Skip to content

Service Accounts for Firefly

Firefly uses service accounts to connect to the Venafi Control Plane, and to retrieve the configuration settings linked to that service account.

For Firefly, one service account will always connect to a single configuration. (Multiple Firefly servers can use the same service account, but all the servers will get that service account's configuration settings.)

The service accounts that have been added by people in your organization can be found in the Service Accounts inventory. Like other inventories in Firefly (and TLS Protect Cloud), you can search, filter, and export items in the inventory. The Service Accounts inventory is shared between TLS Protect Cloud and Firefly. Detailed documentation is available on service accounts, so here we'll just talk about how they are used in Firefly.


Before you can create a service account, you will need to have a team created that you can assign it to. Learn more

Create a new service account

  1. Sign in to Venafi Control Plane.
  2. Click Settings > Service Accounts.

  3. Click New, make sure {{ ff }} is selected, and then click Continue.

  4. Generate a new key pair so your Firefly instance can securely communicate with Venafi Control Plane.

    How do I generate a key pair in OpenSSL?

    Your service account will need a new key pair, which is a combination of a private key that stays on your machine and a public key you share with other devices. Learn more about public key cryptography.

    Here are the terminal commands you can run to generate a new key set.

    You will want to run these commands on the device where Firefly will run.

    (When you hover over each code block, there is a copy button on the right side.)

    For EC_P256, use the following commands:

    openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -out svc-acct-ec-priv-key.pem
    openssl ec -in svc-acct-ec-priv-key.pem -pubout > svc-acct-ec-pub-key.pem

    For RSA_2048 key pair, use the following commands:

    openssl genrsa -out svc-acct-rsa-priv-key.pem 2048
    openssl rsa -in svc-acct-rsa-priv-key.pem -pubout -outform PEM -out svc-acct-rsa-pub-key.pem
  5. Fill out the fields on the New Service Account modal.

    Field Description
    Name This will be used to identify this service account on other forms in the system. For example, when creating a configuration, you need to pick a service account, and they are listed using this name.
    Owning Team Select the team that is responsible for managing the service account. If the team you need isn't listed, you will need to create it using the Teams link on the menu bar.
    Scope For Firefly the scope must be Distributed Issuer.
    Validity Controls how long the service account can be used before it needs to be renewed.
    Public Key The public key data for your service account. You can copy and paste the contents of the file svc-acct-rsa-pub-key.pem from the previous step.
  6. Click Save to save then exit, or click Save & New to save then create a new service account.

    The validity period beings immediately.

    About validity periods

    The validity period is actually an arbitrary value, since the public key doesn't expire. It is a best practice from a security perspective, however, to set a validity period to enforce periodic key rotation.

  7. In the Service Account inventory, locate the service account you just created. At the far right side of the screen, click the more icon, then click Copy Client ID.

  8. Paste the client ID to a location you will be able to access later. You will paste this client ID in a configuration file you will create on the Linux machine that will run Firefly. You will use it in the Deploy Firefly step. (Deploy using Kubernetes or Deploy using Docker).

What's next?

With your service account configured, it's time to connect all the pieces of the puzzle together by creating a configuration.