Creating service accounts dynamically
In automated systems, such as CI/CD pipelines, you may need to generate service accounts dynamically for the Discovery Agent deployed on your Kubernetes cluster.
To do this, you must first create a master service account with the svcaccount-write scope using the CLI tool for CyberArk Certificate Manager. A master service account enables API clients and the CLI tool for CyberArk Certificate Manager to then create other service accounts with different scopes as required.
Follow the steps below to create a master service account, and then use it to create another service account dynamically.
Step 1: Create a master service account with the svcaccount-write scope
- If you haven't done so yet, download and install the CLI tool for CyberArk Certificate Manager.
- Use the following command to create a master service account and store the service account credentials in a master-sa.json file:

  venctl iam service-account custom-integration create --api-key XYZ --name "my-master-sa" --scopes svcaccount-write --output-file master-sa.json
Info
For instructions on how to get hold of your API key, see Obtaining your API key.
Step 2: Use the master service account to create other service accounts
Once you have a master service account created using the method shown above, you can then create other accounts by passing the master service account credentials to the --auth.key-file flag in the relevant CLI tool for CyberArk Certificate Manager venctl iam service-account create command, as in the following example:

  venctl iam service-account agent create --name "my-agent-sa" --output secret --output-file agent-credentials.json --owning-team XYZ --auth.key-file master-sa.json
Info
For more information on CLI tool for CyberArk Certificate Manager service account commands, see service account commands.
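The two steps above wrapped for use from a pipeline, as an added example that is not part of this page or of the venctl tool itself. It uses only the venctl subcommands and flags shown above; the function names, the VENCTL override variable (so the script can be dry-run with VENCTL=echo) and the permission check on the master key file are assumptions of this example. The master-sa.json file is itself a credential that can mint further service accounts, so the script writes both key files owner-only and refuses to use a master key file that is group- or world-readable.

```shell
#!/usr/bin/env bash
# Added example: pipeline wrapper around the two venctl commands on this page.
set -eu

# Assumed: command to invoke; set VENCTL=echo to dry-run without calling venctl.
VENCTL="${VENCTL:-venctl}"

# Step 1 (run once, outside the pipeline): create the master service account
# with the svcaccount-write scope and store its credentials in "$out".
create_master_sa() {
  api_key="$1"; name="$2"; out="$3"
  umask 077   # the output file is a credential: create it owner-only
  "$VENCTL" iam service-account custom-integration create \
    --api-key "$api_key" --name "$name" \
    --scopes svcaccount-write --output-file "$out"
}

# Refuse a master key file that is missing or readable by group/others.
# Uses the group+other columns of ls -l (chars 5-10), which is portable.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "master key file not found: $f" >&2; return 1; }
  perm=$(ls -ld "$f" | cut -c5-10)
  [ "$perm" = "------" ] || {
    echo "master key file $f is group/world accessible ($perm); expected mode 600" >&2
    return 1
  }
}

# Step 2 (in the pipeline): use the master key file to create an agent
# service account, writing its credentials owner-only to "$out".
create_agent_sa() {
  master_key="$1"; name="$2"; team="$3"; out="$4"
  check_key_file "$master_key"
  umask 077
  "$VENCTL" iam service-account agent create \
    --name "$name" --output secret --output-file "$out" \
    --owning-team "$team" --auth.key-file "$master_key"
}

# Example invocation with placeholder values (API key and team id are
# placeholders; replace them with your own). Comment out for sourcing.
# create_master_sa "XYZ" "my-master-sa" master-sa.json
# create_agent_sa master-sa.json "my-agent-sa" "XYZ" agent-credentials.json
```

In a real pipeline the master key file would be injected from the CI system's secret store rather than committed alongside the script, and the generated agent-credentials.json is consumed by the Discovery Agent deployment and then discarded.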