Creating a Service Account

You should use service accounts as your method for authenticating non-user accounts—such as APIs, applications, and services (collectively called machines)—to your Venafi tenant.

Service accounts use key pairs instead of passwords. A key pair consists of a public key, which Venafi Control Plane stores, and a private key, which is stored on the machine that connects to Venafi Control Plane. The key pairs you use must meet specific requirements.

By using service accounts rather than user accounts to authenticate, you'll be able to maintain access to machines previously managed by employees who might leave your team or company.

To create a new service account

  1. Sign in to TLS Protect Cloud.
  2. Click Settings > Service Accounts.
  3. Click New.
  4. Choose the desired use case from the Use case list, and click Continue. The use cases available to you depend on the Venafi Control Plane components you have licenses for.
  5. Enter a Name for your new service account.
  6. Select an Owning Team. This team owns the machine you want to create the service account for.
  7. Enter the number of days for which you want the account to remain valid in the Validity (days) field. You can select any number from 1 to 365 days.
  8. The remaining steps depend on the use case you selected earlier:

    1. Select the desired Scope, and click Continue.

      • Distributed Issuance is the default scope for Venafi Firefly.
      • Kubernetes Discovery is the default scope for Venafi Kubernetes Agent.
    2. Select one of the following key generation options as required:

      1. Click the Auto-generate a keypair and download the private key radio button, and click Create.
      2. In the Credentials section, copy the public and private keys.

        Important

        Copy and store this private key securely as it cannot be recovered if lost. This is your only opportunity to copy this private key.

      Or:

      1. Click the Generate your own keypair and upload the public key radio button, and click Continue.
      2. In the Credentials section, provide the public key corresponding to the private key that your service will use. For your public key to be valid, it must be in PEM format and no longer than 2000 characters. The supported key algorithms are:

        • RSA in 2048, 3072, or 4096 key lengths
        • ECDSA: P256, P384, or P521
        • EDDSA: ED25519
    3. Click Finish to create the service account and return to the Service Accounts page.

    Note

    If you do not see this option in the Venafi Control Plane UI, please contact your Venafi sales representative for information on the correct Venafi Control Plane tier subscription you need.

    1. Select the desired Scope, and click Continue. Currently, there is just one option:

      • Certificates Discovered on Kubernetes Clusters
    2. If you have not done so already, use the terminal on your computer to generate the ECDSA P-521 public/private key pair that your service will use by running the following commands:

      # Generate a private key
      openssl ecparam -name secp521r1 -genkey -noout -out venafi-service-account-private.pem
      
      # Generate the public key for it
      openssl ec -in venafi-service-account-private.pem -pubout -out venafi-service-account-public.pem
      
      # Print the public key
      cat venafi-service-account-public.pem
      
    3. In the Credentials section, paste the public key corresponding to the private key that your service will use into the Public Key in PEM format field, and then click Finish to create the service account and return to the Service Accounts page.

    1. Select the desired Scope, and click Create. The following scopes are available if you have the appropriate licenses:

    2. In the Credentials section, copy the Venafi OCI registry address and the credential Username and Password, and store them securely.

      Important

      Store these authentication credentials securely as they cannot be recovered if lost. This is your only opportunity to copy these authentication credentials.

    3. Select the relevant installation option for your system:

      Note

      You must have kubectl installed on your system to complete the following steps.

      1. From the first text area, copy and run the kubectl create namespace venafi command to create the default namespace.
      2. Next, also from the first text area, copy and run the remaining code for the kubectl apply command to create a secret in Kubernetes.
      3. Copy and use the command in the second text area in this section to update the default Kubernetes service account to use the image pull secret, and enable all workloads in the namespace to use it.

      Note

      You must have the OpenShift CLI tool oc installed on your system to complete the following steps.

      1. From the first text area, copy and run the oc create namespace venafi command to create the default namespace.
      2. Next, also from the first text area, copy and run the remaining code for the oc apply command to create a secret in OpenShift.
      3. Copy and use the command in the second text area in this section to update the default OpenShift service account to use the image pull secret, and enable all workloads in the namespace to use it.
      1. Copy the generated content and save it as venafi_registry_docker_config.json.
    4. Click Finish to return to the Service Accounts page.
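As an added check (not part of the Venafi documentation) for the "Generate your own keypair and upload the public key" option and the openssl step above: a POSIX shell function that verifies a public-key file meets the stated requirements (PEM format, at most 2000 characters, RSA 2048/3072/4096, ECDSA P-256/P-384/P-521, or Ed25519) before it is pasted into the Credentials section, and rejects a private key pasted by mistake. It assumes the openssl CLI is installed; the function name is the example's own.

```shell
# Added example: validate a public-key PEM against the service-account key requirements.
# Usage: check_venafi_pubkey venafi-service-account-public.pem
# Returns 0 if the key is acceptable, 1 otherwise (reason printed on stderr).
check_venafi_pubkey() {
  pem="$1"
  # 1. Must be a PEM *public* key. A private key pasted here would be disclosed, so refuse it.
  if ! head -n 1 "$pem" | grep -q '^-----BEGIN PUBLIC KEY-----'; then
    echo "reject: not a PEM public key (expected -----BEGIN PUBLIC KEY-----)" >&2
    return 1
  fi
  # 2. The field accepts at most 2000 characters.
  size=$(wc -c < "$pem")
  if [ "$size" -gt 2000 ]; then
    echo "reject: PEM is $size characters, limit is 2000" >&2
    return 1
  fi
  # 3. Algorithm and key size, read from openssl's text dump of the key.
  info=$(openssl pkey -pubin -in "$pem" -text -noout 2>/dev/null) || {
    echo "reject: openssl could not parse the key" >&2
    return 1
  }
  if printf '%s\n' "$info" | grep -q '^Modulus:'; then              # RSA
    bits=$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$bits" in 2048|3072|4096) echo "ok: RSA-$bits"; return 0 ;; esac
    echo "reject: RSA-$bits (need 2048, 3072 or 4096)" >&2
    return 1
  elif printf '%s\n' "$info" | grep -q 'ASN1 OID:'; then             # ECDSA
    curve=$(printf '%s\n' "$info" | sed -n 's/.*ASN1 OID: *\([a-z0-9]*\).*/\1/p' | head -n 1)
    case "$curve" in prime256v1|secp384r1|secp521r1) echo "ok: ECDSA $curve"; return 0 ;; esac
    echo "reject: curve $curve (need P-256, P-384 or P-521)" >&2
    return 1
  elif printf '%s\n' "$info" | grep -q '^ED25519 Public-Key:'; then  # EdDSA
    echo "ok: Ed25519"
    return 0
  fi
  echo "reject: unsupported key type" >&2
  return 1
}
```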