Creating service accounts dynamically

In automated systems, such as CI/CD pipelines, you may need to generate service accounts dynamically for the Venafi Kubernetes Agent deployed on your Kubernetes cluster.

To do this, you must first create a master service account with the svcaccount-write scope using the Venafi CLI tool. A master service account enables API clients and the Venafi CLI tool to then create other service accounts with different scopes as required.

Follow the steps below to create a master service account, and then use it to create another service account dynamically.

Step 1: Create a master service account with the svcaccount-write scope
- If you haven't done so yet, download and install the Venafi CLI tool.
- Use the following command to create a master service account and store the service account credentials in a master-sa.json file:

  venctl iam service-account custom-integration create --api-key XYZ --name "my-master-sa" --scopes svcaccount-write --output-file master-sa.json

Info: For instructions on how to get hold of your API key, see Obtaining your API key.
Step 2: Use the master service account to create other service accounts

Once you have a master service account created using the method shown above, you can create other accounts by passing the master service account credentials to the --auth.key-file flag in the relevant Venafi CLI tool venctl iam service-account create command, as in the following example:

venctl iam service-account agent create --name "my-agent-sa" --output secret --output-file agent-credentials.json --owning-team XYZ --auth.key-file master-sa.json

Info: For more information on Venafi CLI tool service account commands, see service account commands.
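The two steps above wrapped into a script suitable for a CI job, as an added example that is not part of the Venafi documentation or the venctl project. It uses only the venctl flags shown on this page and assumes venctl is on PATH (the VENCTL variable is an assumption of this script, used so the binary can be overridden). The VENAFI_API_KEY environment variable name is likewise an assumption; the point of reading the key from the environment is to keep the literal key out of the script. Because the master service account holds svcaccount-write and can mint further service accounts, the script treats master-sa.json like a private key: it is written with 0600 permissions and the agent step refuses to run if the file has become group- or world-readable.

```shell
#!/usr/bin/env bash
# Added example (not from the Venafi docs): CI-friendly wrapper around the
# master-SA / agent-SA flow. Assumes `venctl` is on PATH; VENCTL is an
# assumed override variable, VENAFI_API_KEY an assumed environment variable.
set -euo pipefail

VENCTL="${VENCTL:-venctl}"

# Refuse to use a master credential file that is missing or readable by
# group/others. Only the first ten characters of `ls -l` are compared so
# ACL/SELinux markers in column 11 do not affect the check.
check_master_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "master credential file not found: $f" >&2; return 1; }
  mode=$(ls -l "$f" | cut -c1-10)
  case "$mode" in
    -rw-------|-r--------) return 0 ;;
    *) echo "refusing to use $f: permissions are $mode, expected 0600" >&2; return 1 ;;
  esac
}

# Step 1 of the page: create the master SA with the svcaccount-write scope.
# The API key comes from the environment rather than being hard-coded here.
create_master_sa() {
  local name="$1" out="$2"
  [ -n "${VENAFI_API_KEY:-}" ] || { echo "VENAFI_API_KEY is not set" >&2; return 1; }
  ( umask 077   # subshell so the restrictive umask does not leak to the caller
    "$VENCTL" iam service-account custom-integration create \
      --api-key "$VENAFI_API_KEY" \
      --name "$name" \
      --scopes svcaccount-write \
      --output-file "$out" )
  chmod 600 "$out"
  [ -s "$out" ]   # succeed only if a non-empty credential file was written
}

# Step 2 of the page: use the master SA credentials (--auth.key-file) to
# create an agent SA, emitted in the secret output format.
create_agent_sa() {
  local name="$1" team="$2" master="$3" out="$4"
  check_master_file "$master" || return 1
  ( umask 077
    "$VENCTL" iam service-account agent create \
      --name "$name" \
      --output secret \
      --output-file "$out" \
      --owning-team "$team" \
      --auth.key-file "$master" )
  chmod 600 "$out"
  [ -s "$out" ]
}

# Usage from a pipeline job (placeholder team id):
#   VENAFI_API_KEY=... create_master_sa "my-master-sa" master-sa.json
#   create_agent_sa "my-agent-sa" TEAM_ID_PLACEHOLDER master-sa.json agent-credentials.json
```

In a real pipeline, Step 1 is normally run once by an operator and master-sa.json is then stored as a pipeline secret; only create_agent_sa runs per job, and the resulting agent-credentials.json should be handed to the cluster (for example as a Kubernetes Secret) rather than committed or printed.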