity Manager instances. You can override key resolution by entering a custom JWKS URI. For a Kubernetes cluster, the following command prints the issuer URL that the API server puts in service account tokens:
```shell
kubectl get --raw "/.well-known/openid-configuration" | jq .issuer
```
- Custom JWKS URI. This field is optional; when set, keys are fetched from this URI instead of the one found through OIDC Discovery.
- Subjects. The subject (`sub`) claim values to accept during token validation. A token is accepted only if its subject claim exactly matches one of the entries in this field, so use it to restrict verification to specific identities. For Kubernetes service accounts, use the form `system:serviceaccount:<namespace>:<service-account-name>`.
- Allowed Policies. The issuance policies that this client is permitted to use when requesting certificates.
Click Add to enter each client in the client list area.
- In the Audience field, enter the target audience (aud) that tokens must carry to pass validation.
- Select the Minimum TLS Protocol Version. For the best protection, choose the highest version supported by your organization's servers and applications.
- Custom JWT claims: use user-defined claims for flexible identity at scale. Choose a client authentication and authorization type. This setting controls how clients authenticate with Workload Identity Manager; your organization probably already operates one of these identity providers, so you only need to connect to it.
Note
You must have Workload Identity Manager v1.9.1 or later installed to use this option.
If your IdP supports OIDC Discovery:
- Specify the Issuer URL. This is used to retrieve metadata about the authorization server, including the token endpoint.
- Specify the Audience. This is the unique identifier that registers Workload Identity Manager with the identity provider.
- If your IdP mandates specific claim names, you can specify Alternative Claim Names for the claims in the Workload Identity Manager configuration.
- Select the Minimum TLS Protocol Version. For the best protection, choose the highest version supported by your organization's servers and applications.
If your IdP offers only JWKS verification:
- Specify the JWKS URIs of the trusted public keys that Workload Identity Manager uses to validate incoming JWTs. Each URI must include the protocol and the FQDN, for example `https://idp.example.com/jwks`.
- If your IdP mandates specific claim names, you can specify Alternative Claim Names for the claims in the Workload Identity Manager configuration.
- Select the Minimum TLS Protocol Version. For the best protection, choose the highest version supported by your organization's servers and applications.
Allow network clients authenticated with Instance Metadata
Choose this option if you want network clients to authenticate with the Workload Identity Manager Issuer instances using the instance metadata provided by their cloud provider.
You can set up instance metadata authentication for Amazon Web Services, Microsoft Azure, or Google Cloud VM instances that request mTLS certificates; the VM's signed instance identity document (IID) is then used in place of a client authorization type.
Depending on the cloud provider you want to use, select one or more of the following and enter the required information.
Amazon Web Services:
- Enter one or more AWS Account IDs.
- Enter one or more Regions. Regions are optional. If you do not include a region, then IIDs from the listed AWS accounts are accepted from any region.
Microsoft Azure:
- Enter one or more Subscription IDs.
Google Cloud:
- Enter one or more Project Identifiers. This field accepts both project numbers and project IDs.
- Enter one or more Regions. Regions are optional. If you do not include a region, then IIDs from the listed Google Cloud projects are accepted from any region.
If the IID feature is enabled for any of the cloud providers, the Workload Identity Manager `config.yaml` file must specify the `identityDocument` section with the `server` that identifies both the port and either the DNS name or the IP address where the IID endpoint will be available.
Local clients only
To use this option, leave both checkboxes in the Client Configuration section unselected. Interaction with the Issuer instances via Unix Domain Sockets (UDS), and from a cert-manager deployed in the same environment, is always enabled. Only Allowed Policies need to be configured when using this option.
- In the Allowed Policies field, specify the issuance policies that clients are permitted to use when requesting certificates. This setting applies to local clients, clients authenticated with Instance Metadata, and clients authenticated using custom JWT claims. It does not apply to clients authenticated with registered JWT claims, whose Allowed Policies are set per client in the client list.
- Click Create.
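The registered-claims checks described in the Client Configuration step above (key resolution through OIDC Discovery from the Issuer URL or a custom JWKS URI, pinned signature algorithm, iss/aud/exp validation, an exact match on `sub`, and the per-client Allowed Policies) are easy to get subtly wrong, so here is an added Go example that walks a token through them. It is not code from Workload Identity Manager or from this page: the issuer URL, the audience string, the service account names, the policy name, the `kid`, the choice of ES256, and the in-memory `docs` map that stands in for unauthenticated HTTP GETs of the discovery and JWKS documents are all assumptions constructed so the example runs offline. It shows how the documented rules behave, not how the product implements them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Client struct { // one pre-authorized entry of the registered-claims client list
	IssuerURL, JWKSURI string   // JWKSURI is optional and overrides the jwks_uri found through OIDC Discovery
	Subjects, Policies []string // exact-match allow-list of sub values, and the Allowed Policies it unlocks
}

var (
	b64  = base64.RawURLEncoding
	dec  = func(s string) []byte { b, _ := b64.DecodeString(s); return b } // invalid input yields bytes that fail later checks
	docs = map[string]string{} // constructed stand-in for unauthenticated GETs of the discovery and JWKS documents (filled by newIdP)
)

// Authorize validates an ES256 JWT as the registered-claims option describes: keys via OIDC Discovery (or the custom JWKS URI), then iss, aud, exp and an exact sub match; it returns the client's Allowed Policies.
func Authorize(c Client, audience, token string, now time.Time) ([]string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var claims struct{ Iss, Sub, Aud string; Exp int64 } // real tokens may carry aud as an array
	if json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &claims) != nil {
		return nil, fmt.Errorf("header or claims are not valid base64url JSON")
	}
	if hdr.Alg != "ES256" { // pin the algorithm; never let the token choose it ("none", or HS256 keyed with a public key)
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	jwksURI := c.JWKSURI
	if jwksURI == "" {
		var disc struct{ Issuer string `json:"issuer"`; JWKSURI string `json:"jwks_uri"` }
		if err := json.Unmarshal([]byte(docs[strings.TrimSuffix(c.IssuerURL, "/")+"/.well-known/openid-configuration"]), &disc); err != nil {
			return nil, fmt.Errorf("OIDC Discovery failed: %v", err) // e.g. the URL is not reachable without authentication
		}
		if disc.Issuer != c.IssuerURL { // the discovery document must vouch for the configured issuer
			return nil, fmt.Errorf("discovery issuer %q != configured %q", disc.Issuer, c.IssuerURL)
		}
		jwksURI = disc.JWKSURI
	}
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } }
	if err := json.Unmarshal([]byte(docs[jwksURI]), &set); err != nil {
		return nil, fmt.Errorf("JWKS fetch failed: %v", err)
	}
	var pub *ecdsa.PublicKey
	for _, k := range set.Keys { // select by kid; accept only the key type the pinned algorithm expects
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(k.X)), Y: new(big.Int).SetBytes(dec(k.Y))}
		}
	}
	sig, h := dec(p[2]), sha256.Sum256([]byte(p[0]+"."+p[1]))
	if pub == nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed for kid %q", hdr.Kid)
	}
	if claims.Iss != c.IssuerURL || claims.Aud != audience || now.Unix() >= claims.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", claims.Iss, claims.Aud, claims.Exp)
	}
	for _, s := range c.Subjects { // exact match only: no prefix, glob or namespace-wide semantics
		if s == claims.Sub {
			return c.Policies, nil
		}
	}
	return nil, fmt.Errorf("subject %q is not pre-authorized", claims.Sub)
}

// newIdP publishes constructed discovery and JWKS documents for issuer and returns a minter that
// signs ES256 tokens shaped like projected Kubernetes service account tokens (assumed, not a real IdP).
func newIdP(issuer string) func(sub, aud string, exp time.Time) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pad := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	docs[issuer+"/.well-known/openid-configuration"] = fmt.Sprintf(`{"issuer":%q,"jwks_uri":%q}`, issuer, issuer+"/openid/v1/jwks")
	docs[issuer+"/openid/v1/jwks"] = fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","kid":"k1","x":%q,"y":%q}]}`, pad(key.X), pad(key.Y))
	return func(sub, aud string, exp time.Time) string {
		body, _ := json.Marshal(map[string]interface{}{"iss": issuer, "sub": sub, "aud": aud, "exp": exp.Unix()})
		signing := b64.EncodeToString([]byte(`{"alg":"ES256","kid":"k1"}`)) + "." + b64.EncodeToString(body)
		h := sha256.Sum256([]byte(signing))
		r, s, _ := ecdsa.Sign(rand.Reader, key, h[:])
		return signing + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
	}
}

func main() {
	const issuer, aud = "https://kubernetes.default.svc.cluster.local", "workload-identity-manager"
	c := Client{IssuerURL: issuer, Subjects: []string{"system:serviceaccount:payments:api"}, Policies: []string{"internal-mtls"}}
	mint := newIdP(issuer)
	fmt.Println(Authorize(c, aud, mint("system:serviceaccount:payments:api", aud, time.Now().Add(time.Hour)), time.Now()))
	fmt.Println(Authorize(c, aud, mint("system:serviceaccount:payments-dev:api", aud, time.Now().Add(time.Hour)), time.Now()))
}
```

The second call in `main` is the point of the Subjects field: `system:serviceaccount:payments-dev:api` shares a prefix with the pre-authorized subject but is a different identity in a different namespace, and an exact-match allow-list rejects it. The same structure shows why the discovery URL (or custom JWKS URI) must be reachable without authentication: if that fetch fails, no token from that issuer can be verified at all, so the instance fails closed rather than falling back to an unverified claim.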
What's next?
You're done configuring your Workload Identity Manager settings in Venafi Control Plane. Now it's time to deploy your Workload Identity Manager server!