Overview: Service Accounts
Use service accounts to authenticate and manage access for non-user identities such as APIs, applications, and services, referred to collectively as machines.
Service accounts give machine-to-machine interactions their own credentials and lifecycle, so that access to a machine never depends on a person's user credentials.
Types of service accounts
When setting up a new service account, you can select from several predefined use cases, each tailored to specific operational needs within the Venafi environment.
Example use case
Authenticating with service accounts instead of user accounts means that access to a machine survives the departure of the employee who set it up.
Suppose a colleague named Jones managed your Firefly deployments and another application running on AWS, and authenticated those machines with his own user credentials (username and password). Jones then moves to another team.
Once Jones's user access is removed, nobody on your team can authenticate to the machines Jones configured. Had Jones connected them with service accounts instead, the machines would have identities of their own and you and your team would have had uninterrupted access; offboarding Jones would mean disabling one user account, not reconfiguring every machine he touched.
Here's a brief overview of each available service account type:
Firefly
- Purpose: Connect a Firefly instance to Venafi Control Plane.
- Use case: Ideal for scenarios where a dedicated Firefly application needs secure and continuous interaction with Venafi Control Plane without manual authentication.
Kubernetes Agent
- Purpose: Facilitate secure connection between Venafi Kubernetes agents and Venafi Control Plane.
- Use case: Used primarily in environments where Kubernetes clusters must autonomously verify and manage certificates or configurations directly through Venafi Control Plane.
TLS Protect Datacenter
- Purpose: Authenticate TLS Protect Datacenter to Venafi Control Plane. This account must have the Venafi TLS Protect for Datacenter scope.
- Use case: Enables TLS Protect Datacenter to integrate with Venafi Control Plane. The Kubernetes Discovery Job in TLS Protect Datacenter retrieves certificates discovered using TLS Protect for Kubernetes and pulls them into the TLS Protect Datacenter inventory. This provides TLS Protect Datacenter customers a single view for all certificates.
Venafi Registry
- Purpose: Retrieve artifacts like enterprise Kubernetes components from the Venafi OCI registry.
- Use case: Essential for automated systems that require frequent access to update or pull configurations and components from the registry without human intervention.
Custom API Integration
- Purpose: Securely authenticate with Venafi Control Plane APIs using Workload Identity Federation.
- Use case: Supports scenarios where machines require a scalable and secure authentication mechanism to access APIs without traditional API keys. With federation, the workload proves who it is with a short-lived token issued by its own identity provider, and Venafi Control Plane trusts that issuer, so no long-lived shared secret has to be stored on the machine or rotated by hand.
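To make the difference between an API key and federated workload identity concrete, the following is an added illustration written for this page; it is not Venafi's implementation and none of the names in it (the issuer URL, subject format, audience, scope string, or the `ci-runner` account) are taken from the product. It shows the relying-party side of a federation check: the token's signature is verified against the trusted issuer's key, its audience and expiry are checked, and the (issuer, subject) pair is matched against a pre-registered service-account binding. The token is HMAC-signed (HS256) only so the example runs with the Python standard library; real federation uses the issuer's published asymmetric keys.

```python
"""Workload-identity-federation style token check (added illustration).

Instead of a long-lived API key stored on the machine, the workload presents a
short-lived signed token from its own identity provider. The receiving service
verifies the signature against the trusted issuer's key and matches the claims
against a pre-registered service-account binding (issuer + subject + audience).
All names, URLs and keys below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """Identity-provider side: produce an HS256 JWT.

    Real federation uses asymmetric keys published via JWKS; HMAC is used here
    only so the example is self-contained.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# Constructed trust configuration (hypothetical values): the relying party
# trusts one issuer and has one service account bound to one workload identity.
# The binding, not a shared secret held by the workload, is what grants access.
TRUSTED_ISSUERS = {"https://idp.example.internal": b"constructed-issuer-key"}
SERVICE_ACCOUNTS = {
    "ci-runner": {
        "issuer": "https://idp.example.internal",
        "subject": "repo:example/certs:ref:refs/heads/main",
        "scopes": ["certificate:request"],  # hypothetical scope name
    }
}
EXPECTED_AUDIENCE = "https://api.venafi.example"  # assumed audience value


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Relying-party side. Returns the matched service account record, or
    raises ValueError saying why the token was rejected."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Map the proven identity to a registered service account.
    for name, sa in SERVICE_ACCOUNTS.items():
        if sa["issuer"] == claims["iss"] and sa["subject"] == claims.get("sub"):
            return {"service_account": name, "scopes": sa["scopes"]}
    raise ValueError("no service account bound to this subject")


def outcome(token: str, now: float) -> str:
    """Collapse accept/reject into a string so cases are easy to compare."""
    try:
        return verify_token(token, now)["service_account"]
    except ValueError as e:
        return f"rejected: {e}"


def demo() -> dict:
    """Happy path plus the failure modes worth testing before going live."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    base = {
        "iss": "https://idp.example.internal",
        "sub": "repo:example/certs:ref:refs/heads/main",
        "aud": EXPECTED_AUDIENCE,
        "exp": now + 300,
    }
    key = TRUSTED_ISSUERS["https://idp.example.internal"]
    return {
        "valid": outcome(mint_token(key, base), now),
        # Same trusted issuer, but a subject nobody registered a binding for.
        "other_branch": outcome(
            mint_token(key, {**base, "sub": "repo:example/certs:ref:refs/heads/feature"}), now),
        "expired": outcome(mint_token(key, {**base, "exp": now - 1}), now),
        # Attacker claims the trusted issuer but cannot sign with its key.
        "forged": outcome(mint_token(b"attacker-key", base), now),
        "wrong_aud": outcome(mint_token(key, {**base, "aud": "https://other.example"}), now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} {result}")
```

The point to take from the failure cases: a token from a different branch, a different audience, or a different signing key is rejected even though every field looks plausible, because what is authorized is the registered binding, not possession of a string. Rotating or revoking access then means changing the binding on the relying party, with nothing to redistribute to the workload.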
Creating service accounts
Creating a service account involves a few straightforward steps:
- Select the use case: Choose the type of service account based on your desired use case.
- Configure details: Provide necessary details specific to the chosen service account type.
- Set credentials: Depending on the service account, you might need to supply credentials like API keys or configure token-based authentication.
To get started, select the service account that best matches your use case:
- Firefly or Kubernetes Agent service account
- Venafi Registry service account
- TLS Protect Datacenter service account
- Custom API Integration service account
Not sure which one to use? Learn more
Related links
API Reference