Configuring Venafi Control Plane access for Venafi Connection¶
Learn how to configure remote access to the Venafi Control Plane REST API so that Venafi Connection can use them.
There are two ways you can configure remote access to the Venafi Control Plane REST API:
- Using the API key generated in the Venafi Control Plane UI.
- Configuring Venafi Control Plane for Datacenters (TPP).
Option 1: Using the API key¶
- Sign into the Venafi Control Plane UI.
- Click the you account icon on the top right, and then Preferences from the drop-down list.
- Copy your API key from the API keys tab.
Option 2: Configuring Venafi Control Plane for Datacenters (TPP)¶
In this example it is assumed that your application teams have their own user account and policy folder in Venafi TPP.
In the TPP UI, create a user account and generate a strong random password.
For more information on how to create a user account, see the TPP Administration Guide.
Retain the username / password for later when you need to share it with the platform team or upload it to a secret store. You need to perform this step for every team that requires access to the Venafi TPP API server.
Create an application integration. Venafi Enhanced Issuer needs permission to manage certificates using the TLS Protect Datacenter API. You configure this by creating an Application Integration.
For more information on API integrations, see the TPP Administration Guide.
Next, create a policy folder in the Policy Tree.
For more information on adding objects to Policy Tree, see the TPP Administration Guide.
Grant the user you created in Step 1 the following permissions: Write, Create, and Revoke.
For more information on assigning permissions to an object in Policy Tree, see the TPP Administration Guide.
Create a JWT mapping¶
This step is only required if you plan on using the secretless JWT Mapping authentication method. This method is limited to TLS Protect Datacenter (TPP) 22.4 or later. TLS Protect Cloud (VaaS) is not yet supported.
In the TPP UI, go to Platform > API > Default Settings, and click the JSON web token (JWT) checkbox.
You need to create one JWT Mapping for each user account and per Kubernetes cluster. You need to know the issuer URL of the given Kubernetes cluster. You can find that by running the following command:
kubectl get --raw /.well-known/openid-configuration | jq .issuer -r
In the screenshot below, the issuer URL is
In the Venafi Configuration Console, create the JWT mapping:
- Enter a Name. In the example below, the Kubernetes cluster name cluster-a with the Kubernetes service account name application-team-1 are used.
- Set the Audience field to
audand the Must match field to
tpp. You need set this same value when you configure the Venafi Connection.
Set the Subscriber field to
sub. The value must match the name of the Kubernetes service account that you use in Venafi Connection. The format of the name is as follows:Put all of the Kubernetes service accounts meant to be used with the Venafi Connection in the namespace