
Overview: Service Accounts

Use service accounts as your method for authenticating non-user accounts—such as APIs, applications, and services (collectively called machines)—to your Venafi tenant.

Service accounts can be used to:

  • allow your Venafi Firefly instance to connect to Venafi Control Plane.
  • allow Venafi Kubernetes Agent to connect to Venafi Control Plane.
  • pull artifacts such as enterprise Kubernetes components from a Venafi OCI registry.

Because a service account is owned by a team rather than by an individual, authenticating machines with service accounts instead of user accounts means access does not end when the employee who set up a machine leaves your team or company.

Example...

Suppose you had a colleague named Jones who managed your Firefly deployments and another application running on AWS. Jones used his own user account credentials (username and password) to authenticate those machines. Then he moves to another team.

After Jones leaves, nobody on your team can authenticate Jones' machines, because the credentials belonged to his user account. If Jones had instead set up service accounts owned by your team before he left, you and your team would have had uninterrupted access.

When you create a service account, you select an owning team from a list of all existing teams created in your tenant account.

Using a service account to connect Venafi Firefly or Venafi Kubernetes Agent to Venafi Control Plane relies on user-generated key pairs rather than passwords. When you create a service account for either of these purposes, you supply the public key; the private key stays with the Firefly instance or agent and is never uploaded to the tenant.
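As an added example (not Venafi's own tooling or wizard output), the following POSIX shell functions generate the key pair whose public half is pasted into the service-account wizard, and check that the public key file really belongs to the private key before it is submitted. The key type (EC P-256), the PEM encoding, and the file names are assumptions; this page does not state which key types Venafi accepts.

```shell
#!/bin/sh
# Added example, not Venafi's own code. Assumptions: EC P-256 keys in PEM,
# file names private-key.pem / public-key.pem. Requires openssl.

# gen_sa_keypair DIR
# Creates DIR/private-key.pem (mode 0600) and DIR/public-key.pem.
# Only public-key.pem is ever given to the Venafi wizard.
gen_sa_keypair() {
  dir="$1"
  mkdir -p "$dir"
  # Subshell so the restrictive umask applies only to the private key write.
  ( umask 077 && openssl ecparam -name prime256v1 -genkey -noout \
      -out "$dir/private-key.pem" ) || return 1
  openssl ec -in "$dir/private-key.pem" -pubout \
      -out "$dir/public-key.pem" 2>/dev/null
}

# check_sa_keypair DIR
# Returns 0 if public-key.pem is derived from private-key.pem, 1 otherwise.
# Catches the common mistake of pasting a public key from a different key pair,
# which makes the Firefly instance or agent fail to authenticate later.
check_sa_keypair() {
  dir="$1"
  derived=$(openssl ec -in "$dir/private-key.pem" -pubout 2>/dev/null) || return 1
  [ "$derived" = "$(cat "$dir/public-key.pem")" ]
}

# sa_public_key DIR
# Prints the PEM block to paste into the service-account wizard.
sa_public_key() {
  check_sa_keypair "$1" || return 1
  cat "$1/public-key.pem"
}
```

Run `gen_sa_keypair ./firefly-sa && sa_public_key ./firefly-sa` on the host that will run Firefly or the agent, paste the printed PEM into the wizard, and keep `private-key.pem` on that host only.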

When using service accounts to pull artifacts from a Venafi OCI registry, the service account creation wizard provides commands for creating a secret for Kubernetes or Red Hat OpenShift, along with a Docker Config file.
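As an added example (not the commands the Venafi wizard emits), the following POSIX shell functions build the two artifacts the paragraph above describes: a Docker config JSON holding the service account's registry credential, and a Kubernetes image-pull Secret that wraps it. The registry host name, the secret and namespace names, and the credential values are assumptions and placeholders; take the real ones from your wizard output.

```shell
#!/bin/sh
# Added example, not Venafi's own code. Assumptions: registry host below,
# username/password credential, secret name and namespace supplied by caller.

REGISTRY_HOST="${REGISTRY_HOST:-private-registry.example}"   # assumption

# Single-line base64 (GNU base64 wraps at 76 columns; strip the newlines).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# docker_config USER PASSWORD
# Prints a Docker config JSON for REGISTRY_HOST. The "auth" field is
# base64("user:password"), which is what docker and containerd read.
# Note: values are not JSON-escaped; avoid quotes/backslashes in the password.
docker_config() {
  user="$1"; pass="$2"
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$REGISTRY_HOST" "$user" "$pass" "$(b64 "$user:$pass")"
}

# pull_secret NAME NAMESPACE USER PASSWORD
# Prints a Secret manifest of type kubernetes.io/dockerconfigjson; the
# .dockerconfigjson key must hold the base64 of the full config JSON.
pull_secret() {
  name="$1"; ns="$2"; user="$3"; pass="$4"
  cfg=$(docker_config "$user" "$pass")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$cfg")
EOF
}

# secret_config MANIFEST
# Decodes the config JSON back out of a manifest, for checking before apply.
secret_config() {
  printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}
```

Pipe the manifest into `kubectl apply -f -` (or `oc apply -f -` on OpenShift) and reference the secret name under `imagePullSecrets` in the workload that pulls from the registry. Because the secret holds the service account's credential in clear text once decoded, restrict who can read Secrets in that namespace and rotate the credential when the owning team changes.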

Who can create and manage service accounts?

Service accounts are tenant-wide. Depending on your assigned role, you can create, view, change or delete them. However, the Guest role can neither view nor manage service accounts.

Role                   Permissions
Resource Owner         Create, view, modify and delete only the service accounts they own.
PKI Administrator      Create, view, modify and delete all service accounts, including those owned by someone else.
System Administrator   Create, view, modify and delete all service accounts, including those owned by someone else.
Guest                  Cannot view or manage service accounts.

Service accounts are restricted through scopes.