Skip to content

Creating a Service Account

You should use service accounts as your method for authenticating non-user accounts—such as APIs, applications, and services (collectively called machines)—to your Venafi tenant.

Service accounts use key pairs instead of passwords. A key pair consists of public key that Venafi Control Plane stores, and a private key stored on the machine connecting to Venafi Control Plane. You need to use key pairs that meet specific requirements.

By using service accounts rather than user accounts to authenticate, you'll be able to maintain access to machines previously managed by employees who might leave your team or company.

To create a new service account

  1. Log into Venafi Control Plane, and click Settings > Service Accounts.
  2. Click New.
  3. Choose the desired use case from the Select the Purpose list, and click Continue. The purposes available for you to choose depend on the Venafi Control Plane components you have licenses for.
  4. Enter a Name for your new service account.
  5. Select an Owning Team. This team owns the machine you want to create the service account for.
  6. Enter the number of days for which you want the account to remain valid in the Validity (days) field. You can select any number from 1 to 365 days.
  7. The remaining steps depend on the purpose you selected earlier:

    1. Select the desired Scope, and click Continue.

      • Distributed Issuance is the default scope for Venafi Firefly.
      • Kubernetes Discovery is the default scope for Venafi Kubernetes Agent.
    2. Select one of the following key generation options as required:

      1. Click the Auto-generate a keypair and download the private key radio button, and click Create.
      2. In the Credentials section, copy the public and private keys.

        Important

        Copy and store this private key securely as it cannot be recovered if lost. This is your only opportunity to copy this private key.

      Or:

      1. Click the Generate your own keypair and upload the public key radio button, and click Continue.
      2. In the Credentials section, provide the public key corresponding to the private key that your service will use. For your public key to be valid, it must be in PEM format and no longer than 2000 characters. The supported key algorithms are:

        • RSA in 2048, 3072, or 4096 key lengths
        • ECDSA: P256, P384, or P521
        • EDDSA: ED25519
    3. Click Finish to create the service account and return to the Service Accounts page.

    1. Select the desired Scope, and click Create. The following scopes are available if you have the appropriate licenses:

    2. In the Credentials section, copy and store safely the Venafi OCI registry address as well as the credential Username and Password.

      Important

      Store these authentication credentials securely as they cannot be recovered if lost. This is your only opportunity to copy these authentication credentials.

    3. Select the relevant installation option for your system:

      Note

      You must have kubectl installed on your system to complete the following steps.

      1. From the first text area, copy and run the kubectl create namespace venafi command to create the default namespace.
      2. Next, also from the first text area, copy and run the remaining code for the kubectl apply command to create a secret in Kubernetes.
      3. Copy and use the command in the second text area in this section to update the default Kubernetes service account to use the image pull secret, and enable all workloads in the namespace to use it.

      Note

      You must have the OpenShift CLI tool oc installed on your system to complete the following steps.

      1. From the first text area, copy and run the oc create namespace venafi command to create the default namespace.
      2. Next, also from the first text area, copy and run the remaining code for the oc apply command to create a secret in OpenShift.
      3. Copy and use the command in the second text area in this section to update the default OpenShift service account to use the image pull secret, and enable all workloads in the namespace to use it.
      1. Copy the generated content and save it as venafi_registry_docker_config.json.
    4. Click Finish to return to the Service Accounts page.