Service Accounts for Workload Identity Manager¶
Workload Identity Manager uses service accounts to connect to Certificate Manager - SaaS and retrieve linked configuration settings. Each service account corresponds to a single configuration.
Multiple instances with one service account
You can use multiple Workload Identity Manager instances with one service account, but they'll all have the same configuration settings. Monitoring and response speed will also be slightly degraded.
Prerequisites¶
To create a service account, you need a team to assign it to.
If using Workload Identity Federation (OIDC) authentication¶
Coordinating installation
Creating a service account in CyberArk Certificate Manager - SaaS requires details that only exist after Workload Identity Manager is installed in your cluster. If a different person will install Workload Identity Manager, coordinate these steps across both systems.
To authenticate with a JSON Web Token (JWT), get the following from your Kubernetes platform team:
- The OIDC discovery document URL for the cluster where Workload Identity Manager is deployed.
- The name and namespace of the Kubernetes service account used by Workload Identity Manager in your cluster, such as `prod-firefly` and `venafi`. These combine into the subject identifier `system:serviceaccount:<namespace>:<name>`.
- The issuer URL for the cluster's OIDC identity provider, which Certificate Manager - SaaS uses to identify the cluster and verify service account tokens.

  Get the issuer URL

  Run the following command:

  ```
  kubectl get --raw /.well-known/openid-configuration | jq .issuer -r
  https://kubernetes.cluster.example.com
  ```

  Confirm that the issuer URL is accessible from Certificate Manager - SaaS by opening it in a web browser with `/.well-known/openid-configuration` appended, for example `https://kubernetes.cluster.example.com/.well-known/openid-configuration`. The browser must return JSON with issuer information.
- The JWKS URI for the cluster, which Certificate Manager - SaaS uses to obtain the public keys for token verification.

  Get the JWKS URI

  Run the following command:

  ```
  kubectl get --raw /.well-known/openid-configuration | jq .jwks_uri -r
  https://kubernetes.cluster.example.com:6443/.well-known/jwks.json
  ```

  The JWKS URI is found in the same OIDC discovery document as the issuer URL.
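The four federation values above are easy to get subtly wrong (issuer copied from another cluster, namespace and name swapped in the subject identifier, a Helm chart audience other than vcp). The script below is an added example, not code from Workload Identity Manager or Certificate Manager - SaaS: it reads the discovery document and the claims of a projected service account token and reports any mismatch with the values you intend to enter in the form. The discovery document and token are constructed samples; signature verification against the JWKS is deliberately left out because Certificate Manager - SaaS performs it.

```python
import base64
import json
import time

# Constructed sample of `kubectl get --raw /.well-known/openid-configuration`
DISCOVERY = {
    "issuer": "https://kubernetes.cluster.example.com",
    "jwks_uri": "https://kubernetes.cluster.example.com:6443/.well-known/jwks.json",
}

def subject_identifier(namespace, name):
    """Subject Identifier in the form the service account form expects."""
    return f"system:serviceaccount:{namespace}:{name}"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_token(claims):
    """Constructed stand-in for the projected token mounted in the pod. The
    signature segment is left empty: this script does not verify signatures."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token):
    """Read the claims without checking the signature (the SaaS side does that)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_federation_values(discovery, claims, namespace, name, audience="vcp", now=None):
    """Return the mismatches between the form values and the token; [] means consistent."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append(f"issuer: token has {claims.get('iss')!r}, discovery has {discovery['issuer']!r}")
    expected = subject_identifier(namespace, name)
    if claims.get("sub") != expected:
        problems.append(f"subject: token has {claims.get('sub')!r}, form would get {expected!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # a single audience may be a bare string
    if audience not in aud:
        problems.append(f"audience: {audience!r} not in {aud}")
    if not discovery["jwks_uri"].startswith("https://"):
        problems.append("jwks_uri must be an https URL reachable from Certificate Manager - SaaS")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems
```

Note that the JWKS URI in the sample points at port 6443, which is often not reachable from outside the cluster; in that case publish the JWKS data at a public location and enter that URL instead, as the form allows.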
If using key pair authentication¶
To authenticate with a key pair, which combines a private key on your machine and a public key shared with other devices, you'll need a new key pair for Workload Identity Manager.
Generate a key pair

On the device where Workload Identity Manager will run:

For EC_P256:

```
openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -out svc-acct-ec-priv-key.pem
openssl ec -in svc-acct-ec-priv-key.pem -pubout > svc-acct-ec-pub-key.pem
```

For RSA_2048:

```
openssl genrsa -out svc-acct-rsa-priv-key.pem 2048
openssl rsa -in svc-acct-rsa-priv-key.pem -pubout -outform PEM -out svc-acct-rsa-pub-key.pem
```
Step 1: Create a new service account¶
- Sign in to Certificate Manager - SaaS.
- Click Settings > Service Accounts.
- Click New.
- In Use Case, select Workload Identity Manager and click Continue.
- Add the following:

  | Field | Description |
  |---|---|
  | Name | Name that identifies the service account across the system. |
  | Owning Team | Team responsible for managing the service account. |
  | Validity | How many days the service account can be used before renewal. Defaults to 365. |

- Confirm that the Scope is Distributed Issuance, as described in Scopes and service account permissions.
- Under Select authentication method, choose one of the following.

  Workload Identity Federation:
  - Click Workload Identity Federation, then click Continue.
  - Add the following:

    | Field | Description |
    |---|---|
    | Issuer URL | OIDC Issuer URL of the cluster. |
    | JWKS URI | OIDC JWKS URI of the cluster or public location of the JWKS data, for example `https://www.example.com:6443/.well-known/jwks.json`. |
    | Subject Identifier | Unique identifier for the subject in the issuing authority's namespace, with the format `system:serviceaccount:<NAMESPACE>:<SERVICE ACCOUNT NAME>`. For example, `system:serviceaccount:venafi:prod-firefly`. |
    | Audience | Audience value set by the Workload Identity Manager Helm chart; enter `vcp`, which is the default. |

  - Click Finish.

  Key pair:
  - Click Key pair, then click Continue.
  - Paste the contents of the PEM file containing your public key.
  - Click Finish.
Step 2: Save the client ID¶
- On the Service Accounts page, find the new service account.
- At far right, in the three-dot menu, click Copy Client ID and save the ID.
About the client ID
You'll use the client ID in a configuration file created on the Linux machine that runs Workload Identity Manager. You can deploy using Kubernetes with OIDC, Kubernetes with a private key, or Docker.
What's next?¶
With your service account configured, it's time to create a configuration.